Uganda’s Personal Data Protection Office has ruled against Google LLC, ordering the tech giant to register as a data controller and collector within 30 days for operating in violation of the country’s Data Protection and Privacy Act.

Announced on July 18, 2025, the ruling stems from a complaint filed by four Ugandan citizens in November 2024. The complainants—Ssekamwa Frank, Leni Sharon Pamela, Amumpaire Raymond, and Awino Mercy—alleged that Google operated in Uganda without mandatory registration and transferred personal data abroad without adequate safeguards.

The data protection office found that Google collects personal information from Ugandan users, including names, browsing history, and location data, and determines the purposes of that data’s use. The office concluded that this makes Google a data controller under Ugandan law, subject to registration under Section 29 of the Act and Regulation 15.

Google argued that no registration was required absent a specific exemption notice published by the regulator. The office rejected that claim, stating, “The legal structure is clear: the general rule is that registration is mandatory, unless and until a specific exemption is operationalized by way of gazette notice.”

The regulator also ruled that Google violated Section 19 and Regulation 30 for failing to demonstrate a lawful basis for cross-border transfers of the complainants’ personal data.

This marks the first major enforcement action under Uganda’s data protection framework and sends a clear signal to multinational tech companies operating in emerging markets. For digital advertisers and data processors, the decision underscores the growing enforcement power of African privacy regulators and the importance of local compliance strategies.

Need Help?

If you’re concerned or have questions about how to navigate the Uganda or global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.