Authored By: Daisy Wagaba
Uganda Christian University
Abstract
As Uganda embraces digital transformation, the collection and processing of personal data have become central to both commerce and governance. The enactment of the Data Protection and Privacy Act, 2019[1] marked a significant milestone in operationalising the right to privacy under Article 27(2) of the 1995 Constitution. However, the rise of Artificial Intelligence and automated decision-making presents new challenges that the current legal framework must address. This article evaluates the core principles of the Act, provides examples of recent enforcement in Uganda, and compares the Ugandan framework with the European Union’s General Data Protection Regulation (GDPR). It argues that while the Act provides a solid foundation, further clarity is needed — particularly regarding algorithmic transparency in automated decision-making — to fully protect Ugandan data subjects.
Introduction
In the modern Ugandan economy, personal data has often been metaphorically described as the “new oil.” From mobile money transactions on MTN and Airtel to the registration of national IDs by NIRA, the volume of data being harvested is unprecedented. While this digital shift promises efficiency, it also exposes individuals to significant risks, including identity theft, unauthorised surveillance, and discriminatory automated profiling.
The Data Protection and Privacy Act, 2019 was introduced to create a digital sentinel for Ugandan citizens. However, a law is only as strong as its enforcement and its ability to adapt to new technologies. To a third-year law student observing the rapid growth of FinTech and digital lending in Kampala, it is clear that the traditional understanding of privacy as simply “being left alone” is no longer sufficient. Modern privacy requires the right to control how one’s digital identity is sliced, diced, and sold by algorithms.
This article is structured as follows: it first examines the Act’s core principles, then surveys recent enforcement decisions by the Personal Data Protection Office (PDPO), and finally compares Uganda’s framework with the GDPR to identify gaps that require legislative attention.
Core Principles of the Ugandan Framework
The Act[2] is built upon several key principles that dictate how data collectors and processors must behave. For a student of law, three principles stand out as particularly vital:
- Accountability: Under Section 3 of the Act, the burden of proof lies with the data collector. They must demonstrate that they have implemented technical and organisational measures to protect data. This concerns the mode of collection, utilisation, and processing of the data concerned.
- Data Minimisation: Section 14 requires that data collected must be adequate, relevant, and not excessive. For example, a digital lending app does not need access to a user’s entire contact list or photo gallery to determine creditworthiness — doing so violates the principle of minimisation.
- Transparency and Consent: Under Section 7 of the Act, personal data must be collected directly from the data subject with their informed consent, unless specific legal exceptions apply. This principle also governs practices such as the acceptance of website cookies, through which platforms routinely collect user data in exchange for access to their services.
Recent Enforcement Case Studies in Uganda
To understand the law, one must look at how it is applied in the streets and courtrooms of Uganda. Recent years have seen the Personal Data Protection Office (PDPO) move decisively from sensitisation to enforcement.
The Meta Ruling
The most significant development in Ugandan data law is the February 2026 ruling involving Meta Platforms Inc. and WhatsApp LLC.[3] The public interest complaint, filed by AdLegal International Ltd, challenged the tech giant’s lack of local accountability. Meta argued that because it has no physical office or incorporation in Uganda, it is not subject to the Data Protection and Privacy Act. The Personal Data Protection Office rejected this argument. It ruled that the act of collecting, analysing, and transferring personal data of individuals located in Uganda creates a sufficient nexus to trigger Ugandan jurisdiction. As a result, the PDPO ordered Meta and WhatsApp to formally register as data collectors in Uganda and to implement specific safeguards for the cross-border transfer of Ugandan users’ metadata and behavioural analytics. This ruling is a landmark victory for Ugandan digital sovereignty, establishing that big tech companies cannot hide behind borders to avoid local privacy standards.
Anti-Competitive Data Bundling
In January 2026, a complaint was lodged with the COMESA Competition and Consumer Commission[4] — of which Uganda is a member — regarding Meta’s October 2025 update to its WhatsApp Business terms. The allegation was that Meta had restricted third-party AI chatbots from using the WhatsApp API while granting its own Meta AI a clear competitive advantage. The contrast between this matter and the PDPO ruling is instructive: while Uganda’s PDPO focuses on the privacy of the data, the COMESA Notice No. 1 of 2026 probe focuses on the market abuse of that data. Uganda protects the person; COMESA protects the market. This mirrors the European Union’s dual-track approach, where the GDPR governs privacy while the Digital Markets Act governs competition.
The Shame and Blame of Digital Lenders
A realistic and recurring issue in Uganda involves unregulated digital moneylenders. In 2025, the PDPO and Ugandan courts took a firm stand against Nano Loans and similar entities. These companies often scraped data from borrowers’ phones and, upon default, sent threatening WhatsApp messages to the borrower’s entire contact list. This conduct violates Section 10 of the Act, which protects the right to privacy, and Section 35, which prohibits the unlawful disclosure of personal data. The landmark conviction of a digital lender’s director in July 2025[5] sent a clear message that violating data privacy is no longer merely a regulatory slap on the wrist — it is a criminal offence in Uganda. In that case, a precedent was set: the accused had blackmailed a loan debtor using his personal data, threatening to expose him if he failed to repay. It was Uganda’s first criminal conviction concerning a breach of data privacy.
In July 2025, the PDPO also issued a landmark ruling against Google LLC.[6] Four Ugandan citizens complained that Google was collecting data without being registered in Uganda and transferring that data across borders without demonstrating adequate safeguards. The PDPO ruled that since Google has a commercial nexus in Uganda — in that it generates revenue from Ugandan users — it must register as a data collector under Section 18 of the Act.[7] This case reinforces the extraterritorial reach of Ugandan law: a physical office in Kampala is not required for the Act to apply.
Comparative Analysis: Uganda vs. The European Union (GDPR)
While the Ugandan Act is heavily inspired by the EU’s General Data Protection Regulation (GDPR), there are significant differences that impact how rights are exercised in practice.
Automated Decision-Making
The GDPR, under Article 22, provides a robust right to explanation: if an AI system rejects a European citizen’s loan application, the company must explain the logic behind that decision. In contrast, Section 38 of the Ugandan Act addresses rights in relation to automated decision-making but is less detailed. While it permits a person to request a human review of an automated decision, it lacks the explicit requirement for transparency of logic found in the GDPR. This is a gap that Ugandan regulators must fill, especially as local financial institutions — such as Emata — begin using AI for credit scoring.
The Right to be Forgotten
The GDPR provides a clear right to erasure under Article 17. While the Ugandan Act provides for the correction and deletion of data under Section 39, the process is more restrictive. In the European Union, this right is frequently invoked to remove old, embarrassing, or irrelevant search results. In Uganda, the law focuses more narrowly on data that is inaccurate, irrelevant, or excessively retained, making it somewhat harder for a citizen to demand deletion on the basis of a simple change of mind.
Penalties and Fines
Under the GDPR, fines can reach 20 million Euros or 4% of global annual turnover. Uganda’s Act provides for fines and imprisonment of up to 10 years for certain offences, but the monetary fines are significantly lower in absolute terms. However, it is important to note that for a Ugandan small or medium enterprise, a fine of 2% of annual gross turnover — as permitted under the Regulations — remains a serious business threat, ensuring meaningful levels of compliance.
Conclusion
The Data Protection and Privacy Act Cap 97 is a strong piece of legislation that has successfully moved Uganda into the digital age. From the criminal conviction of predatory lenders to bold rulings against global giants like Google and Meta, the PDPO has demonstrated that it is an operative and assertive regulator.
As we look toward the future, however, the greatest challenge to the Act is Artificial Intelligence. When a Ugandan citizen uses an AI-powered chatbot or a calorie-tracking app, their data is not simply stored — it is used to train a model. Does consent to use an app constitute consent to have one’s data used to train a global AI system? Under Section 13 of the Act, which provides for the retention of personal data, it is stipulated that data should be deleted once the purpose for which it was collected has been achieved. But AI training is an ongoing, iterative process — and this creates a legal friction that the Data Protection and Privacy Act[8] did not fully anticipate. To navigate this challenge, legal practitioners must look toward the National Information Technology Authority Guidelines[9] on Data Protection, which provide a technical roadmap for ensuring that “Privacy by Design” is integrated into local software development from the outset.
To truly excel, Uganda must also learn from the GDPR’s emphasis on algorithmic transparency. As we move deeper into 2026, the law must ensure that AI systems are held to the same standards of fairness and accountability as a human decision-maker. For the Ugandan data subject, privacy is no longer a luxury — it is a fundamental requirement for dignity in a digital world.
Bibliography
The Constitution of the Republic of Uganda, 1995.
Data Protection and Privacy Act, Cap 97.
Data Protection and Privacy Regulations, 2021.
General Data Protection Regulation (EU) 2016/679.
In the Matter of a Complaint against Google LLC, PDPO Ruling (2025).
Uganda v Director of Nano Loans Microfinance Ltd (2025).
Personal Data Protection Office (PDPO), Annual Performance Report 2024/2025.
National Information Technology Authority Act No. 4 of 2009.
AdLegal International Ltd v Meta Platforms Inc & WhatsApp LLC, PDPO Ruling (20 February 2026).
COMESA Competition and Consumer Commission, Notice of Investigation No. 1 of 2026 (AdLegal International v Meta Platforms Inc).
Ssekamwa Frank & 3 Ors v Google LLC, Complaint No. 08/11/24/6683.
Footnotes:
[1] Cap 97.
[2] Data Protection and Privacy Act, Cap 97.
[3] AdLegal International Ltd v Meta Platforms Inc & WhatsApp LLC, PDPO Ruling (20 February 2026).
[4] COMESA Competition and Consumer Commission, Notice of Investigation No. 1 of 2026.
[5] Uganda v Director of Nano Loans Microfinance Ltd (2025).
[6] Ssekamwa Frank & 3 Ors v Google LLC, Complaint No. 08/11/24/6683.
[7] Data Protection and Privacy Act, Cap 97.
[8] Cap 97.
[9] NITA-U Act (Act No. 4 of 2009).





