By Julius Mboizi
In a noteworthy decision with potential regional implications, Uganda’s Personal Data Protection Office (PDPO) on July 18, 2025, ruled against Google for violations of the Country’s Data Protection and Privacy Act Cap. 97. While this ruling emerges from a single African jurisdiction, it may prove pivotal in shaping how global digital platforms engage with emerging markets and how those markets assert their digital sovereignty in return.
In November 2024, four Ugandan citizens (all descendants of Max Schrems) filed a formal complaint with the PDPO against Google LLC, alleging non-compliance with Uganda’s Data Protection and Privacy Act.
The complainants argued that Google had failed to register as a data collector, processor, or controller, as required under the Act, and that it had engaged in the cross-border transfer of personal data without prior authorisation from the PDPO. They further claimed that these actions violated their data protection rights and caused emotional distress, warranting compensation.
Echoing the extraterritorial reach of the European Union's GDPR, at the heart of the decision is the concept of "commercial nexus", the idea that a company that derives value from users in a particular jurisdiction, regardless of where it is physically located, must comply with that jurisdiction’s data protection laws. The PDPO determined that Google collects, processes, and monetizes data from Ugandan users, thereby establishing a substantial and ongoing economic presence in the Country.
In effect, economic, not physical, footprint defines regulatory responsibility in the digital age.
This is an example of how global data governance is evolving. In the past, global platforms have argued that they are not subject to local laws because they have no local servers or registered legal entities. The decision rejects this logic, essentially asserting local presence is defined by more than just office space.
By holding Google accountable for non-compliance with user consent requirements and insufficient transparency under Ugandan law, the PDPO is asserting its digital sovereignty.
Crucially, while this is a single-country decision, it reflects a broader regulatory assertiveness taking root across the Continent.
Kenya has demonstrated growing resolve through its Office of the Data Protection Commissioner (ODPC), with recent investigations into cross-border data transfers and digital lenders. Nigeria’s NDPC is actively building out its enforcement capabilities and is expected to follow suit with tighter compliance expectations.
This PDPO Google LLC decision was quickly followed by a recent criminal conviction of a digital lender for privacy violations is part of this emerging regulatory pattern where African regulators are increasingly going beyond public education and sensitisation efforts to full spectrum enforcement.
For digital platforms, it is a reminder that while data governance may be global in principle, it is increasingly local in application, regardless of where the servers sit.
As regulatory capacity grows across the Continent, the expectation is that similar determinations will follow. The PDPO’s interpretation of commercial nexus could be adopted by peer authorities, resulting in a significant increase in risk exposure and compliance expectations for global platforms.
Specific Orders against Google
Within 30 days:
(i) register as a controller, collector with the PDPO;
(ii) provide the PDPO with the contact details of its designated data protection officer; and
(iii) submit documentary evidence of its compliance framework for cross-border data transfers, including the legal basis for such transfers and the accountability measures in place to ensure the security of personal data transferred outside Uganda.
If replicated across other jurisdictions, the decision could reshape how global platforms approach compliance, risk, policy, and regulatory engagement in the Global South.
Importantly, Uganda’s position reflects a maturing approach to digital governance, based on regulatory parity and respect for user rights, extending the compliance and accountability expectations of smaller local entities to large multinational platforms to restore balance and trust in the global digital ecosystem.
