The recent decision by the Personal Data Protection Office (PDPO) in Uganda in the case of Frank Ssekamwa & 3 others vs. Google LLC - Complaint No: 08/11/24/6683 addresses critical issues surrounding the registration of data controllers and processors, particularly those without a physical presence in Uganda, and their obligations concerning cross-border data transfers. This ruling holds significant implications for the landscape of data protection across the African continent.
The complainants in Uganda alleged that Google LLC, acting as a data collector, controller, and processor, failed to register with the PDPO and unlawfully transferred their personal data outside Uganda without meeting the legal conditions; the alleged failures included the absence of a designated Data Protection Officer (DPO).
Google LLC acknowledged processing data of Ugandan users but argued that its corporate entities were separate, and no registration obligation arose without a specific Gazette notice for exemptions under Regulation 15(2). Google also contended that Section 19 of the Act and Regulation 30, which govern cross-border data transfers, apply only to entities domiciled in Uganda, which Google claimed not to be. Furthermore, Google asserted that its global Privacy Policy adequately safeguards personal data.
The PDPO made several key determinations:
Qualification as Data Controller/Collector: The PDPO found that Google LLC, by collecting user data from Uganda and determining the purposes and means of processing, qualifies as both a data controller and a data collector under the Ugandan Act.
Mandatory Registration: The PDPO clarified that the general obligation for all data controllers, collectors, and processors to register with the PDPO (Section 29 of the Act and Regulation 15(1)) remains mandatory, even if the power to issue exemptions (Regulation 15(2)) has not been exercised. The mere existence of an enabling provision for exemption does not suspend the general requirement. Google's non-registration was thus deemed a violation.
Extra-Territorial Application: The PDPO strongly affirmed the extra-territorial application of Uganda's Data Protection and Privacy Act. It cited Section 1, which applies to "a person, institution or public body outside Uganda who collects, processes, holds or uses personal data relating to Ugandan citizens".
"Nexus" for Regulatory Reach: The PDPO rejected Google's argument that Section 19 and Regulation 30 apply only to entities based in Uganda. It highlighted Google's established commercial presence, including being a registered taxpayer remitting VAT and digital services tax in Uganda, actively deriving revenue from Ugandan users, and interacting with Ugandan statutory frameworks. This "nexus" was deemed sufficient to ground Google's data protection obligations, irrespective of its physical domicile.
Cross-Border Transfer Violation: The PDPO found that Google LLC violated Section 19 of the Act and Regulation 30 by failing to provide evidence of a lawful basis or compliance framework for transferring the complainants' personal data outside Uganda.
Impact on Data Subjects: The PDPO acknowledged that Google's failure to register and the inability of complainants to contact a local DPO caused distress, anxiety, and uncertainty, underscoring the importance of accountability and accessible recourse for data subjects.
Orders Issued: The PDPO ordered Google LLC to register with the PDPO within 30 days and to submit documentary evidence of its compliance framework for cross-border transfer of Ugandan citizens' personal data. Notably, the PDPO stated it did not have the authority to award compensation or order data localisation at this stage.
The Ugandan decision sets a significant precedent for how African nations may regulate global tech companies and enforce their data protection laws.
Drawing on the ruling and provisions of various African data protection laws, here are key questions to explore the decision's broader impact across the African continent:
How will African Data Protection Authorities (DPAs) leverage the "commercial nexus" principle to enforce extra-territorial reach on foreign data controllers and processors?
The Ugandan PDPO explicitly relied on Google's status as a registered taxpayer remitting VAT and digital services tax in Uganda as a basis for asserting jurisdiction and obliging registration. This precedent could embolden other African DPAs to expand their regulatory enforcement beyond traditional physical presence to include any significant commercial activity or digital footprint within their borders. Many African data protection laws already possess extra-territorial scope, applying where data processing occurs within their territory, where it is carried out by entities established there, where data subjects are located there, or where means located within the territory are used [Angola: Art. 3(2), (3); Botswana: Sec. 3(2); Congo: Art. 2; Côte d'Ivoire: Art. 10(2); Eswatini: Sec. 2(2); Ethiopia: Art. 3(2); Gabon: Art. 3; Madagascar: Art. 5, 6(1); Mauritania: Art. 1(2); Mauritius: Sec. 3(2); Niger: Art. 2; Rwanda: Art. 2(1); Senegal: Art. 2; South Africa: Sec. 3(1); Togo: Art. 2(4); Zimbabwe: Sec. 2(3)]. The Ugandan decision provides a tangible enforcement mechanism for this inherent extra-territoriality. Furthermore, this could increase demands for foreign entities to appoint local representatives or Data Protection Officers (DPOs), a requirement explicitly or implicitly found in various laws [Algeria: Art. 4; Angola: Art. 31(i); Benin: Art. 409(1); Botswana: Sec. 4(2); Congo: Art. 240 (implicit, as non-resident controllers are mentioned); Côte d'Ivoire: Art. 10(2); Gabon: Art. 51(2); Mauritania: Art. 38(1); Mauritius: Sec. 32(1); Niger: Art. 29(1); Rwanda: Art. 39(1); Senegal: Art. 22(1); South Africa: Sec. 55(1); Togo: Art. 10(1)].
Will the increased scrutiny on cross-border data transfers lead to a more harmonised approach to "adequate protection" standards or create greater fragmentation across Africa?
The PDPO found that Google failed to demonstrate a lawful basis or compliance framework for transferring data outside Uganda, emphasising the criticality of proper safeguards. Many African data protection laws permit international data transfers only to countries that ensure an "adequate" or "sufficient" level of data protection, or under specific derogations and safeguards [Angola: Art. 33, 34; Benin: Art. 392(1); Botswana: Sec. 75(1), 76(1); Cape Verde: Art. 19(2), (3); Congo: Art. 46; Eswatini: Sec. 32(3), (4); Ethiopia: Art. 20(1), 21(1); Gabon: Art. 42; Madagascar: Art. 20; Mauritania: Art. 21; Mauritius: Sec. 36(1), (4); Morocco: Art. 37(1), (2); Niger: Art. 62, 63; Nigeria: Sec. 2.1(1); Rwanda: Art. 48(1), (2); Sao Tome: Art. 20(1); Senegal: Art. 51; South Africa: Sec. 72(1); Togo: Art. 29(1), 30; Tunisia: Art. 51; Zimbabwe: Sec. 28, 29]. This decision could prompt other DPAs to more rigorously assess and enforce these standards. The question then becomes whether this will foster a more unified approach to data transfer mechanisms (e.g., standard contractual clauses, binding corporate rules) accepted across the continent, or if differing national interpretations will lead to complex, country-specific compliance challenges for global operators.
Will the emphasis on accountability and accessible recourse for data subjects lead to stronger DPO requirements and an increase in data protection litigation across Africa?
The Ugandan PDPO acknowledged the distress and uncertainty caused by Google's non-registration and the inability of complainants to easily contact a local DPO, highlighting the practical implications for data subjects. Many African laws grant data subjects rights such as the right to information, access, rectification, opposition, and even compensation for damages [Angola: Art. 6(2), 25-28; Benin: Art. 415, 423, 441, 483(3), (4); Botswana: Sec. 3(1); Congo: Art. 46, 50-53, 60; Eswatini: Sec. 10, 19, 20; Ethiopia: Art. 24, 26-28; Gabon: Art. 10, 14; Ghana: Sec. 24, 30, 31; Kenya: Sec. 26; Lesotho: Art. 28-31; Madagascar: Art. 4(2), 22-25; Mauritania: Art. 53, 55-58, 61, 62; Mauritius: Sec. 38, 39; Morocco: Art. 6-9; Niger: Art. 32-35; Nigeria: Art. 3.1(1), (4)(h), (5); Rwanda: Art. 18-24; Sao Tome: Art. 7(2), 8, 9; Senegal: Art. 37, 39-44, 69; South Africa: Sec. 5, 23-25; Togo: Art. 18, 36, 39, 46; Tunisia: Art. 9, 34-38, 40, 42; Zambia: Art. 28(1)(f), 56-58, 60; Zimbabwe: Sec. 8, 10, 11]. The Ugandan decision could therefore encourage more proactive enforcement of DPO mandates and possibly lead to an increase in data subject complaints and litigation in other African jurisdictions, especially where similar distress or harm can be demonstrated.
What will be the impact on the digital economy in Africa as governments increasingly assert regulatory authority over global tech companies, potentially influencing investment and operational strategies?
The Ugandan ruling is a clear signal of African states' growing assertiveness in regulating the digital space. The explicit link between Google's tax compliance and its data protection obligations suggests a broader strategy where tax frameworks and other regulatory instruments might be used to establish a "nexus" for data protection enforcement. This could lead to global tech companies re-evaluating their operational models in Africa, potentially increasing investment in local data centers or compliance infrastructure to meet diverse national requirements. Conversely, it could also raise concerns about regulatory burdens and market fragmentation, influencing market entry and expansion decisions.
How will the Ugandan PDPO's assertive enforcement influence regional cooperation and harmonisation efforts among African DPAs under initiatives like the Malabo Convention?
The Malabo Convention and various national laws explicitly encourage cooperation among DPAs to facilitate effective enforcement and exchange of information [Malabo Convention: Art. 25(3)(m); Algeria: Art. 27(15); Angola: Art. 44(i); Benin: Art. 483(25); Botswana: Sec. 79(a)-(c); Burkina Faso: Art. 56(7); Eswatini: Sec. 2(3)(a); Kenya: Sec. 8(1)(e); Madagascar: Art. 38(e); Mauritania: Art. 68(2)(h); Mauritius: Sec. 44(c); Nigeria: Sec. 6.2(1)(d); Rwanda: Art. 27(8), (9); South Africa: Sec. 88(4); Togo: Art. 65(8); Zimbabwe: Sec. 4(j)]. The Ugandan decision, as a tangible example of assertive enforcement against a global tech giant, could serve as a model and catalyst for other DPAs to take similar actions. This might accelerate the drive for regional harmonisation of data protection standards and enforcement practices, fostering a more unified African stance on digital regulation, or it might expose underlying challenges in achieving such unity if national interpretations diverge significantly.