In a major victory for African digital rights and regulatory authority, Google LLC has formally withdrawn its appeal in a landmark data protection case, committing to comply fully with the Uganda Data Protection and Privacy Act (DPPA).
The case, Ssekamwa Frank & 3 Others v. Google LLC (Complaint No. 08/11/24/6683), centered on Google’s failure to adhere to local data protection laws.
The Personal Data Protection Office (PDPO), Uganda’s Data Protection Authority, had previously issued a binding ruling against Google. The tech company initially resisted, arguing it had no obligation to comply because it lacked a physical presence in Uganda.
The PDPO firmly rejected this stance, asserting that its jurisdiction extends to any entity collecting or processing the personal data of Ugandan citizens, regardless of where that company is headquartered.
Following this robust defence by the complainants and intervention from the Minister of ICT and National Guidance, Google formally notified authorities of its decision to withdraw the appeal on November 5, 2025.
Google’s withdrawal confirms the immediate enforceability of the PDPO’s original orders. To continue operating in relation to Ugandan users, Google must:
- Register with the PDPO: Officially register as a data controller/processor in Uganda.
- Appoint a Local DPO: Appoint a Data Protection Officer (DPO) who is based in Uganda.
- Ensure Cross-Border Compliance: Demonstrate and ensure compliance with all national regulations governing the transfer of personal data outside Uganda.
The resolution of this case sets a crucial legal precedent across the continent, signalling a new era of accountability for multinational technology corporations. The ruling confirms that:
- Extraterritorial Scope: The DPPA applies to any company—local or foreign—that collects or processes data belonging to Ugandans.
- Mandatory Registration: All entities operating in relation to Ugandan data must register with the PDPO.
- Strict Transfer Standards: Companies conducting cross-border data transfers must meet rigorous Ugandan legal standards, which require either the explicit consent of the data subject or proof that the recipient country offers adequate protection measures equivalent to the DPPA.
OneTechConnect, the youth-led organization championing digital justice, stated, “This case affirms that the digital rights of Ugandan users cannot be ignored… The withdrawal of the appeal is a win for digital justice, user dignity, and national regulatory authority.”
The outcome underscores the increasing trend of African nations enforcing domestic laws to safeguard citizen data, forcing Big Tech to adapt to local regulatory frameworks.