Uganda has fired what may become one of the most consequential regulatory shots yet in Africa’s unfolding battle over digital sovereignty.
In a landmark ruling, the country’s Personal Data Protection Office (PDPO) has found that global tech giants WhatsApp LLC and Meta Platforms Inc. are subject to Uganda’s data protection laws — despite having no physical presence within the country.
The decision, arising from a complaint filed by Kampala-based Adlegal International Ltd, establishes that multinational digital platforms processing the personal data of Ugandan citizens must comply with the country’s Data Protection and Privacy Act, 2019, including mandatory registration with the national regulator.
Jurisdiction Without Borders
At the heart of the case was a critical question facing regulators across emerging markets:
Can a country regulate foreign digital platforms that operate entirely online but collect and process personal data from its citizens?
Meta and its messaging subsidiary WhatsApp argued — in effect — that their lack of incorporation or physical footprint in Uganda placed them outside the scope of local regulatory oversight.
The PDPO disagreed.
In its ruling, the Office held that the act of collecting, analysing, storing and transferring personal data of individuals located in Uganda constitutes sufficient nexus to trigger jurisdiction under domestic law — regardless of where the data processor is headquartered.
This interpretation effectively affirms the extra-territorial reach of Uganda’s privacy regime, aligning it with global frameworks such as the EU’s GDPR, which applies similar logic to foreign technology firms operating across borders.
Data Processing at Scale
The regulator found that WhatsApp and Meta’s platform activities — including user registration, metadata collection, contact synchronisation, behavioural analytics and cross-platform integration — amount to personal data processing within the meaning of Uganda’s law.
Uganda Airlines Grounds Two Long-Haul Jets, Affecting London and Mumbai Flights as Dubai Service Continues
As such, the companies qualify as both Data Collectors and Data Processors under the Act.
This classification triggers statutory obligations, including registration with the PDPO and the implementation of safeguards governing international data transfers.
According to the ruling, neither company had fulfilled these compliance requirements.
Compliance Orders Issued
The Personal Data Protection Office has now directed WhatsApp LLC and Meta Platforms Inc. to register as data collectors and processors in Uganda, to regularise their data handling practices in accordance with national law, to ensure that lawful safeguards are in place for the cross-border transfer of Ugandan users’ personal data, and to align their privacy frameworks with domestic regulatory standards. Non-compliance may attract administrative sanctions under the Act.
A Signal to the Digital Economy
For Uganda’s fast-growing digital economy — from fintech to e-commerce and media platforms — the implications are immediate.
The ruling signals that:
any entity, domestic or foreign, that processes the personal data of Ugandan citizens will be required to comply with national data governance standards.
Legal analysts say the decision may embolden regulators across Africa to assert greater oversight over multinational technology firms whose services operate seamlessly across jurisdictions but whose compliance structures often remain rooted in foreign legal regimes.
As African governments seek to balance innovation with consumer protection, the PDPO’s ruling marks a decisive step toward reclaiming regulatory authority in an increasingly borderless digital marketplace.
