The Personal Data Protection Office (PDPO) of Uganda issued a decision with legal ramifications for data transfers conducted by multinational entities (MNEs) collecting data of Ugandans or relating to Ugandans. This decision affects subsidiaries, branch offices, affiliates and holding companies. In the 18th July decision, the Director ordered Google LLC (“Google”) to register with the Uganda PDPO, to provide details of their data protection officer, and to submit documentary evidence of the compliance framework for cross border data transfers. In this brief, we discuss the salient features of the decision and its implications for MNEs. We examine this decision in the context of previous regulator decisions and comment on the limited approach taken regarding the parameters for determining what amounts to a “harm” arising from non-compliance with data privacy laws.
Background
Four Ugandan data subjects—Ssekamwa Frank, Leni Sharon Pamela, Amumpaire Raymond and Awino Mercy— submitted a complaint to the PDPO concerning the conduct and omissions of Google. The complainants averred that Google was collecting personal data without registering as a data collector and processor in Uganda. Further, that Google unlawfully transferred their personal data without complying with the legal requirements under Uganda’s Data Protection and Privacy Act (DPPA) Cap. 97. In addition, they alleged that the above actions by Google, infringed their data protection and privacy rights and caused them distress.
The PDPO Decision
The PDPO found that Google is a data controller and collector within the meaning of the DPPA, as such, Google’s failure to register with the Uganda PDPO violated Section 29 of the DPPA and Regulation 15 of the Data Protection and Privacy Regulations (DPPR). Further, that Google’s transfer of personal data of Ugandan citizens to jurisdictions outside Uganda, without demonstrating adequate safeguards breached Section 19 of the DPPA and Regulation 30 of the DPPR. The PDPO stated;
PDPO finds that the legal structure is clear: the general rule is that registration is mandatory, unless and until a specific exemption is operationalized by way of gazette notice. The mere existence of an enabling provision for exemption does not, by itself, displace the general requirement.
Other Similar Regulatory Decisions
The PDPO’s pronouncements on complaints serve as a guide to interpret and understand the scope of obligations under the DPPA. This decision must be understood, in the context of similar decisions issued after the enactment of the DPPA.
