ASSESSING THE EFFECTIVENESS OF THE PERSONAL DATA PROTECTION OFFICE DECISION IN SSEKAMWA FRANK & 3 ORS v GOOGLE LLC
INTRODUCTION
In Uganda’s rapidly digitalizing economy, the role and effectiveness of quasi-judicial entities in regulating data protection and privacy remain pivotal yet under-examined.
On 18th July 2025, the Personal Data Protection Office PDPO) delivered a landmark ruling in Ssekamwa Frank & 3 Others v Google LLC, the country’s first major enforcement under the Data Protection and Privacy Act, 2019 Cap. 97.
This case provides critical insights into the regulatory reach over multinational technology firms and the practical authority of Uganda’s data protection framework. This analysis explores the facts, reasoning, and implications of the PDPO’s decision, critically evaluating its effectiveness as an instrument of statutory enforcement and quasijudicial oversight.
FACTS OF THE CASE
On 8th November 2024, four Ugandan complainants: Ssekamwa Frank, Leni Sharon Pamela, Amumpaire Raymond, and Awino Mercy, filed a complaint with the PDPO against Google LLC. They alleged that Google had:
• Collected and processed their personal data without registering as a data controller or processor as required by Ugandan law.
• Transferred their personal data outside Uganda without adhering to legally mandated safeguards.
• Failed to provide recourse or redress, causing distress and uncertainty.
Google argued that it was exempt from Ugandan jurisdiction due to its lack of physical presence in Uganda. The PDPO rejected this defense, emphasizing the Act’s extraterritorial scope, reasoning that Google’s active service provision coupled with its registration and tax compliance in Uganda established a sufficient legal nexus. Accordingly, the PDPO found Google to be a data controller and collector in breach of the Data Protection and Privacy Act for failure to register and for improper cross border data transfers. Google was ordered to register within 30 days and demonstrate compliance with legal safeguards for international data transfers.
ANALYSIS OF THE DECISION’S EFFECTIVENESS
• The PDPO’s decision is effective within the limits prescribed by statute and operates as a tribunal as such, it has powers to investigate complaints, issue binding directives on registration and compliance, and oversee regulatory adherence.
• It is prudent to note that, unlike courts, the PDPO cannot award damages or impose criminal penalties, enforcement beyond directives depends on voluntary compliance or escalation to judicial authorities.
• The ruling is legally binding in compelling Google’s registration and compliance but relies on additional enforcement mechanisms to address non-compliance or compensation claims.
• The decision also sets a vital precedent, affirming Uganda’s regulatory reach over foreign digital platforms and clarifying that physical presence is not a prerequisite for legal accountability under the Data Protection and Privacy Act.
• Furthermore, it signals to both local and international entities the need to comply with Ugandan registration and data transfer requirements, encouraging regulatory clarity and enforcement rigor.
• The enforcement against powerful multinational corporations, especially absent physical presence, remains challenging and the PDPO’s influence often depends on reputational pressure, risk of court referrals, and international legal cooperation.
BROADER IMPLICATIONS
This ruling marks a significant regulatory milestone for Uganda and potentially influences data protection oversight in other African countries and emerging digital markets globally. It contributes to the growing international narrative that digital platforms bear accountability for data protection irrespective of their geographic location. The decision may prompt increased scrutiny of cross-border data practices and encourage stronger compliance frameworks. However, unresolved issues such as awarding damages or compelling behavioral change beyond registration remain court matters.
CONCLUSION
The Ssekamwa Frank & 3 Ors v Google LLC decision is a landmark regulatory achievement demonstrating the PDPO’s capacity to assert jurisdiction and compel compliance in Uganda’s digital space. While its powers are partly constrained by statute particularly in awarding remedies, its binding directives significantly enhance regulatory standards and underscore the government’s commitment to enforcing data protection. The ruling’s effectiveness will ultimately depend on follow-through actions from Google, other digital actors, enforcement bodies, and courts. Nonetheless, it sets a foundational benchmark for Uganda’s evolving data protection system and sends a strong signal to multinational tech companies globally.
