THE PERSONAL DATA PROTECTION OFFICE DRAWS A LINE: WHY THE WHATSAPP RULING MATTERS

The Personal Data Protection Office (PDPO) recently ruled on a complaint that hits home for millions of smartphone users: the way WhatsApp and Meta handle our personal information.

Background of the case

Adlegal International Limited brought the matter in the public interest on behalf of Ugandan users of WhatsApp Messenger against the 1st Respondent (WhatsApp LLC), a U.S.-incorporated company responsible for operating the messaging service, and the 2nd Respondent (Meta Platforms, Inc.), the parent company of the Meta group. The dispute arose when a WhatsApp Privacy Policy update was communicated to users in January 2021. Adlegal alleged that this update forced Ugandan users into a take-it-or-leave-it position, where they had to accept expanded data-sharing practices within the Meta family of companies or lose access to the service.

Key Allegations

The complaint, filed with the Personal Data Protection Office (PDPO) on 31st March, 2025, raised several core issues:

  • The Complainant argued that WhatsApp shares Ugandan users’ data with Meta without freely given, informed, and explicit consent. They contended that the purposes of sharing were framed in broad, composite terms that prevented users from distinguishing between data necessary for messaging and data used for ancillary ecosystem-level purposes.
  • It was alleged that WhatsApp collects excessive data such as device identifiers, behavioural analytics, and location data beyond what is strictly necessary to provide a messaging service.
  • A major point of contention was the disparate treatment, or rather the transparency gap. It was alleged that WhatsApp provided materially weaker structured transparency to Ugandan users compared to those in other jurisdictions, specifically the European region. In Europe, WhatsApp provided structured tables correlating processing activities with specific lawful bases, a feature absent from the Ugandan policy.
  • The Complainant raised cross-border transfer issues and alleged that personal data was transferred outside Uganda to U.S. data centres without the Respondents demonstrating that these receiving jurisdictions afforded equivalent legal protections as required by Section 19 of the Data Protection and Privacy Act, Cap.97.

The Respondents’ Position

WhatsApp and Meta challenged the complaint on several grounds:

  • On jurisdiction and role: Meta argued it should be excluded because it is a separate legal entity and not the data controller for WhatsApp Messenger. Both respondents initially argued that because they are not incorporated in Uganda, the PDPO’s reach was limited.
  • The nature of the policy: WhatsApp maintained that its Privacy Policy is a transparency document rather than a consent instrument, and that it relies primarily on contractual necessity and legitimate interests for data processing.
  • WhatsApp denied causing harm and argued that there was no evidence of financial loss or tangible injury to users and that the allegations of harm were speculative.

The ruling is not just about legal technicalities; it is a significant moment for digital rights in Africa, highlighting three major shifts in how we should expect tech giants to behave.

  1. The transparency gap: if you can do it in Europe, do it here

One of the most striking parts of the case was the comparison between how WhatsApp treats users in Europe versus those in Uganda. In Europe, the privacy policy is structured with clear tables showing exactly what data is used for what purpose and the specific legal reason for doing so.

In Uganda, however, the PDPO found that the policy was structurally inferior. It bundled core messaging functions together with secondary ecosystem goals like product improvement and personalization without clearly explaining the difference. The ruling makes it clear: Ugandan users deserve the same level of clarity and control as anyone else in the world.

  2. Bundling is no longer allowed

The PDPO found that WhatsApp was essentially forcing users to agree to everything at once. While some data collection, like your phone number or routing data, is strictly necessary to actually send a message, other types of data use, such as advanced behavioural analytics across Meta’s other apps, are not indispensable to the service.

The office has now ordered WhatsApp to differentiate between these two. Within 90 days, the company must provide a way for Ugandan users to opt in to or out of these secondary data-sharing practices without losing access to the core messaging service.

  3. Redefining harm in the digital age

Perhaps the most forward-thinking part of this decision is how the PDPO defined harm. WhatsApp argued that no demonstrable material injury like financial loss or identity theft had occurred.

However, the PDPO disagreed, ruling that privacy harm includes the loss of autonomy and control over one’s own information. When a company makes it impossible for you to understand or manage how your data is being used, they are infringing on a legally protected interest, even if your bank account remains untouched.

The orders issued by the PDPO are significant and time-bound. WhatsApp is required to comply with the following orders within 90 days; failure to comply could lead to daily fines and further sanctions:

  • Revise its policy to clearly correlate data categories with specific purposes and lawful bases.
  • Implement a granular, opt-in mechanism for non-essential processing such as analytics or advertising that is not strictly necessary for messaging.
  • Conduct a Data Protection Impact Assessment (DPIA) specifically addressing intra-group data sharing.
  • Prove that data transferred outside Uganda to places like the U.S. is handled with the same level of protection required by Ugandan law.

Conclusion

This case serves as a wake-up call. It proves that local regulators have both the authority and the grit to hold global tech companies accountable, ensuring that where you live does not determine how much privacy you get.
