Uganda’s Data Protection Law: First Ever Fine, Mandates, and Comparison to POPIA and GDPR

Uganda’s Data Protection and Privacy Act, 2019 (DPPA) represents a significant step in safeguarding personal data within the country. Enacted to protect individuals’ privacy rights, the law regulates the collection, processing, and use of personal data. Recently, the law saw its first enforcement through a conviction, highlighting its practical application.

Uganda’s Data Protection and Privacy Act, 2019

The DPPA aims to protect the privacy of individuals by regulating the collection and processing of personal data in Uganda. It applies to any person, institution, or public body that collects, processes, holds, or uses personal data within Uganda, and extends to entities outside Uganda if they process data related to Ugandan residents. The law is enforced by the Personal Data Protection Office (PDPO), which oversees compliance, registration, and investigations.

What the Law Mandates

The DPPA outlines several key mandates for data controllers, processors, and collectors. As noted in our other educational guides, data localization requirements vary by country:

  • Registration Requirement: All entities that collect or process personal data must register with the PDPO to ensure their practices are lawful, fair, and transparent.
  • Consent and Justification: Personal data can only be processed with the data subject’s consent or a legal justification. Processing must align with principles like purpose limitation, prohibiting misuse beyond the original intent.
  • Data Protection Principles: The Act enforces seven core principles: lawfulness and fairness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
  • Rights of Data Subjects: Individuals have rights to access, rectify, erase, or object to the processing of their data. Sensitive data (e.g., religious beliefs, political opinions) requires heightened protection.
  • Security and Breach Notification: Data must be secured against unauthorized access, and breaches must be reported as soon as practicable.
  • Cross-Border Transfers: Data transfers outside Uganda require adequate protection levels or data subject consent.

Non-compliance can lead to penalties, including fines up to UGX 4.8 million (approximately $1,300), imprisonment for 3-10 years, or fines up to 2% of annual gross turnover in severe cases.

The First Ever Conviction and Fine

On July 10, 2025, Uganda recorded its first conviction under the DPPA in a case involving Mr. Ronald Mugulusi, Director of Nano Loans Microfinance Ltd, which operates the Quickloan app. The case stemmed from complaints about the app’s practices between 2023 and 2025 in Kampala.

Details of the Violation:

  • Mugulusi failed to register his company with the PDPO despite collecting and processing personal data.
  • He misused a borrower’s personal data (name, phone number, and photograph) by creating a threatening video sent via WhatsApp, warning of publication on TikTok for loan non-repayment. This violated the purpose limitation principle, as the data was collected for loan processing but used for shaming.

Mugulusi pleaded guilty to the first count (failure to register) and entered a plea bargain. He was fined UGX 300,000 (about $80). The second count (privacy violation) was resolved through court-sanctioned reconciliation, where he compensated the complainant, Mr. Michael Wonambwa, leading to a stay of proceedings. The PDPO had previously engaged Mugulusi to comply, but he did not, prompting prosecution by the Criminal Investigations Directorate and the Office of the Director of Public Prosecutions.

This case underscores the DPPA’s emphasis on accountability and serves as a warning to other entities handling personal data.

Comparison to POPIA and GDPR

While the DPPA draws inspiration from international standards like the GDPR, it has distinct features when compared to South Africa’s POPIA and the EU’s GDPR. We have a breakdown of the different privacy laws by state in this guide; below is a summary of the key aspects of each of these three country privacy laws:

Scope and Applicability
  • Uganda DPPA: Applies to personal data processed in Uganda or affecting Ugandans; no strong extraterritorial reach.
  • South Africa POPIA: Applies to personal information of natural and juristic persons processed in South Africa; some extraterritorial elements.
  • EU GDPR: Extraterritorial; applies to EU residents’ data worldwide.

Principles
  • Uganda DPPA: 7 principles: lawfulness/fairness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
  • South Africa POPIA: 8 conditions: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation.
  • EU GDPR: 7 principles: lawfulness/fairness/transparency, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.

Data Subject Rights
  • Uganda DPPA: Access, rectification, erasure, objection; no explicit right to data portability.
  • South Africa POPIA: Similar to GDPR: access, correction, deletion, objection; includes rights for juristic persons.
  • EU GDPR: Comprehensive: access, rectification, erasure (right to be forgotten), restriction, portability, objection.

Obligations for Controllers/Processors
  • Uganda DPPA: Registration with PDPO, consent or legal basis, security measures; DPO required in certain cases.
  • South Africa POPIA: Appoint Information Officer, lawful processing, DPIAs for high-risk processing; similar to GDPR but adapted for the South African context.
  • EU GDPR: DPO for public/large-scale processing, DPIAs, records of processing, consent must be explicit.

Breach Notification
  • Uganda DPPA: As soon as practicable.
  • South Africa POPIA: As soon as reasonably possible.
  • EU GDPR: Within 72 hours to the authority; without undue delay to data subjects if high risk.

Penalties
  • Uganda DPPA: Fines up to UGX 4.8M (~$1,300) or 2% of turnover; imprisonment of 3-10 years.
  • South Africa POPIA: Fines up to ZAR 10M (~$550,000); imprisonment of up to 10 years.
  • EU GDPR: Up to €20M or 4% of global annual turnover, whichever is higher.

Enforcement Authority
  • Uganda DPPA: PDPO, with criminal prosecutions via the courts.
  • South Africa POPIA: Information Regulator, with administrative and criminal penalties.
  • EU GDPR: National Data Protection Authorities (DPAs), coordinated by the EDPB.

Key Differences
  • Uganda DPPA: Lower penalties, no legitimate interest basis, less emphasis on extraterritoriality.
  • South Africa POPIA: Protects juristic persons, higher child age threshold (18), fixed fines lower than GDPR.
  • EU GDPR: Higher fines, strong extraterritorial application, includes legitimate interests as a basis.

While all three laws share foundational principles inspired by global standards, the DPPA and POPIA are tailored to their regional contexts with milder penalties compared to the GDPR’s robust enforcement. Organizations operating across these jurisdictions should align their practices to the strictest requirements to ensure compliance.
