Background

The case arose from a complaint that was made by four Ugandan data subjects who claimed that Google was processing personal data from its users in Uganda without being registered with the PDPO. They also complained that Google was transferring their personal data outside Uganda without demonstrating that the jurisdiction to which the personal data was being transferred had measures for the protection of the personal data that were adequate and at least equivalent to the protection provided under the DPPA.

In response, Google argued that while it did collect personal data from Ugandan data subjects, it was not subject to Uganda’s DPPA registration requirements. It argued that the registration requirement was stated to be “subject to” regulation 15(2) of Uganda’s Data Protection and Privacy Regulations, 2021 (Regulations), a provision which grants the PDPO power to exempt certain data controllers and collectors from the registration requirement. Google reasoned that since the registration requirement was stated to be “subject to” the provision granting the PDPO power to gazette exemptions and no exemption had been gazetted by the PDPO, then the registration requirement ought not to be deemed to be in force and therefore its non-registration with the PDPO was not in breach of the law.

In response to the concerns raised over the cross-border transfer and storage of personal data, Google contended that section 19 of the DPPA, which restricts the transfer of personal data outside Uganda unless the recipient country has established adequate measures for the protection of the transferred personal data, did not apply to it. It pointed out that the express wording of section 19 imposes this obligation on data processors or data controllers that are “based in Uganda” and that since it had no physical presence in the country, the obligation did not apply to it.

Determination by the PDPO

In determining the issue of the obligation to register, it was held that the fact that the PDPO was yet to exercise its power to publish a gazette notice exempting certain data controllers, data processors and data collectors from the registration requirements did not relieve such parties of the obligation to be registered. Rather, the fact that the Regulations made the obligation to register “subject to” the exemption clause meant that “registration is mandatory unless and until a specific exemption is operationalised by way of gazette notice”. In other words, the lack of a gazette notice did not suspend the law and exempt Google from meeting its legal obligations. Google was therefore found to have breached its obligation to register as a data controller under the DPPA.

On the issue of cross-border data transfers, the PDPO also disagreed with Google’s argument. It held that the personal data transfer security obligations, though stated to apply to data processors or data controllers which are “based in Uganda”, had to be read in light of section 1, which extends the applicability of the DPPA to any person or organisation (regardless of their location in the world) that processes the personal data of Ugandan citizens.

Since Google had not demonstrated compliance with the transfer safeguards required under section 19 of the DPPA, it was found to have violated its cross-border obligations.

The PDPO issued directions to Google to comply with the requirements of the DPPA within 30 days of the decision and pointed out that a default in this regard would constitute a criminal offence under the DPPA.

Conclusion

This decision is important as it provides insight into the importance that the PDPO assigns to the extra territorial applicability of the DPPA, and points towards an inclination to interpret all provisions of the DPPA as having extra territorial effect. It serves as a timely reminder for global corporations processing personal data belonging to Ugandan data subjects to take proactive steps to understand and meet their compliance obligations regardless of where they are based. Much like Uganda’s DPPA, Kenya’s Data Protection Act, 2019 requires all non-exempted data controllers and processors to register with the Office of the Data Protection Commissioner and extends its applicability to data controllers and data processors based outside Kenya and which process personal data belonging to data subjects located in Kenya.

Click here to read our article on the data controller and data processor obligations in Kenya.