Uganda has fired what may become one of the most consequential regulatory slots yet in Africa’s unfolding battle over digital sovereignty. In a land mark ruling, the country’s personal Data Protection Officer (PDPO) has found that global tech giants Whatsupp LLC and Meta Platforms Inc. are subject to Uganda’s data protection laws – despite having no physical presence within the country. The decision, arising from a complaint filed by Kampala-based Adlegal International Ltd, establishes that multinational digital platforms processing the personal data of Uganda citizens must comply with the country’s Data Protection and privacy Act, 2029 including mandatory registration with the national regulator.

At the heart of the case was a critical question facing regulators across emerging markets. Can a country regulate foreign digital platforms that operate entirely online but collect and process personal data from its citizens? Meta and its messaging subsidiary WhatsApp argued – in effect – tat their lack of incorporation or physical footprint in Uganda placed them outside the scope of local regulatory oversight. In its ruling, the Office held that the act of collecting, analyzing, storing and trabsfering personal data of individuals located in Uganda constitutes sufficient nexus to trigger jurisdiction under domestic law – regardless of where the data processor is headquartered. This interpretation effectively affirms the extra-territorial reach of Uganda’s privacy regime, aligning it with global frameworks such as the EU’s GDPR, which applies similar logic to foreign technology firms operating across borders. The regulator found that WhatsApp and Meta’s platform activities – including user registration, metadata collection, contact synchronization, behavioral analytics and cross-platform integration – amount to personal data processing within the meaning of Uganda’s law. As such, the companies qualify as both Data Collectors and Data Processors under the Act. This classification triggers obligations, including registration with PDPO and the implementation of safeguards governing international data transfers. According to the ruling, neither company had fulfilled these compliance requirements.

The Personal Data Protection Office has now directed WhatsApp LLC and Meta Platforms Inc. to register as a data collectors and processors in Uganda, to regularize their data handling practices in accordance with national law, to ensure that lawful safeguards are in place for the cross broader transfer of Ugandan users’ personal data and to align their privacy frameworks with domestic regulatory standards. Non-compliance may attract administrative sanctions under the Act…