In a major turn of events, Google LLC officially withdrew its court appeal against a ruling by the Personal Data Protection Office (PDPO) of Uganda. The decision means Google will now comply fully with Uganda’s data-protection law, marking a significant victory for digital rights enforcement in the region.
The legal battle arose after four Ugandan citizens submitted a complaint accusing Google of collecting and processing personal data without complying with national data-protection statutes. The complaint, lodged in November 2024, argued that Google failed to register as a data controller under the country’s Data Protection and Privacy Act (DPPA) and unlawfully transferred personal data abroad without the required consent or safeguards.
In July 2025, PDPO issued a landmark ruling. The regulator determined that Google qualifies as a data controller and collector under Ugandan law. It ordered Google to register locally within 30 days, appoint a Data Protection Officer based in Uganda, and submit a compliance framework for cross-border data transfers. The ruling underscored that the law applies to any entity processing Ugandan citizens’ data whether or not it maintains a physical presence in Uganda.
Google responded to the ruling initially by challenging it, arguing that its global privacy policy provided sufficient protection and asserting that since it lacked physical domicile in Uganda, the law did not apply to it. The company also maintained that existing corporate structure exempted it from registration obligations.
But on November 5, 2025, Google withdrew its appeal and committed to meet all PDPO requirements. The move triggers immediate enforceability of the PDPO’s orders. Google must register as a data controller/processor in Uganda, appoint a local Data Protection Officer, and ensure that future cross-border data transfers meet the DPPA’s standards.
What This Means for Digital Rights and Tech Firms in Africa
This outcome sends a strong signal: African regulators will enforce data protection laws against even the largest global technology firms. Regulators in other African nations may feel emboldened to pursue similar enforcement efforts and international companies may now treat compliance with local data laws as non-negotiable.
For Ugandan users, the development promises greater control over personal data. They now benefit from legal backing for data privacy, local accountability through a Data Protection Officer, and more transparency around cross-border data flows.
For Google and other global tech platforms, the decision resets the rules for operating in Africa. Compliance will likely involve registering locally, appointing local officers, and demonstrating adequate data-transfer safeguards. Firms may need to reassess global privacy policies to meet varying national standards.
This resolution may mark the start of a new era one where African regulators assert digital sovereignty and hold international companies to local law. As this trend spreads, tech firms will need to navigate a patchwork of data-protection requirements but users may gain stronger rights and protections as a result.
