Context and Background

As of March 2025, Uganda had approximately 14.2 million internet users, representing 28% of the population, marking a modest increase from 13.3 million (27%) in early 2024. Digital services continue to expand, particularly in fintech and e-commerce, with the digital economy projected to reach US$2.5 billion in 2025, up from US$1 billion in 2022. Mobile money platforms now support over 27 million active accounts, reinforcing digital financial inclusion.

Government digitisation has also advanced, with an estimated 62% of public services accessible online through integrated systems such as the Parish Development Management Information System (PDMIS) and the Integrated Health Management Information System (IHMIS). However, rural–urban disparities in broadband infrastructure and digital literacy continue to limit equitable access. Compared to the 2024 analysis, which cited a 43% internet penetration rate, the 2025 figures suggest recalibrated measurement methodologies or updated population baselines rather than regression. What remains consistent across both assessments is Uganda's expanding digital ecosystem alongside low public awareness of privacy rights and limited access to enforcement mechanisms.

Positive Developments and Emerging Issues

Uganda retains a progressive statutory framework anchored in Article 27 of the Constitution, which guarantees the right to privacy. The Data Protection and Privacy Act (DPPA) operationalises this right through principles of lawful, fair, and secure data processing, including prior consent requirements under Section 7(1).

The Personal Data Protection Office (PDPO) has demonstrated increased assertiveness since 2024. Notably, in 2025 it directed Google to register as a data controller and collector within 30 days, finding violations relating to registration and cross-border transfers under Section 19 of the DPPA and Regulation 30. This decision represents a significant precedent in applying Uganda's data protection law extraterritorially and signals greater regulatory confidence compared to 2024.

Public awareness initiatives launched in 2023 under the "Stop, Think, Own Your Privacy" campaign remain relevant and form part of ongoing efforts to strengthen digital literacy. Judicial engagement also continues, particularly regarding biometric data oversight linked to the National Identification Registration Authority (NIRA).

Despite progress, implementation gaps persist:

• Limited clarity regarding mechanisms for withdrawal of consent under the DPPA
• Continued surveillance concerns under the Regulation of Interception of Communications Act
• Expanding digital ID and biometric systems under the Registration of Persons Act, raising proportionality and oversight concerns
• Capacity limitations affecting proactive audits and risk-based oversight

Compared to 2024, enforcement visibility has improved (notably through the Google determination), but systemic constraints remain largely unchanged.

Legal and Institutional Framework

Uganda's data protection regime is grounded in the Constitution and principally governed by the Data Protection and Privacy Act. The Act is implemented through the Data Protection and Privacy Regulations, 2021, which establish procedures for complaints, objections, and breach notification.

The DPPA applies extraterritorially, extending obligations to foreign entities processing Ugandan data subjects' information. This approach aligns with international human rights standards, including the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights, to which Uganda subscribes.

Supporting legislation includes:

• The Access to Information Act, governing public data disclosure
• The Computer Misuse Act, addressing cyber offences and unlawful access
• The Electronic Transactions Act, supporting secure digital transactions

Institutionally, oversight rests with the National Information Technology Authority - Uganda (NITA-U), established under the NITA-U Act, 2009, with the PDPO functioning as a semi-autonomous office within it. As noted in 2024, concerns regarding regulatory independence remain. The PDPO's structural placement within NITA-U continues to raise questions about autonomy and political insulation. While enforcement activity has become more visible in 2025, institutional architecture has not materially changed.

Enforcement Dynamics and Challenges

The 2024 assessment highlighted weak enforcement mechanisms, limited regulator engagement, and resource constraints. In the current assessment period, efforts were made to engage Uganda's Personal Data Protection Office, to obtain updated and detailed information concerning registration data, enforcement actions, institutional capacity, public awareness initiatives, and ongoing compliance monitoring.

Although contact was established, the engagement did not result in the provision of comprehensive or updated supervisory data. Consequently, this analysis is primarily based on publicly available sources, which limits the extent to which enforcement effectiveness, regulatory priorities, and the overall status of implementation under Uganda's data protection framework can be fully evaluated.

By 2025, the PDPO's determination against Google demonstrates increased willingness to confront large multinational platforms and enforce cross-border transfer provisions. Earlier precedents, such as the SafeBoda investigation (2023), remain important benchmarks for domestic enforcement and continue to inform regulatory practice.

However, several systemic challenges endure:

• Regulatory Independence: The PDPO remains embedded within NITA-U, limiting perceived autonomy.
• Resource Constraints: Financial and human capacity limitations continue to hinder proactive oversight.
• Limited Public Awareness: Citizens' understanding of complaint procedures and rights remains low.
• Consent Ambiguities: Withdrawal procedures remain insufficiently clarified in statute or regulatory guidance.
• Surveillance and Biometric Risks: Expansion of digital ID systems and interception laws continues to generate human rights concerns.

Overall, Uganda's 2025 position reflects incremental enforcement strengthening within an unchanged institutional structure. The legal framework remains robust on paper, consistent with the 2024 assessment, but effective protection continues to depend on enhanced independence, resource allocation, clearer regulatory guidance, and expanded public engagement.