On February 20, 2026, Uganda’s Personal Data Protection Office (PDPO) issued a landmark ruling that could reshape how multinational tech companies operate across Africa. The PDPO ordered Meta Platforms Inc. and its subsidiary WhatsApp LLC to comply fully with Uganda’s Data Protection and Privacy Act of 2019, marking a decisive step toward asserting digital sovereignty on the continent.
Context of the Ruling
The decision follows a complaint by Adlegal International Ltd, a Kampala-based legal advocacy group. The complaint challenged WhatsApp’s 2021 privacy policy, which required Ugandan users to share personal data with Meta companies without any option to opt out. Meta and WhatsApp had argued that they were outside the jurisdiction of Ugandan law due to their lack of incorporation or physical presence in the country. The PDPO rejected this argument, establishing that the processing of personal data belonging to individuals in Uganda is sufficient to trigger local data protection obligations.
Key Findings
The PDPO identified several breaches of the law:
- Lack of Consent: WhatsApp’s practice of sharing user data with Meta for analytics and cross-platform purposes failed to meet Uganda’s standard of “freely given, informed, and explicit consent.”
- Excessive Data Collection: While basic data such as phone numbers and messaging metadata was considered necessary, additional data collected for ecosystem integration violated the principle of data minimization.
- Discriminatory Treatment: Ugandan users were offered weaker privacy protections compared to European users under GDPR, a disparity flagged as a regulatory concern.
Mandatory Compliance Measures
The PDPO’s order requires Meta and WhatsApp to take concrete steps to align with Uganda’s law:
- Registration: Both entities must formally register as data controllers and processors with the PDPO.
- Cross-Border Data Safeguards: They must implement lawful safeguards for transferring Ugandan users’ data to servers outside Uganda, including in the U.S. and Ireland.
- Policy Alignment: WhatsApp must revise its privacy policy for Ugandan users to comply with national law within a defined timeline.
Implications for Africa’s Digital Landscape
This ruling is a significant milestone for data governance in Africa. By enforcing national laws on global tech giants, Uganda has signaled that local data protection frameworks cannot be bypassed, even by companies operating virtually. The decision also brings Uganda closer to global privacy standards such as GDPR, and mirrors regulatory actions seen in Nigeria and other African markets.
For data governance professionals, this case underscores the importance of digital sovereignty;the principle that countries have the right to enforce local rules on the collection, processing, and transfer of citizens’ data. It also highlights the growing expectation that multinational companies will design policies that respect not only global compliance obligations but also local laws and user rights.
As African regulators increasingly assert themselves, organizations operating across borders will need to prioritize contextualized data protection strategies, ensuring that both global standards and local legal requirements are met. Uganda’s ruling could set a blueprint for similar actions across the continent, ultimately strengthening the protection of personal data for millions of users.