BY SAM ALFAN.
Giant search engine Google has been ordered to register as a data collector and processor by the Uganda Personal Data Protection Office, within 30 days.
The Data Protection Office in Uganda ruled that Google qualifies as a data controller and collector within the meaning of the Data Protection and Privacy Act.
The office said the failure by Google to register with as a data processor, was a violation of Section 29 of the Act and the Regulations.
PDP office further declared the move by Google transfer citizens personal data to jurisdictions outside Uganda, without demonstrating adequate safeguards or accountability, was in breach of the Act.
“Google LLC shall submit, within thirty (30) days of this decision, documentary evidence of its compliance framework for cross-border transfer of personal data of Ugandan citizens, including the legal basis and accountability measures in place, as required by Section 19 of the Act and Regulation 30 of the Regulations,” ordered PDPO office.
The office said the failure by Google to comply with the directive the orders would amount to an offence under the Regulations and attract a fine not exceeding three currency points of each day in default of the notice or to imprisonment not exceeding six months or both.
PDPO made the decision in a complaint filed by Ssekamwa Frank, Leni Sharon Pamela, Amumpaire Raymond and Awino Mercy against Google LLC.
The Complainants alleged that Google LLC violated Uganda’s Data Protection and Privacy Act, and the Data Protection and Privacy Regulations.
In particular, the complainants asserted three main breaches that Google LLC, as a data collector, controller, and processor failed to register with PDPO as required by the Act.
They also argued that Google had unlawfully transferred their personal data outside Uganda without meeting the legal conditions enshrined in the law, contrary to the Act and its Regulations.
The Complainants claimed the actions infringed on their data protection and privacy rights and caused them distress, for which they sought remedies and compensation.
They further submitted that the failure to register with PDPO, as well as its ongoing transfer of personal data outside Uganda without meeting the required legal safeguards, exposed them and other Ugandan users to risk of unauthorized access and misuse of their data.
They further stated that the absence of a registered Data Protection Officer meant their concerns could not be promptly addressed.
They said attempts to communicate with Google by email went unanswered, leaving them with no recourse or reassurance regarding the protection of their personal data.
The Complainants argued that this lack of transparency, accountability, and redress has caused them anxiety, uncertainty, and distress, and is likely to continue to do so for other Ugandans using Google service.
In response, Google acknowledged processing personal data of Ugandan users but maintained that its various corporate entities are separate and that, without a Gazette notice under Regulation 15(2), no registration obligation currently arises.
The company asserted that its global privacy policy adequately safeguarded personal data and meets accountability requirements under Uganda’s law.
Google contended that Section 19 of the Act and Regulation 30 apply only to controllers or processors domiciled in Uganda, and that Google LLC has no such domicile.
The giant search engine denied that its actions have caused or are likely to cause any actual damage or distress to the Complainants or other Ugandan users.
The company argued that it maintains comprehensive global privacy controls and that the Complainants have not provided specific evidence of harm.
“This statutory requirement is not merely procedural; it is designed to ensure that data controllers and processors remain accountable and accessible to data subjects, providing a clear and direct channel through which individuals may raise and resolve their concerns regarding the processing of their personal data,” said PDP.
Google LLC’s failure to register with PDPO meant that the Complainants had no means of knowing or contacting the designated Data Protection Officer for Uganda.
As a result, when the Complainants sought to have their concerns addressed, they were left without any official point of contact. The Complainants’ attempt to reach out by sending an email dated 9 October 2024 to the Google Chief Compliance Officer, raising their data protection and privacy concerns, went unanswered.
The inability to identify or contact a responsible person at Google or contact a responsible person at Google LLC, combined with the absence of any response to the Complainants’ communication, caused and is likely to continue causing genuine distress to the Complainants.
