Uganda Asserts Data Sovereignty, Orders Meta and WhatsApp to Comply with Local Laws
In a landmark ruling, Uganda’s Personal Data Protection Office (PDPO) has determined that Meta Platforms Inc. And its subsidiary, WhatsApp LLC, are subject to Uganda’s data protection laws, even without a physical presence in the country. This decision, stemming from a complaint filed by Kampala-based Adlegal International Ltd, establishes a significant precedent for data sovereignty in Africa.
The Ruling and Its Implications
The PDPO’s ruling, announced on February 20, 2026, asserts that the act of collecting, analyzing, storing, and transferring personal data of individuals located in Uganda creates a jurisdictional link, obligating these companies to comply with the Data Protection and Privacy Act, 2019. This includes mandatory registration with the national regulator. Meta and WhatsApp had previously argued that their lack of incorporation or a physical footprint in Uganda exempted them from local regulatory oversight, a position the PDPO rejected.
A Broader Trend Towards Data Sovereignty
This decision aligns with global frameworks like the European Union’s General Data Protection Regulation (GDPR), which similarly applies to foreign technology firms operating across borders. Experts view this as part of a growing continental push toward asserting data sovereignty, shifting African nations from passive markets to active regulators in the digital ecosystem.
Why Data Sovereignty Matters
Data sovereignty is crucial for protecting the rights of citizens regarding their personal information – how it’s collected, stored, shared, and used. Weak data governance can lead to identity theft, financial fraud, and other harms. As digital financial services and e-government systems expand in Uganda, trust in these systems is paramount.
The Human Cost of Data Breaches
The PDPO’s action underscores the importance of accountability throughout the data lifecycle. Transparency in data collection, lawful processing, clear consent mechanisms, and safeguards for cross-border transfers are essential rights protections. Instances of mishandled personal information have already exposed Ugandans to harm, eroding trust in digital infrastructure.
Compliance as an Opportunity
Compliance with data protection laws should not be seen as a barrier to innovation, but rather as a means to build predictability, strengthen consumer confidence, and create a level playing field for responsible actors. Multinational platforms can improve public trust by engaging with local regulatory environments and strengthening local compliance mechanisms.
Looking Ahead
Uganda’s recent action represents a maturing regulatory approach, recognizing that digital markets operating within national borders must respect national legal standards. Continued enforcement, strengthened institutional capacity, and increased citizen education are vital for ensuring effective data protection in Uganda and across the African continent. As artificial intelligence and data-driven economies expand, the effective regulation of digital platforms will become increasingly important.