On 10 July 2025, Uganda achieved a significant milestone in digital privacy enforcement with its first criminal conviction under the Data Protection and Privacy Act, 2019. The case arose from aggressive debt recovery practices by a digital lending company, Nano Loans Microfinance Ltd, where its Director created and disseminated a WhatsApp video containing a borrower’s photograph, name, and contact information, threatening public exposure on TikTok if the loan remained unpaid. Following the borrower’s complaint to the Personal Data Protection Office (PDPO), criminal charges were filed for operating without PDPO registration and for unlawful processing of personal data without consent.
The Standards, Utilities and Wildlife Court convicted the Director on the first count, imposing a fine and establishing a criminal record, while the second count was resolved through court-sanctioned reconciliation with compensation to the complainant.
This landmark decision signals a fundamental shift in how personal data violations will be treated across the region, with implications that extend far beyond Uganda’s borders.
The Precedent and Its Immediate Impact
The conviction established that unauthorized use of personal data for debt recovery constitutes a criminal offense, not merely a regulatory violation or civil wrong. The court further imposed criminal sanctions on the Director for operating without registration with the PDPO and for the unlawful processing of personal data without the consent of the data subject (the debtor).
Most significantly, the ruling transforms data protection from a compliance checkbox into enforceable criminal law. This shift has immediate implications for all sectors handling personal data, including financial services, telecommunications, healthcare, and e-commerce.
Reshaping Corporate Compliance Strategies
The decision has triggered an unprecedented compliance review across Uganda’s corporate sector. Organizations are now treating data protection as a boardroom priority, rather than solely an IT concern. The Act’s provision for administrative fines of up to 2% of gross annual turnover adds substantial financial incentive to ensure compliance.
Digital lenders in particular face significant operational changes. Common debt recovery practices such as sharing borrower information in WhatsApp groups or threatening public exposure now carry criminal liability. This risk applies to all industries where coercive use of data is employed.
Regional Implications for Data Protection Enforcement
Uganda’s conviction sets a compelling precedent for other jurisdictions. As East African countries work toward harmonizing their data protection regimes through regional initiatives, this enforcement action demonstrates that such laws can be meaningfully applied.
This is especially relevant in the context of the region’s rapid digital transformation. With mobile money usage exceeding 50% in several East African nations and digital financial services growing rapidly, robust enforcement is essential to ensuring data security and trust.
Practical Considerations for Businesses
Organizations operating in or processing Ugandan personal data should now prioritize the following:
- Immediate registration with the PDPO.
- Comprehensive consent mechanisms in line with statutory requirements.
- Review of all data processing activities, especially in customer communications and debt recovery.
- Board-level oversight of data protection compliance.
- Routine compliance audits to identify and address potential risks.
Given the criminal nature of violations, directors and senior managers now face personal liability, fundamentally altering the corporate risk landscape.
The Enforcement Landscape Going Forward
The Personal Data Protection Office has demonstrated its readiness and ability to enforce data protection laws through criminal prosecution. This marks a departure from a past approach focused on administrative enforcement.
According to the Acting National Personal Data Protection Director, this conviction represents the beginning of more assertive enforcement, not an isolated incident. Organizations should prepare for increased regulatory oversight, routine compliance checks, and swift action in response to breaches.
Implications for Cross-Border Data Flows
For multinational businesses, Uganda’s enforcement action raises serious considerations about data localization and cross-border data transfers. Companies must now ensure that their global privacy policies align not only with regulatory standards but also with Uganda’s criminal legal framework.
This is particularly critical for organizations using centralized data processing systems or cloud platforms that store or handle Ugandan data. The risk of criminal liability may necessitate restructuring data flows and governance frameworks to meet local standards.
Conclusion: A Watershed Moment for African Data Protection
Uganda’s first data protection conviction marks more than a legal first—it is a turning point in Africa’s digital privacy landscape. It affirms that digital rights are now enforceable, with real legal consequences for those who violate them.
For businesses, the message is clear: compliance is no longer optional. For individuals, the case provides meaningful assurance that their personal data is protected under the law.
As Africa continues its digital evolution, this case demonstrates that economic growth and data protection can go hand in hand. It sends a strong signal to other jurisdictions: data protection enforcement is not only necessary but achievable and will be crucial in fostering public trust in the continent’s digital economy.
Authors:Alice Namuli Blazevic (Partner) and Patrick Mugalula (Senior Associate) at LEX Africa member Katende, Ssempebwa & Company in Uganda. Alice and Patrick and be contacted directly onanamuli@kats.co.ug and pmugalula@kats.co.ug respectively or for more information visit https://www.kats.co.ug/
