Google folds for Uganda

also ft the rise and rise of AI-powered fraud

CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.

HIGHLIGHTS

Google folds for Uganda

This week, the headline, straight from Condia, is that Google LLC agrees to comply with Uganda’s data privacy law. "Agrees" is one word for it, although "was ordered to" is perhaps more accurate. After an extended legal skirmish with the Ugandan Personal Data Protection Office (PDPO), Google, a company that operates on the premise that global rules are, at best, suggestions, has been forced to acknowledge that its services, which harvest crucial data, make it a local entity for regulatory purposes.

If you're a major international tech company, there typically are two ways data from Africa and most of the developing world has been treated. The first is a global privacy policy approach, where the company acknowledges they operate globally, says "our one-size-fits-all policy is GDPR-compliant, so you're fine," and then proceeds to do whatever they were going to do anyway. Historically, this worked because, frankly, the local regulatory state either didn't exist or was under-resourced and largely ignored. Data was a free-range commodity, collected and processed, then immediately transferred out of the country to servers in Ireland, the US, or Singapore for use in global models and targeted ads. In this model, data is an extractive resource, flowing from the periphery to the core (i.e., from Kampala to Mountain View) without local oversight.

The second is more fun. Google’s whole legal argument in Uganda was, "Well, we are not domiciled here, so the law does not apply to us". Sure, they admitted to providing services and collecting data, but they argued the Uganda Data Protection and Privacy Act (DPPA) only applies to controllers and processors "domiciled in Uganda". The Ugandan PDPO pointed to the DPPA's extra-territorial reach, which, like most global data policies, explicitly applies to any person outside the country who collects or processes personal data relating to its citizens. 

Like many modern data laws (and heavily borrowing from the EU's GDPR, because, of course), the Uganda Data Protection and Privacy Act was intended to operationalize the constitutional right to privacy in Uganda and provide a clear framework for regulating the collection and processing of personal data. It requires every data controller and collector (which Google was declared to be, not merely a processor) to register with the PDPO. Google tried to argue that because the PDPO hadn't yet issued a gazetted notice of exemptions, the mandatory registration rule was "rendered inoperative". This is high-level corporate lawyering trying to find a loophole in administrative procedure. The PDPO, citing a prior High Court decision, politely replied that the general rule is mandatory until an exemption is actually invoked. The burden is on Google to comply, not on them to carve out exceptions. 

The PDPO acknowledged it doesn't have the authority to award compensation (the complainants sought damages for distress), leaving that to a competent court.

As we’ve covered several times, this isn't just about Google and Uganda. This is how the whole thing is changing across the continent. Africa is no longer the regulatory Wild West it was a decade ago.

Uganda is just one of many African countries that have been enforcing data protection laws. This year, South Africa has also dragged Google to court, as well as Meta, which has also been taken to court in Nigeria. 

In almost all these cases, extra-territorial scope and mandatory local registrations remain pertinent issues.

Africa in Sumsub fraud report

We are currently reading the Sumsub Identity Fraud Report, which, like every other fraud or security report this year, yaps a lot about the new AI frontline. The report identifies a "Sophistication Shift" driving fraud from high-volume, low-effort scams to fewer, sharper, and more damaging attacks driven by AI and professionalized fraud rings.

Africa received the lowest score globally on the Sumsub 2025 Global Fraud Index (an average regional score of 3.84, compared to the global average of 2.79). This means that relative to the rest of the world, African countries have the weakest policy, infrastructure, and resource capacity to fight sophisticated digital crime.

Africa's overall fraud rate increased by +9.3% between 2024 and 2025. Countries saw massive surges in sophisticated biometric fraud, with deepfake incidents growing by 269% in South Africa and 317% in Tanzania. Nigeria saw a massive -54% decrease in overall fraud rate (due to aggressive state efforts like SIM-ID crackdowns). Meanwhile, Tanzania recorded the highest rate in the region at 5.0%. 

This whole fraud report feeds perfectly into the AI-powered security craze 

FEATURE

  • Submarine fiber-optic cables, which carry over 95% of the world's international internet traffic, are facing a combination of rising physical and geopolitical threats that severely jeopardize global connectivity. Historically, most cable breaks were accidental (fishing trawlers and ship anchors), but this article highlights a severe increase in state-sponsored sabotage risk, from nations like Russia and China, particularly in geopolitical flashpoints like the Baltic Sea and the Taiwan Strait.

HEADLINE

ACROSS THE WORLD
