Scroll Top


Legal Alert: Uganda Data Protection and Privacy Act, 2019


The Data Protection and Privacy Act, 2019 is a novel Act of Parliament that came into force on 1st March 2019. The Act was enacted into in order to operationalize Article 27 of the Ugandan Constitution, which deals with the right to privacy, which states that, “No person shall be subjected to interference with the privacy of that person’s home, correspondence communication or other property.”

A deeper theoretical analysis of the right to privacy leads us to the conclusion that the protection of privacy is grounded on the notion of human dignity and autonomy on one hand and social order on the other.

On May 25th 2018, the EU passed the General Data Protection Regulation (GDPR) to harmonise all data protection laws across all countries in the EU. The GDPR sought to give all citizens better control over their personal data and simplifying the regulatory environment for international businesses.

The GDPR is currently deemed as the global regulatory ‘gold standard’ for the protection of personal data. It has also been described as the global benchmark for the protection of personal data of consumers globally. (Source:

Flowing naturally, the Ugandan Data Protection and Privacy Act has borrowed heavily from the GDPR. Aspects such as some key definitions, the principles of data protection, the rights of the data subject and enforcement mechanisms mirror the GDPR.

According to Consumers International, more than half of African countries do not have existing data protection laws in place. Uganda is the first East African country with an enacted data protection law.  Other East African countries such as Kenya and Tanzania have Bills awaiting enactment.


The Data Protection and Privacy Act, 2019

Uganda’s Data Protection and Privacy Act applies to the collection, processing, holding or using of personal data within the territory of Uganda and in respect to persons in or outside of Uganda.

The aim of the Act was to protect the privacy of the individual and their personal data, to regulate the collection and processing of personal information, to provide for the rights of the persons whose data is collected, to provide obligations of data collectors and data processors. Additionally, to regulate the use or disclosure of personal information.

As for implementation and regulation the Data Protection and Privacy Act provides for the Personal Data Protection Office under the National Information Technology Authority. The regulatory authority is tasked with the implementation and enforcement of the Act. This includes, monitoring, investigating and reporting on the observance of the right to privacy. Receiving complaints and conducting investigations based on those complaints, as well as keeping raising public awareness about the Act. Its role also includes establishing and maintaining a data protection and privacy register.  (Source https:/ / system /files /legislation /act/ 2019/1/THE% 20DATA % 20PROTECTION  %20AND%20PRIVACY%20BILL%20-%20ASSENTED.pdf )

Notably the Act provides safeguards for the transfer of data out of Uganda’s jurisdiction. Additionally, the Act takes a liberal approach and provides for sanctions in the form of penalties for breach of the data subjects rights; this binds both natural and artificial persons.


Digital Uganda Vision and Vision 2040

The Government of Uganda has committed to a technological national policy and strategic framework known as the Digital Vision Uganda. This is in line with Uganda’s Vision 2040, which aims to strengthen the economy to give rise to more opportunities in the country.

The Vision aimed at building a digital society that is secure, sustainable innovative, transformative and to create a positive social and economic impact through technology based empowerment. The Government also aims at bringing all services online and safeguarding the citizens information as they access online services.

In line with furthering, the Digital Uganda Vision, the Data Protection and Privacy Act provides for various avenues to facilitate growth in the IT sector. To name a few examples in the Business Processing Outsourcing industry. The Act requires Ugandan players to comply with international standards, thus improving credibility and customer trust; this inevitably leads to more business.

Earlier on in the year, Uganda was ranked first in Africa and 44th in the world in the National Cyber Security Index with an index of 49.35 on a scale out of 100. In comparisons to Canada which was ranked at 37th with an index of 57.14. The first on the index was Czech Republic with an index of 90.91.The list also included the United States of America which was ranked at 29th with an index 63.64 and the United Kingdom was ranked 14th with an index of 75.32. Additionally, Italy ranked at 13th worldwide with an index of 76.62. This was as per a research conducted by the E-Governance Academy Foundation Company.



The Data Protection and Privacy Act is a step in the right direction for Uganda. It signifies Uganda’s eagerness to participate in the worldwide digital economy and promote digital transformation in all sectors.  Furthermore, understanding and promoting the importance of regulation in a digital, rapid, and ever changing world.


Mario Di Giulio
Kimberly Mureithi
Cheptum Toroitich


The contents of this publication is for informational purposes only. It is not intended to provide legal or other professional advice or opinions on specific facts or matters. Pavia e Ansaldo assumes no liability in connection with the use of this publication.