Why WhatsApp has been directed to stop processing Ugandan users data

____________________

OPINION

By Joel Basoga and Baraka A. Wanyanga

On Friday, 20th February 2026, Uganda’s Personal Data Protection Office (PDPO) delivered a landmark ruling against WhatsApp LLC and its parent company, Meta Platforms Inc., in a decision with significant implications for intra-group and cross-border data transfers.

The case stemmed from a complaint by AdLegal Uganda, a consumer protection advocacy group, challenging WhatsApp’s updated 2021 privacy policy. The complaint alleged that the policy permitted the sharing of data belonging to approximately 10 million Ugandan users with Meta without the freely given, informed, and explicit consent required by law. It further accused WhatsApp of collecting excessive data, offering weaker protections to Ugandan users compared to other jurisdictions, and transferring data abroad without adequate legal safeguards.

In its decision, the PDPO upheld the core complaints, finding the January 2021 privacy policy in breach of the Data Protection and Privacy Act. While the regulator accepted that data processing essential for core messaging and security was lawful, it ruled that WhatsApp failed to justify additional data collection for analytics and ecosystem integration, thereby violating the data minimisation principle.

The policy was also found to lack a clear link between the categories of data collected and the specific purposes and legal bases for their processing. These structural shortcomings, the PDPO concluded, fundamentally undermined users’ ability to exercise informed control over their personal information. Furthermore, the Office determined that transferring user data outside Uganda was done without sufficient evidence of compliance with statutory safeguards for cross-border data flows.

A pivotal aspect of the ruling was the PDPO’s decision to join Meta Platforms Inc. to the proceedings. This was justified not on the basis of its ownership of WhatsApp alone, but on the factual reality disclosed in the privacy policy: that user data collected by WhatsApp is shared with Meta, making them an integral part of the data-sharing ecosystem. Consequently, any remedial orders would be consequential for Meta. This nuanced position, while pragmatic, raises complex questions.

It appears to create an exception to the principle of separate corporate personality, potentially opening the door for liability against any third-party service provider, such as an independent hosting company, simply because data is shared with them. The decision leaves unclear where the line will be drawn in future cases.

The ruling builds on the precedent set in Ssekamwa and Ors v Google LLC, which first saw the PDPO address cross-border transfers. Consistent with that case, the PDPO reaffirmed that corporations must demonstrate that recipient countries offer data protections equivalent to those mandated by Ugandan law.

However, this decision broke new ground by substantively defining "material harm" in the data privacy context. The PDPO expanded the definition beyond physical or economic injury to include harms to autonomy, self-determination, and dignity. Although it found that WhatsApp’s conduct did not cause material harm in the traditional sense, it held that the structural deficiencies in transparency and control "materially impaired the statutory conditions necessary for fully informed user control and informational self-determination."

Implications for Business

The ruling carries profound implications for multinational corporations operating in Uganda. Firstly, where a group structure involves data sharing between a subsidiary and its parent, the parent company may be joined to proceedings.

Claims of corporate separateness will be viewed with scepticism if the factual circumstances demonstrate an integrated data value chain.

Secondly, entities engaged in cross-border data transfers must ensure that the recipient countries provide protections equivalent to those under Ugandan law. Finally, the decision underscores that global companies must tailor their privacy policies to Uganda’s specific legal requirements, or risk enforcement action, including fines and potential imprisonment for responsible officers.

The decision remains subject to appeal, but for now, it stands as a clear warning to parent companies deeply integrated in their subsidiaries’ data operations: heed local compliance requirements or face the likely consequences.

The writers Joel Basoga and Baraka A. Wanyanga are from H&G Advocates tmt@handgadvocates.com