Law: Data Protection and Privacy Act 2019 (the Act) and the Data Protection and Privacy Regulations, 2021 (the Regulations)

Regulator: The Personal Data Protection Office (PDPO) within the National Information Technology Authority - Uganda (NITA-U)

Summary: The Data Protection and Privacy Act, 2019 (the Act) was passed in 2019 and takes a relatively comprehensive approach to data protection, which mirrors the UK Data Protection Act, 1998. In particular, the Act provides for a data protection and privacy register, notable powers for the National Information Technology Authority - Uganda (NITA - U), and processes for the investigation of complaints relating to the infringement of data subject rights under the Act. In addition, the Act establishes consent as a central principle, specifies conditions for consent relating to minors as well as other special categories, and, notably, has extraterritorial scope and may apply to entities outside Uganda. The Data Protection and Privacy Regulations, 2021 (the Regulations), which were published in the Official Gazette on March 12, 2021, and provide for the establishment of the Personal Data Protection Office within NITA-U. The Regulations also establish a registration obligation for data collectors, controllers, and processors. Another key law in Uganda is the Computer Misuse Act 2011 which, among other things, criminalizes any unauthorized disclosure of personal data and confidential information.