What is AI regulation in Uganda?

Uganda has no dedicated AI statute. As of mid-2026 it governs AI through existing law: the Data Protection and Privacy Act 2019, the Constitution's privacy guarantee, and sector regulators. The Ministry of ICT and National Guidance is drafting a National AI and Emerging Technologies Strategy, supported by an 11-member National AI Task Force, aligned with the African Union's Continental AI Strategy. The strategy is still pending, so AI duties currently flow from data protection and sectoral rules.

Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026

What this means

AI regulation in Uganda means the mix of laws, policies and institutions that govern how artificial intelligence is built, bought and deployed in the country. The defining feature is that there is no AI-specific law. Instead, AI is governed by general instruments that were written for data, computers and communications, plus the constitutional right to privacy.

The central instrument is the Data Protection and Privacy Act 2019, enforced by the Personal Data Protection Office (PDPO), which sits under the National Information Technology Authority Uganda (NITA-U). Because most AI systems process personal data, this law reaches a large share of AI activity even though it never mentions AI. Sector regulators (in finance, communications and health) and the Computer Misuse Act add further layers.

The forward-looking piece is policy, not statute. The Ministry of ICT and National Guidance is leading a National AI and Emerging Technologies Strategy, with AI as the flagship domain, guided by a National AI Task Force and the African Union's 2024 Continental AI Strategy. That strategy is being consulted on and finalised, but it is not yet a binding law.

Why it matters

For anyone deploying AI in Uganda, the practical point is that the absence of an AI law does not mean the absence of obligations. The duties that bite today come from data protection, sector rules and the Constitution, and they are being enforced. On 10 July 2025 the PDPO secured Uganda's first criminal conviction under the data protection law against a digital lender that misused a borrower's personal data, and on 18 July 2025 it ruled against Google, asserting that the law applies to any entity processing Ugandan citizens' data regardless of where it is based.

That extraterritorial reading matters for founders, operators and global vendors: if your model or service processes data about Ugandans, you may need to register with the PDPO, appoint a contact and document cross-border transfer safeguards, even with no local office. Policy direction also matters because a risk-based, sector-aware strategy is taking shape, and organisations that build governance now will adapt faster when the strategy lands. Getting this wrong risks criminal liability, fines and reputational harm in a market that is becoming more assertive about digital sovereignty.

How it works

The current model: govern AI through existing law

Uganda follows what the African Union and several analysts describe as governing AI through data protection and sector law rather than a single horizontal AI act. There is no AI statute and no AI-specific regulator. The architecture rests on four pillars: the Constitution, data protection law, sector regulation, and computer or cyber law. This places Uganda in the large group of African states that, as of 2025, had no binding AI legislation in force.

Constitutional foundation

Article 27 of the 1995 Constitution protects the privacy of the person, home, correspondence and communication. This is the root from which data protection law grows and the anchor for arguments about surveillance, automated decisions and biometric systems. Any AI deployment that touches personal data or monitoring engages this right.

Data protection law: the Data Protection and Privacy Act 2019

The Act (now also cited as Chapter 97) is the single most important instrument for AI today. It regulates the collection and processing of personal data by automated or other means, sets data protection principles, grants data subject rights (access, correction, objection, and the right to complain), and imposes duties on data collectors, controllers and processors. Where processing poses a high risk to rights and freedoms, the Act and the 2021 Regulations require a data protection impact assessment before processing begins, which is directly relevant to higher-risk AI. Registration with the PDPO is mandatory and renewable annually. Penalties include fines and imprisonment, with offences such as unlawful obtaining or disclosure carrying fines of up to 240 currency points (one currency point equals 20,000 shillings) or up to ten years' imprisonment; commentators note the regime can also reach administrative fines of up to 2% of gross annual turnover for serious breaches.

The Act applies inside Uganda and to entities outside Uganda that process Ugandan citizens' data. That extraterritorial scope was tested and affirmed in 2025.

Responsible institutions

The Personal Data Protection Office (PDPO) is the data regulator, established as an independent office under NITA-U and operationalised in 2021. It registers controllers and processors, investigates complaints and issues decisions. The Ministry of ICT and National Guidance holds the policy lead on AI and digital transformation; following a government rationalisation, NITA-U's functions are being mainstreamed into the Ministry. Sector regulators apply their own rules to AI used in their domains: the Uganda Communications Commission (UCC) in communications, the Bank of Uganda and capital markets and insurance authorities in finance, and the Ministry of Health in health.

Computer and cyber law

The Computer Misuse Act (2011, as amended) addresses unauthorised access, interception and related offences, and the Regulation of Interception of Communications Act governs lawful interception. Note an important recent change: in 2026 the Constitutional Court nullified the Computer Misuse (Amendment) Act 2022 and struck down several speech-related provisions for vagueness and a defective legislative process, which narrows the reach of that law.

The emerging strategy and institutions

The Ministry of ICT and National Guidance is developing a National AI and Emerging Technologies Strategy. It began as a Cabinet directive to draft an AI policy and was widened into an emerging-technologies strategy with AI as the flagship, covering AI, blockchain, cloud, big data and quantum computing. An 11-member National AI Task Force, bringing together expertise from government, academia and technical institutions, provides coordination and technical oversight; Dr Ambrose Ruyooka, Assistant Commissioner for Research and Development, is the National AI Focal Point and the designated UNESCO focal point. The strategy is being built through nationwide consultations and a UNESCO AI Readiness Assessment Methodology (RAM) process launched in February 2026, with Dr Joyce Nakatumba-Nabende, head of the Makerere University AI Lab, selected by UNESCO as Lead National Expert coordinating the assessment. The Ministry has signalled the strategy will address governance, ethical use, standards, infrastructure and investment, and align with UNESCO and OECD frameworks. Commentators report the direction is risk-based and sector-aware, drawing on the EU AI Act structure and standards such as ISO/IEC 42001, but this is policy intent, not enacted law.

Alignment with regional and continental instruments

Uganda's work is framed within the African Union's Continental AI Strategy, endorsed by the AU Executive Council in July 2024, which sets five focus areas (harnessing benefits, building capabilities, minimising risks, stimulating investment, fostering cooperation) and calls on member states to build national AI governance. Uganda also engages the East African Community's regional AI work and the UNESCO Recommendation on the Ethics of AI (2021). Uganda has not signed or ratified the AU's Malabo Convention on Cyber Security and Personal Data Protection, so its data regime is domestic rather than treaty-driven.

Examples

A foreign platform processing Ugandan data: In a decision dated 18 July 2025, the PDPO found Google in breach of the Data Protection and Privacy Act for failing to register and for not demonstrating adequate cross-border transfer safeguards. The case turned on "commercial nexus" after a November 2024 complaint by four Ugandan citizens; the regulator held that Google "collects, processes, and monetizes data from Ugandan users, thereby establishing a substantial and ongoing economic presence", so the law applied despite Google's lack of physical presence. Google was ordered to register, name a data protection officer and document its transfer compliance within 30 days, and later moved to comply. This shows how AI-driven global services are pulled into Ugandan law through data rules.

A digital lender misusing borrower data: On 10 July 2025, Uganda secured its first criminal conviction under the Act. Ronald Mugulusi, director of Nano Loans Microfinance Ltd (operator of the Quickloan app), pleaded guilty at the Makindye Standards, Wildlife and Utilities Court and was fined UGX 300,000 (about $80) for failing to register; he had misused a borrower's name, phone number and photograph in a threatening video, breaching the purpose limitation principle, and the complainant Michael Wonambwa was compensated through court-sanctioned reconciliation. The case warns that automated or app-based data practices, common in AI-enabled lending and scoring, carry criminal exposure.

A homegrown language model: On 11 October 2025 the non-profit Sunbird AI launched Sunflower (the open-source 14B and 32B models built on Qwen 3) covering 31 Ugandan languages, unveiled by Ministry of ICT Permanent Secretary Dr Aminah Zawedde at the AI for African Languages Conference. Sunbird AI reports the models "outperform existing systems, including ChatGPT and Gemini 2.5 Pro, on 24 out of 31 Ugandan languages." It illustrates the local innovation the strategy aims to support and the governance questions (data sourcing, accuracy, hallucination) that a future framework will need to address.

Common misunderstandings

"Uganda has an AI law." It does not. As of mid-2026 there is no AI-specific statute and no AI regulator. AI is governed through data protection, sector and cyber law.

"No AI law means no rules." Wrong. The Data Protection and Privacy Act, the Constitution and sector rules already impose enforceable duties on most AI that touches personal data, and they are being enforced.

"If we have no office in Uganda, the law does not reach us." The PDPO has held that the law applies to any entity processing Ugandan citizens' data, wherever it is based.

"The National AI Strategy is already in force." It is a draft policy under consultation and finalisation, not binding legislation. A strategy is soft policy direction, not a statute.

"Data protection compliance equals AI compliance." Data rules are necessary but do not cover everything an AI framework would, such as algorithmic transparency, automated decision-making safeguards or model risk classification.

Risks and boundaries

This page describes a jurisdiction in transition, so several boundaries apply. First, legal status: there is no enacted AI law, and the National AI and Emerging Technologies Strategy is pending, with finalisation timelines that have shifted; treat any date as provisional until the Ministry publishes the final text. Second, the data protection law does not address AI-specific issues such as algorithmic transparency, automated decision-making or model governance, so gaps remain that current law does not fill. Third, enforcement capacity is uneven: the PDPO has issued strong decisions but has acknowledged it cannot award compensation and faces practical limits against large global actors. Fourth, surveillance and biometric deployments raise live human-rights concerns that existing law addresses only partly. Finally, this article is general explanation, not legal advice; specific compliance design should be checked against the primary instruments and current PDPO guidance.

What to do next

Treat data protection as the operative AI rulebook today. If you build or deploy AI that processes Ugandan personal data, register with the PDPO, appoint a data protection officer or contact, and run a data protection impact assessment for higher-risk uses. Document the legal basis and safeguards for any cross-border data transfer, because the PDPO expects records available for inspection and reads the law extraterritorially.

Map your sector overlay. Financial, communications and health deployments attract additional regulator expectations; identify the relevant authority early.

Build governance that anticipates the strategy. Adopt risk classification, human oversight, transparency and bias testing now, drawing on recognised standards such as ISO/IEC 42001, so you can adapt quickly when the National AI and Emerging Technologies Strategy is adopted.

Track three triggers that would change your plan: publication of the final national strategy; any move from strategy to a binding AI bill; and new PDPO guidance or decisions. Until those land, the data protection regime remains the benchmark.

FAQs

Does Uganda have a dedicated AI law?

No. As of mid-2026 there is no AI-specific statute and no dedicated AI regulator. AI is governed through the Data Protection and Privacy Act 2019, the Constitution and sector rules.

What governs AI in the absence of an AI statute?

The constitutional right to privacy (Article 27), the Data Protection and Privacy Act 2019 enforced by the PDPO, sector regulators in finance, communications and health, and computer and cyber law.

Who regulates data and AI-related processing?

The Personal Data Protection Office (PDPO), an independent office under NITA-U, is the data regulator. The Ministry of ICT and National Guidance leads AI policy.

Does Ugandan law apply to companies based abroad?

Yes. The PDPO has held the Data Protection and Privacy Act applies to any entity processing Ugandan citizens' data regardless of physical presence, as in its 18 July 2025 decision against Google.

Is there a national AI strategy?

A National AI and Emerging Technologies Strategy is being developed by the Ministry of ICT, guided by an 11-member National AI Task Force and aligned with the AU Continental AI Strategy. It remains in draft and finalisation.

How does Uganda align with the African Union?

It frames national work within the AU Continental AI Strategy (2024) and engages the UNESCO AI ethics recommendation and East African Community AI initiatives. Uganda has not ratified the Malabo Convention.

What penalties apply under the data protection law?

Offences carry fines (measured in currency points, up to 240 currency points for several offences) and imprisonment of up to ten years, and serious breaches can attract administrative fines of up to 2% of gross annual turnover. Uganda recorded its first criminal conviction under the Act in July 2025.

Will Uganda adopt a risk-based AI model?

Officials and commentators indicate the emerging strategy leans risk-based and sector-aware, referencing the EU AI Act and ISO standards, but this is policy intent rather than enacted law.