Uganda does not implement any de minimis threshold, which is the minimum value of goods below which customs do not charge duties. However, it is reported that there is an informal threshold of USD 50.

The Electronic Transactions Act provides a comprehensive framework for consumer protection that also applies to online transactions. Sections 24-28 set consumer protection requirements for ICT suppliers, including providing relevant information such as the legal names, addresses of the supplier(s), price, description, and applicable warranties of products, as well as provisions for cancellation of electronic transactions.

Uganda has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Uganda has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Uganda has adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

The Investment Code Act (ICA) underscores the importance of the Government’s national content policy and the Buy Uganda Build Uganda (BUBU) policy, which requires foreign investors to use local services, raw materials and labour. Under the ICA, investment licenses carry specific performance conditions varying by sector, such as the use of Ugandan goods and services to the greatest extent possible. Section 17 provides for the requirements for application of an investment licence, including local content requirements which every investor must meet before an investment certificate can be issued.

Section 19 of the Data Protection and Privacy Act stipulates that in the event that a data processor or data controller based in Uganda processes or stores personal data outside Uganda, the data processor or data controller must ensure that the country in which the data is processed or stored has in place adequate measures for the protection of personal data at least equivalent to the protection provided for by this Act, or that the data subject has consented. In addition, Regulation 30 of the Data Protection and Privacy Regulations provides further details, including that any personal data processed outside Uganda shall not be further transferred to or processed in a third country without the express consent of the data subject.

Uganda has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Data Protection and Privacy Act provides a comprehensive regime of data protection in Uganda. It, in particular, provides for a data protection and privacy register and processes for the investigation of complaints relating to the infringement of data subject rights under the Act. In addition, the Act establishes consent as a central principle, specifies conditions for consent relating to minors as well as other special categories, and, notably, has extraterritorial scope and may apply to entities outside Uganda.

Section 7 of the Data Protection and Privacy Act provides that, where necessary for the proper performance of a public duty by a public body, cases of national security or for the prevention, detection, investigation, prosecution, or punishment of an offence or breach of law, or for medical purposes, the public authority may collect data even at the objection of the data subject. It is not clarified whether a court order is needed.

The Regulation of Interception of Communications Act of 2010 introduces obligations to intermediaries to collect customer information (names, addresses, ID numbers), install surveillance equipment, and disclose information to authorities when presented with a warrant. It is, however, reported that state security agents violated such provisions in 2018 when security agents stormed a telecom provider’s data centre without a court warrant.
In addition, intermediaries are obliged to assist “the monitoring centre” and ensure that their services can render real-time interception. Failure to assist the monitoring centre is an offence that, upon conviction, may result in a fine, imprisonment for up to five years, or cancellation of the intermediary license. In addition, an application for interception can be made orally before a judge as long as the written application follows within 48 hours of the oral application.

The Electronic Transactions Act No. 8 of 2011 establishes a safe harbour regime for intermediaries for copyright infringements. According to Section 29 of the Act No. 8 of 2011, a service provider is not subject to civil or criminal liability with respect to third-party material, which is in the form of electronic records to which it merely provides access. This is provided that the intermediary is not directly involved in the making, publication, dissemination, or distribution of the material or a statement made in the material or the infringement of any rights subsisting in or in relation to the material. In addition, pursuant to Art. 30 of the Act, service providers are not liable for infringement for referring or linking to a “data message or infringing activity” if the service provider is unaware of the infringement, does not receive financial benefit from the infringement, and “removes or disables access to the reference or link to the data message or activity within a reasonable time after being informed that the data message or the activity relating to the data message infringes the rights of the user.”

The Electronic Transactions Act No. 8 of 2011 establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Section 29 of the Act No. 8 of 2011, a service provider is not subject to civil or criminal liability with respect to third-party material, which is in the form of electronic records to which it merely provides access. This is provided that the intermediary is not directly involved in the making, publication, dissemination, or distribution of the material or a statement made in the material or the infringement of any rights subsisting in or in relation to the material. In addition, pursuant to Art. 30 of the Act, service providers are not liable for infringement for referring or linking to a “data message or infringing activity” if the service provider is unaware of the infringement, does not receive financial benefit from the infringement, and “removes or disables access to the reference or link to the data message or activity within a reasonable time after being informed that the data message or the activity relating to the data message infringes the rights of the user.”

Section 9 of the Regulation of Interception of Communications Act obliges all telecommunication service providers to ensure that, before they enter into a contract with any person for the provision of telecommunication services, such a person is duly registered. Every person who purchases a SIM card for telecommunications or internet services is required to register their personal details.

The Regulation of Interception of Communications Act of 2010 introduces obligations to intermediaries to install surveillance equipment, assist “the monitoring centre”, and ensure that their services can render real-time interception. Failure to assist the monitoring centre is an offence that, upon conviction, may result in a fine, imprisonment for up to five years, or cancellation of the intermediary license.