The Quickloan privacy violation marks a significant milestone for data protection enforcement in Uganda, demonstrating that non-compliance carries real consequences. In July 2025, Uganda’s Personal Data Protection Office (PDPO) secured its first-ever criminal conviction under the Data Protection and Privacy Act, 2019 (DPPA). The conviction was against a director of Nano Loans Microfinance Ltd for misusing borrowers’ data for debt collection, processing data without consent and failing to register with the PDPO. It sends a strong warning to fintechs and digital lenders about the risks of mishandling personal information.

What happened

The PDPO successfully prosecuted Ronald Mugulusi, director of digital lending company Nano Loans Microfinance Ltd, operator of the Quickloan app, for two violations committed between 2023 and 2025. Mugulusi had failed to register his company with the PDPO and had ignored the PDPO’s invitations to engage with him on compliance. This led to the criminal investigation, which resulted in a plea bargain entered into before the Makindye Standards, Wildlife and Utilities Court. The court then fined Mugulusi UGX 300,000.

The second offence arose from a complaint lodged by Wonambwa Michael, a customer of Nano Loans. The complaint involved Mugulusi’s misuse of Michael’s personal information (name, phone number and photograph), which had been recorded in a video and sent via WhatsApp as a threat. The message warned that the lender would publish his data on TikTok to publicly shame him if he failed to repay his loan. The PDPO clarified that using personal information to intimidate borrowers violated the purpose limitation principle under the Act.

Ultimately, the complainant and Mugulusi reached a court-sanctioned reconciliation under Uganda’s Magistrates Courts Act and Judicature (Reconciliation) Rules of 2011, resulting in compensation and a stay of further proceedings.

Compliance failings

This case reflects critical compliance gaps:

  • The organisation failed to register as a data controller or data processor under the DPPA.
  • It processed personal data without a valid legal basis, such as consent or legitimate interests.
  • It ignored repeated regulator engagement and guidance.
  • It had no clear internal safeguards to prevent misuse of data by employees or management.
  • The organisation used personal data in ways that caused harm and violated the rights and freedoms of the data subject.

Consequences

The Quickloan privacy violation is more than a first conviction – it’s a signal of intent from the PDPO. The case demonstrates that:

  • The PDPO no longer tolerates non-compliance and is willing to prosecute.
  • The regulator has placed fintechs, mobile lenders, and digital platforms under increased scrutiny.
  • It now clearly recognises the use of personal data for public shaming as unlawful, especially in debt recovery.
  • The PDPO rejects ignorance of its guidance as a defence. If you process personal data, the law expects you to understand it and apply it.

Key takeaways

The key takeaway from the Quickloan conviction is that non-compliance with Uganda’s data protection law (or any other jurisdiction’s data protection law) can lead to criminal consequences, especially for company directors. To avoid similar legal and reputational risks, we recommend taking these practical steps:

  • Register with your jurisdiction’s regulatory authority as a data controller or processor in terms of the relevant data protection law.
  • Establish a lawful basis for processing before collecting or using personal information and make sure it aligns with the specified purpose.
  • Conduct awareness training sessions for all staff. Personnel involved in the handling of personal data should know what data they can lawfully use and how.
  • Never use personal information to shame or pressure customers. It’s unlawful and erodes trust.
  • Implement robust internal controls and safeguards that prevent the misuse of personal data.
  • Engage with the regulatory authority early. If you’re contacted by your regulator, respond constructively. Ignoring guidance may escalate matters unnecessarily.