Today, a Director of Nano Loans Microfinance Limited appeared before the Makindye Standards, Wildlife and Utilities Court, facing two charges under the Data Protection and Privacy Act, Cap. 97 and its Regulations. The charges include failure to register with the Personal Data Protection Office (PDPO) and processing personal data without consent.
The accused, whose identity has been withheld, pleaded not guilty to both charges. He has been remanded until Wednesday, April 30, 2025, pending a bail hearing.
It is alleged that between 2023 and 2025, the director along with other individuals still at large collected and processed a victim’s personal data, including his name, telephone number, and facial photograph, while operating digital money lending services without registering with the PDPO, as required by Section 29 of the Data Protection and Privacy Act and Regulation 15(1)(3)(4) of the 2021 Regulations.
It is further alleged that in July 2024, the company unlawfully processed the same personal data through a video recording without the victim’s consent, in violation of Section 7 (1) of the Act and Regulation 34 of the Regulations.
This occurred after the victim applied for a UGX60,000 loan via the Quickloan digital lending app, operated by Nano Loans Microfinance Limited. However, after deductions for processing fees, only UGX34,800 was disbursed. Upon the loan’s due date, the company’s agent sent the victim a WhatsApp message containing a video recording displaying his name, telephone number, and photograph, accompanied by a threat to upload it to TikTok if the loan was not repaid.
The victim reported the incident to the Personal Data Protection Office, which, together with the Criminal Investigations Directorate (CID), initiated investigations. Findings established that Quickloan is operated by Nano Loans Microfinance Limited, which is not registered with the PDPO, despite being a data collector and processor as defined by the law. The personal data in the video recording was processed without the victim’s consent.
Today’s matter sheds light on “borrower-shaming” tactics used by digital lending apps in a bid to expose borrowers to force loan repayment publicly. It also highlights a new privacy twist: the borrower did share his details to get the loan, but a company can’t reuse that data for a different purpose – like a humiliation video, which is not a valid legal justification as per the principles of the Data Protection and Privacy Act, Cap 97.
The Personal Data Protection Office (PDPO) is Uganda’s independent data protection and privacy regulator responsible for overseeing the implementation and enforcement of the Data Protection and Privacy Act Cap 97 and its Regulations through effective regulation and monitoring of the collection and processing of personal data in Uganda.
