The Office of the Data Protection Commission (ODPC) is set up under the Data Protection Act, 2019 vide its part (ii) to regulate personal data processing in Kenya. The Data Commissioner heads the ODPC. Her powers include investigation of complaints made under the Act and imposition of fines.
The Data Commissioner has been hailed for the bold steps she has taken to ensure compliance with the Data Protection Act, anchored towards the realization and upholding of the right to privacy as instructed and intended by the Constitution of Kenya, 2010. Some of the recent landmark moves that have stirred up and attracted debate on data protection through the legal lens in Kenya can be summarily discussed as follows:
Pursuant to sections 62 and 63 of the Data Protection Act, 2019 and Regulations 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, on the 26th of September the Office of the Data Protection Commissioner issued, vide a press release, three penalty notices totaling Kshs. 9,375,000 to three data controllers for failing to observe the data privacy rights of data subjects and for not complying with the Data Protection Act.
Mulla Pride Limited, a digital credit provider which operates the KeCredit and Faircash mobile lending apps, was the first data controller, and received a penalty of KES 2,975,000. The digital credit provider was found liable for using names and contact information of the complainants which were obtained from third parties and subsequently used to send threatening messages and make threatening phone calls. This penalty serves to ensure that digital lenders and financial institutions notify data subjects when collecting and processing their data, and of the intention of processing the said data. It will further ensure that data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data.
The second data controller that the Data Commissioner penalized was Nairobi’s Casa Vera lounge. It was fined Kshs 1.8 million for using a reveler’s image without consent. According to the Data Commissioner, the popular club located along Ngong Road shared the reveler’s image on its social media pages. In levying the penalty, the Data Commissioner added that it seeks to ensure that other lounges and clubs, amongst others, seek consent from their customers prior to posting.
This decision has been met with mixed reactions across all divides, whether in the legal field or not. Quite a number propose that an entity, whether a pub, school, photographer, etc., should individually obtain signed consent forms from its customers in order to publish their photos. It is notable that some have disclaimer notices, which have themselves been construed as a violation of the Public Order Act since they purport to give, or impliedly give, clients what has been termed a “photography curfew”. A section of the club owners tends to believe that such notices carry as much supremacy as is accorded to the Constitution, which enshrines the Bill of Rights.
Roma School, a learning institution, was fined a sum of KES 1,850,000 for posting minors’ pictures without parental consent. This has equally served as a wake-up call to schools and other institutional bodies handling minors’ personal data to obtain consent from parents/guardians prior to processing minors’ data, considering it is the first and highest penalty imposed on an educational facility.
The office has also conducted a compliance audit on WhitePath (a digital credit provider) and an inspection on Naivas Supermarkets on a recent data breach, and is yet to give out its findings on the same.
All the above is in tandem with the provisions of the Data Protection Act which under part (viii) empowers the data commissioner to undertake such enforcement and compliance measures. Under Kenyan law, firms are required to comply with the Data Privacy Rights Act and the Data Protection Act.
On the face of it, these stern measures can be construed as great attempts to breathe life into the right to privacy by showing the practical consequences associated with data privacy. The decisions arrived at have implications for data controllers at large. It is observable that the consequences of non-compliance where minors are involved are markedly higher, as seen from the penalty imposed on Roma School. The gravity of the penalty in this instance is higher than that imposed on Casa Vera since the rights of minors are involved. This is in line with the Data Protection Act, which places more restrictive requirements on the processing of any personal data relating to minors as compared to other types of personal data.
Aside from the satisfaction of seeing justice served on privacy violators, complainants may also be compensated if the Data Commissioner so orders. If the Data Commissioner does not issue compensation orders, the complainants may still file lawsuits seeking compensation for any resulting damage. Any financial loss or distress suffered as a result of the violations is considered damage. Compensation limits are set at the discretion of the courts and the Data Commissioner. In other words, no law specifies the maximum monetary compensation for privacy violations.
In conclusion, the 2023 ODPC press release will to a large extent work towards compliance with the Data Protection Act. This is because businesses and other entities found culpable of violations could also be liable for damages in civil proceedings arising from the infringements of rights of data subjects under the DPA as well as image rights.
By David Odero,
Lawyer; Oseko Advocates LLP.