KENYA: THE OFFICE OF THE DATA PROTECTION COMMISSIONER ISSUES DECISIONS IN THE DETERMINATION OF COMPLAINTS

By Sharon Odeny, George Ndung'u, Ariana Issaias and Terry Mwango, Thursday, January 19, 2023

The Office of the Data Protection Commissioner (“ODPC”) has recently issued two decisions in which it determined the rights and liabilities of parties under the provisions of the Data Protection Act (“the Act”). We have summarised these decisions below, together with our predictions on the impact of the ODPC’s decisions on future complaints.

ODPC dismisses data protection complaint against former law firm employees

In one of its recent decisions, the ODPC dismissed a complaint alleging a breach of the Act. 

The complaint was filed by partners of the law firm, Wamae & Allen Advocates (“the Complainants”) on both the firm’s and its clients’ behalf. They alleged that one of the firm’s former employees, while in employment, sent sensitive confidential information to her personal email and to another former employee who had at the time left the firm’s employment (collectively, “the Respondents”). The documents allegedly shared included court documents, legal opinions, bank statements, and correspondences. The Complainants alleged that the Act prohibits data controllers and data processors from unlawfully disclosing personal data to third parties and that the Respondents had breached this provision. The Respondents contested that the firm was not registered as a data controller or a data processor at the time of filing the complaint and therefore the obligations of these roles did not apply in the present case, and that the court documents cited by the Complainants were public documents. The Respondents also argued that the firm’s clients were not data subjects under the Act since they were not natural persons.

The ODPC affirmed its jurisdiction on the basis that the complaint was properly filed and related to issues that fell within the Act. The ODPC rejected the Respondents' argument that it lacked jurisdiction because the firm had not registered as a data controller or processor: lack of registration does not relieve a data controller or data processor of its obligations under the Act (please also refer to our update on registration here). The ODPC also acknowledged that the Act defines a data subject and personal data by reference to a natural person, so that complaints regarding the data of corporate persons could only be addressed through notification of a data breach rather than by a complaint to the ODPC.

Ultimately, the complaint was dismissed on the principal basis that most of the documents cited by the Complainants were either not availed to the ODPC for inspection, so that the nature of the information disclosed could not be determined, or were already in the public domain. It was therefore impossible to determine whether there had been a breach as alleged by the Complainants. The ODPC carried out its own investigations and found that most of the documents cited as having been disclosed had been reported in relation to cases on the Kenya Law Reports website and other publicly available websites. On this point, the ODPC found that judicial records containing personal data are public records, the collection of which would not amount to a breach of the Act. In the end, the ODPC held that the Complainants had not shown how their own personal or sensitive data had been infringed in their capacity as data subjects.

Implication and conclusion

The take-homes from this decision are: 

  1. The protections under the Act on the filing of complaints accrue for the benefit of natural persons and not legal/juristic persons such as corporate entities.
  2. A data controller and a data processor need not be registered under the Act for the obligations in the Act to apply to them. Registration is a compliance requirement in and of itself.
  3. A complainant must avail all the documents it alleges to be the subject of a breach of the Act so that the ODPC can decide whether the documents contain personal data and whether there has been unauthorised disclosure.
  4. The ODPC has investigatory powers and, contrary to traditional Kenyan dispute resolution mechanisms, will not rely solely on the evidence produced by the parties in making its decision. It may collect and use its own evidence to determine any complaint pleaded before it.
  5. Information in judicial records is public in nature, and indirect collection of personal data contained in public records is permitted under the Act.

We anticipate that more complaints will continue to be investigated by the ODPC this year and that the ODPC will start to build jurisprudence over the tests for breaches of data protection laws and create legal thresholds for future complainants to surmount. 

ODPC issues its first penalty notice against Oppo Kenya

In its other decision, the ODPC issued its first penalty notice under the Act. An enforcement notice is served by the ODPC when it is satisfied that a person has failed, or is failing, to comply with the Act, requiring that person to take such steps within such period as may be specified in the notice. Where a person fails to comply with an enforcement notice, the ODPC may issue a penalty notice requiring the person to pay a specified amount.

The ODPC issued an enforcement notice against Oppo Kenya after it infringed the privacy of a complainant by using their photo on its social media platform without their consent, contrary to the Act. Having received no response from Oppo, the ODPC issued a penalty notice and indicated that Oppo had refused to cooperate by:

  1. Failing to adduce and/or develop a policy for compliance with the Act; and
  2. Failing to adduce a data protection policy pursuant to the Enforcement Notice issued and proof that it has developed an internal complaints mechanism to address data subjects’ complaints.

In the end, the ODPC penalised Oppo KES 5,000,000 for its failure to comply with the Act and its Regulations.

Implication and conclusion

The lessons from this decision are:

  1. The ODPC has started to take enforcement action, and there is an urgent need for data processors and data controllers to ensure compliance with the Act and its Regulations.
  2. Enforcement notices must be taken seriously to avoid the ODPC issuing penalty notices. Enforcement notices set out areas of non-compliance under the Act, and these are often remediable areas of a company’s operations and processes.
  3. The fine of KES 5,000,000 is a large sum and the highest available under the Act and its Regulations, meaning that the ODPC will not hesitate to impose high fines for breaches of the Act.
  4. The decision was reported in the media and posted by the ODPC on social media. The potential adverse reputational impact of publicly issued decisions should not be understated, and businesses should be aware of the reputational risk that may result from an adverse decision by the ODPC.

It is important to note that decisions of the ODPC may be appealed to the High Court for determination, and it remains to be seen whether the parties in these recent decisions will appeal the ODPC’s findings.

These decisions highlight the importance of ensuring that your legal advisors have a thorough and comprehensive understanding of the Act and the practical steps that you can take to ensure compliance.