Data protection compliance in Kenya: ODPC issues penalty notices to three data controllers

Data protection in Kenya is regulated by the Data Protection Act, 2019 (the Act). The Office of the Data Protection Commissioner (the ODPC) is mandated to ensure compliance with the Act.

The ODPC issued Penalty Notices to three data controllers in late September 2023 for failing to comply with the provisions of the Act on processing of personal data of data subjects. The ODPC has imposed fines ranging from Kshs.1,850,000/= to Kshs.4,550,000/= on three businesses including a school for various breaches of the Act.

The Act and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the Regulations) enable the ODPC to investigate complaints by data subjects and make a determination on the findings of investigations. One of the remedies for violation of the Act and the Regulations is the issuance of a Penalty Notice imposing an administrative fine of up to Kshs.5,000,000/= where a data controller and/or data processor fails to comply with an enforcement notice issued under the Act.

Protection of minors

Of the three data controllers, the school received the highest fine of Kshs.4,550,000/= which is a little shy of the maximum fine of Kshs.5,000,000/=. The school has been fined for posting images of minors without parental consent in breach of the provisions of the Act. The Act requires data controllers and data processors to obtain the consent of a parent or guardian before processing personal data relating to a child. This includes their image. Such processing must also be in the best interests of the child as enshrined in the Constitution and the Children Act.

Use of images without consent

The ODPC has also imposed a fine of Kshs.1,850,000/= on a restaurant in Nairobi for posting the image of one of its data subjects on the restaurant’s social media platform without the consent of the data subject. The Act expressly prohibits the processing of personal data of a data subject where their consent has not been obtained. It is upon the data controller and/or data processor to prove that they obtained the consent of the data subject before processing their personal data.

According to the ODPC Guidance Note on Consent, consent must be express, unequivocal, free, specific and a clear agreement by the data subject to have their personal data processed. Protection of image rights under the Act is in line with Article 31 (c) of the Constitution which protects the privacy of information relating to a person’s private affairs which is ultimately intertwined with the right to dignity. This has been confirmed by the Kenya High Court in Joel Mutuma Kirimi & Another v National Hospital Insurance Fund (NHIF) [2020] eKLR. Consent does not however waive the obligations of data controllers and/or data processors under the Act. Data controllers and data processors must therefore ensure that processing of personal data is in line with all the other requirements of the Act and any other laws.

Collection of personal data to be direct

Finally, the ODPC has fined a Digital Credit Provider (DCP) Kshs.2,975,000/= for using contact information obtained from third parties without the consent of the data subjects. The DCP used the contact information to send threatening messages and phone calls to the data subjects as part of its debt recovery processes.

The Act requires data controllers and processors to collect personal data directly from a data subject unless the personal data is contained in a public record or the data subject consents to collection of their personal data from another source. Even where a data subject consents to collection of their personal data from another source, such collection should not harm the interests of the data subject. The relatively high fine imposed on the DCP is meant to deter data controllers and processors and particularly DCPs from processing personal data of third parties without their consent. DCPs have in the past been subject to several concerns and complaints of breach of privacy of third parties.

In conclusion, businesses should ensure that collection and processing of personal data is done in line with the provisions of the Act or risk penalties by the ODPC. For more information on data protection in Kenya please reach out to us.