When Yes means No – A Look at Kenya’s evolving Data Protection Framework

Privacy is a fundamental human right and is central to the protection of human dignity. In its simplest form, the right to privacy allows each human being to be left alone in a core that is inviolable. As we continue to celebrate Data Privacy Day, we look at key takeaways from recent decisions issued by the Office of the Data Protection Commissioner (ODPC) as data protection jurisprudence continues to evolve in Kenya.

Background

The ODPC has taken proactive steps to protect the right to privacy of data subjects since its establishment in 2019. The ODPC’s key determinations in 2023 expounded on the principles of consent, issues around the transfer of personal data, and vicarious liability for data breaches.

Consent as the Cornerstone of the Right to Privacy

Consent is one of the lawful bases for the processing of personal data. In 2021, the ODPC published a Guidance Note on Consent to guide data subjects and entities on the meaning and features of consent. The ODPC’s enforcement actions against unauthorised harvesting of personal data from third parties and unauthorised use of images of data subjects illustrated the ODPC’s commitment to imposing sanctions for breaches of consent requirements under the Data Protection Act (DPA).

For consent to be a lawful basis for the processing of personal data, the data subject must be offered control and a genuine choice: accepting or declining the terms offered, without suffering detriment for declining. In 2023, the ODPC evaluated the implications of consent as a condition to access financial benefits, and the effect of invalid consent on transfers of personal data outside of Kenya. The ODPC also left the door open on the circumstances in which employers may be found vicariously liable for data breaches by employees.

Despite the ODPC’s publication of the guidance note, consent continues to be a misunderstood principle under the DPA. In particular, the ODPC clarified that where consent is a pre-condition for access to a financial benefit, the consent may be invalid because of the coercive effect of the condition imposed.

2023 Enforcement Actions for Unauthorised Contact and Unauthorised Use of Images

The ODPC issued penalty notices to three data controllers on 26 September 2023 for failing to observe data privacy rights and obligations under the DPA:

  1. Mulla Pride Ltd, a Digital Credit Provider (DCP) which operates the KeCredit and Falcrash mobile lending apps, received a penalty notice of KES 2,975,000 (approx. USD 18,310) for using names and contact information obtained from third parties to send threatening messages and make threatening phone calls;
  2. Casa Vera Lounge, a restaurant based along Ngong Road in Nairobi, was fined KES 1,850,000 (approx. USD 11,385) for posting a patron’s image on its social media platform without the data subject’s prior consent; and
  3. Roma School, an educational institution based in Uthiru, was fined KES 4,550,000 (approx. USD 28,010) for posting images of minors without parental consent.

The Worldcoin Project

The events surrounding the Worldcoin project made headlines last year, prompting the ODPC to initiate its own suo moto investigation into the activities surrounding the project. The project, run by the Tools for Humanity Corporation (TFH) and the Worldcoin Foundation, entailed the scanning of data subjects’ irises in exchange for a digital ID and digital tokens worth KES 7,000. The investigation looked at whether the processing of personal data, which included an iris scan, facial image, name, date of birth, age range, and gender, was lawful. In its determination, the ODPC evaluated whether TFH and the Worldcoin Foundation obtained proper consent for the processing of sensitive personal data and whether the transfer of personal data outside Kenya complied with the DPA and the regulations.

In its determination published in September 2023, the ODPC found that the consent obtained by TFH and the Worldcoin Foundation was invalid. According to the ODPC, by making Worldcoin tokens conditional on consent to process biometric data, TFH and the Worldcoin Foundation exerted influence upon the data subject’s expression of free will, thereby invalidating consent as a lawful basis for processing personal data. On the transfer of personal data out of Kenya, the ODPC found that the transfer of the Kenyan data subjects’ sensitive personal data out of Kenya was unlawful because the consent was invalid.

In its analysis, the ODPC held that TFH and the Worldcoin Foundation did not demonstrate that they had met the requirement of express consent as a basis for transferring personal data out of Kenya. According to the ODPC, explicit consent should be given after a complete, forthright, and clear disclosure of the type of data collected, the purpose of collection, how it is secured, and why consent is important. Once the data subject has read and appreciated the risks of the transfer of sensitive personal data, they need to do more than just tick a box: the data subject must give an express statement of consent.

Vicarious Liability and Employee Liability for Personal Data Breaches

In addressing data breaches arising in the course of an individual’s employment, the ODPC cautioned that nothing in the DPA excludes the possibility of vicarious liability for employers due to their employees’ conduct, and that each case will be determined on its own facts.

In Pauline Muhanda v Safaricom PLC, ODPC Complaint No. 1212 of 2023, the ODPC had to deal with the issue of whether an employer can be vicariously liable for an employee’s misconduct under the DPA. In this case, an advocate discovered that her MPESA transaction statements had been produced in court in a matter where she and her law firm had been under private investigation. The MPESA statements had been disclosed by an employee of Safaricom PLC who had access to them in her ordinary course of work. She had disclosed the MPESA statements without the complainant’s consent or a court order compelling Safaricom to disclose them.

The ODPC found the employee personally culpable for disclosing the complainant’s MPESA statements. It explained that the fact that her employment at Safaricom gave her the opportunity to access personal data was not, by itself, sufficient to impose vicarious liability on Safaricom as her employer for her wrongful act.

Key Takeaways from the Decisions Highlighted

The above decisions demonstrate that the ODPC is vigilant and actively enforcing the provisions of the DPA. In addition, consent is the bedrock of processing personal data. Consent may be found to be an invalid basis for processing data where the data subject does not have control or is influenced to accept the terms of any action. Employers should continue to put in place robust safety and security measures to ensure that their employees comply with the DPA. This requires, amongst other things, appropriate policies for all staff to adhere to as well as regular training and retraining on the principles of data protection, as employers can become vicariously liable for their employees’ data breaches.

--

Read the original publication at ALN.