Data Hub
Data protection trends, enforcement in Kenya
Monday February 20 2023
It has been just over three years since the Kenyan Data Protection Act 2019 (“DPA”) was enacted.
Its implementation has moved at a brisk pace with, among other things, the establishment of the Office of the Data Protection Commissioner, the introduction of supplementing laws, sustained public awareness campaigns and most recently, regulatory action and enforcement.
Last month’s International Data Privacy Day provided an opportunity to reflect on some of the recent enforcement trends locally and abroad and their implications for data controllers and processors in Kenya in 2023 and beyond.
One of the mandates of the ODPC is to conduct audits on organisations that process personal data and establish whether such processing aligns with the data protection principles and other requirements set out in the DPA and supporting regulations.
On 5 October 2022, the ODPC issued a notice that it was conducting an audit and assessment on 40 Digital Credit Providers (DCPs).
It also issued an enforcement notice against the Aga Khan University Hospital for failure to comply with the data protection laws.
Read: Closing the data protection information gap for SMEs
The notices laid out some of the most pertinent issues that the ODPC would consider when conducting an audit against a data controller or a data processor.
These include proof of registration as the data controller or processor or submission of an application, description of processing operations undertaken, demonstration of compliance with the notification requirement under the DPA and demonstration of compliance with conditions of consent, among other requirements.
The particular significance of the October audit notifications was that they represented the first overt regulatory action by the ODPC focusing on enforcement of the DPA for alleged breaches of the law.
Up until that time, the ODPC’s public actions had largely comprised of creating public awareness of the DPA and the ODPC’s regulatory mandate.
The ODPC’s focus on enforcement was further demonstrated in late December 2022, when the regulator issued its first fine under the DPA for a violation of the statute.
OPPO Kenya, a smartphone manufacturer, infringed on the privacy of a customer by using their photo on the company’s Instagram account without the client’s consent.
The customer lodged a complaint with the ODPC, which issued an enforcement notice directing OPPO Kenya to remove the image from its social media page. The company failed to comply with the enforcement notice and was also found not to have a data protection policy as required under the DPA and regulations.
For these violations, the ODPC imposed a fine of Sh5 million on OPPO Kenya, which represents the maximum fine the regulator can impose under the DPA.
In Europe, data protection authorities also actively penalised various entities for breaches of the GDPR. The Irish Data Protection Commissioner fined Meta, the social media giant that owns Facebook, Instagram and WhatsApp, EUR 405 million concerning the processing of personal data of child users on the social networking service Instagram.
Clearview AI Inc, an American facial recognition company, was also fined EUR 20 million each by French and Italian data protection regulators for processing personal data, including biometric and geolocation information, illegally in contravention of the GDPR.
Google also had to part with EUR 10 million following a fine by the Spanish data protection regulator for not properly giving effect to data subject requests.
The cases discussed above indicate that the ODPC and equivalent data protection and privacy regulators abroad are placing more reliance on enforcement actions as a means of driving compliance with data protection laws.
Read: Let’s all respect law on personal data, privacy
Businesses in Kenya must keep abreast of such regulatory action in order to ensure that their data protection and privacy compliance frameworks are robust enough to mitigate the risk of enforcement action being taken against them.
Some key risk points to glean from the cases above include the use of personal data, such as photos, for marketing and other commercial purposes; use of online profiling applications such as cookies and AI; adequacy of data protection impact assessments to flag high-risk processing; and failure or delay in responding to regulatory notices.
We expect more enforcement action in Kenya and beyond in 2023 and businesses need to be diligent about managing data protection and privacy risk to avoid being in the regulators’ line of sight.
Every business that processes personal data should ensure that its staff receive adequate training on data protection and privacy risks.
It should also prepare an inventory of all the personal data it processes.
Further, they should undertake comprehensive data protection and privacy risk gap assessment of their operations and implement measures that address any identified gaps.
A business that processes personal data needs to continuously monitor its operating environment to identify potential new sources of data protection and privacy risks.
Tracy Odipo and Jehaan Kassam also contributed to this article. The authors are Legal Business Solutions advisors with PwC Kenya.