The Office of the Data Protection Commissioner (ODPC) has again sided with another Kenyan whose complaints about receiving emails in error from a commercial bank were ignored, in a growing crackdown on lenders who breach data protection laws.
In a new ruling, Data Commissioner Immaculate Kassait has ordered Family Bank to pay Jackson Irungu Sh250,000 after finding it liable for breaching his privacy rights by continuously sending him emails despite not having an account with it, and subsequently ignoring his complaints.
This comes just days after the same office ordered SBM Bank to pay another person Sh450,000 for a similar complaint, signalling a growing regulatory crackdown on banks that ignore user complaints of privacy violations as recently enacted laws continue to challenge age-old norms among Kenyan businesses.
In her latest ruling, Ms Kassait said that the bank should have ensured that “any inaccurate personal data in its custody is erased or rectified without delay” as required by the Data Protection Act of 2019.
“The Respondent (Family Bank) erroneously captured its customer’s email address leading to the sending of several emails to the complainant’s email address. Despite requests to erase his personal data, the respondent failed to do so in a timely manner,” Ms Kassait said.
Mr Irungu told the ODPC that he had been receiving emails from Family Bank for over six months containing statements purporting to be for his bank account, even though he did not have an account with the bank.
He visited the lender’s Nyeri branch to complain about the issue and later sent an email when the physical visit failed to resolve the issue, but still no action was taken, forcing him to take the matter to the regulator in April 2024.
According to the ODPC, Family Bank continuously ignored Irungu’s complaints and only took action after receiving a notice of inquiry from the regulator, which amounted to a violation of his rights.
In the earlier case of SBM Bank, the complainant had received emails for a year despite persistent complaints, which also amounted to a violation of his rights by the lender.
In both cases, Ms Kassait found the banks guilty not because they had mistakenly sent emails to the wrong addresses, but because they had consistently ignored their victims’ complaints, thereby violating their rights and causing them distress.
The banks’ violated the victims’ right to erasure, which under the Data Protection Act requires a data processor to erase and cease processing an individual’s personal data within 14 days of learning of an inaccuracy, as in these cases.
These decisions are based on the precedent set by the ODPC that an individual’s email address is personal data and should only be processed by a data handler with the express consent of the owner. Both banks and their respective complainants will have up to 30 days to appeal the ODPC’s decision to the High Court, Ms Kassait said.
