Data privacy in Kenya has become an increasingly critical issue with the rapid advancement of technology and digital communication. The right to privacy is enshrined in the Constitution of Kenya under Article 31, which serves as the foundation for data protection laws and practices in the country. This article explores the constitutional basis for privacy rights, relevant legal frameworks, key provisions of the Data Protection Act, implications of data breaches, economic exploitation of privacy, and the roles of key institutions such as the Data Commissioner and the High Court.
The Right to Privacy in the Constitution of Kenya
The Constitution of Kenya, promulgated in 2010, includes a robust Bill of Rights that guarantees fundamental freedoms. Article 31 explicitly protects individuals’ right to privacy, stating:
“Every person has the right to privacy, which includes the right not to have—
- their person, home or property searched;
- their possessions seized;
- information relating to their family or private affairs unnecessarily required or revealed, or
- the privacy of their communications infringed.”
This constitutional provision emphasizes that interference with an individual’s privacy must be justifiable and fair. The courts have upheld this right in various rulings, reinforcing that unauthorized use of personal information violates this fundamental right.
Key Terms in Data Privacy
Understanding the terminology used in data privacy is essential for comprehending the obligations and rights under Kenyan law:
- Data: Any information processed by automatically operating equipment, recorded and/or stored by a private or public entity.
- Personal Data: Refers to any information relating to an identified or identifiable natural person. Examples include names, identification numbers, location data, email addresses, bank accounts, blood groups and online identifiers.
- Data Subject: The individual to whom personal data relates.
- Data Controller: A person or entity determining the purpose and means of processing personal data.
- Data Processor: A person or entity that processes personal data on behalf of the data controller.
- Data Processing: Refers to any operation performed on personal data, including collection, recording, storage, retrieval, and destruction.
- Sensitive Personal Data: Data that require higher protection due to their nature, such as health information, biometric data, political opinions, sexual orientation or religious beliefs.
- Consent: Freely given, specific, and informed agreement by a data subject for their data to be processed.
- Breach of Data Privacy: Any unauthorized access, loss, alteration, disclosure, or destruction of personal data.
- Data Protection Impact Assessment (DPIA): A process that assesses risks in data processing activities. It involves identifying risks, mitigating risks, managing risks and governing data protection.
- Privacy by Design: Integrating privacy into the design of, and throughout, business processes, systems and data processing activities.
- Privacy by Default: Ensuring that business processes, systems and data processing activities always revert to privacy, without requiring any input from the user.
- Anonymization: Removal of identifying particulars or details from data so that it is not personally identifiable.
- Pseudonymisation: Processing personal data in ways that delink it from a specific data subject. This can be done by removing some information or keeping some information about the data subject separately.
- Encryption: Converting data into coded/unreadable form. Once encrypted, data needs to be decrypted to be legible.
Governing Laws on Data Privacy
The Data Protection Act 2019 (DPA) serves as Kenya’s primary legal framework governing data privacy. It aims to give effect to Articles 31(c) and (d) of the Constitution by establishing guidelines for processing personal data. The Act outlines the principles of data protection, the rights of data subjects, and the obligations of data controllers and processors. It also establishes the Office of the Data Protection Commissioner (ODPC) and sets out registration, compliance, and enforcement procedures.
Key Provisions of the Data Protection Act
The DPA contains several essential provisions aimed at protecting individuals’ privacy rights. Some key provisions include:
- Principles of Data Protection (Section 25):
  - The Right to Privacy Principle: Personal data must be processed with due regard to the right to privacy.
  - Lawfulness, Fairness and Transparency Principle: Personal data must be processed lawfully and transparently, and only when there is a valid explanation.
  - Purpose Limitation Principle: Data should be collected only for specific reasons and limited to what is necessary for its intended purpose.
  - Data Minimization Principle: Only process data that is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
  - Accuracy Principle: Data must be collected and stored accurately. Any inaccuracies must be deleted.
  - Storage Limitation Principle: Data should not be kept in a form that identifies the data subjects for longer than is necessary for the purpose for which it was collected.
  - International Transfers Principle: Data should not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.
  - Integrity and Confidentiality Principle: Data Subjects have the right to be informed of the use of their data.
- Rights of Data Subjects:
  - Right to Access: Individuals can request access to their data held by a controller or processor.
  - Right to Rectification: Data subjects can correct inaccurate or incomplete personal data.
  - Right to Erasure: Individuals can request deletion of their data when it is no longer necessary for its purpose.
  - Right to Object: Individuals can object to processing based on legitimate interests or direct marketing.
  - Right to Data Portability: Individuals can request their data in a structured format for transfer to another service provider.
  - Right Not to Be Subjected to Automated Decision-Making: Individuals cannot be subjected to decisions based solely on automated processing that significantly affect them without human intervention.
- Consent Requirements:
  - Explicit consent must be obtained from data subjects before processing their personal data (Section 28).
- Data Security Obligations (Section 30):
  - Data controllers and processors must implement appropriate technical and organizational measures to ensure data security.
- Breach Notification (Section 34):
  - Organizations must notify the Data Protection Commissioner and affected individuals within 72 hours of becoming aware of a data breach.
- Extraterritorial Scope:
  - The DPA applies to entities within and outside Kenya that process personal data about Kenyan citizens (Section 3).
Other laws relating to data processing
Kenya’s legal framework for data processing is not limited to the Data Protection Act but extends to sector-specific laws to ensure comprehensive regulation and compliance. In the realm of consumer protection, the Consumer Protection Act of 2012 and the accompanying Consumer Protection Guidelines provide safeguards for consumer data, ensuring their privacy and fair treatment. Similarly, the Kenya Information and Communications Act, 1998, and the Kenya Information and Communications (Consumer Protection) Regulations, 2010, outline compliance standards for licensed information and communication service providers, who act as data collectors and controllers, emphasizing transparency and accountability.
When it comes to financial data, the National Payment System Act and its National Payment System Regulations, 2014, alongside the Central Bank of Kenya Prudential Guidelines for Institutions Licensed under the Banking Act, the Guidelines on Cybersecurity for Payment Service Providers, and the Banking (Credit Reference Bureau) Regulations, 2013, ensure the secure handling, confidentiality, and integrity of sensitive financial information.
Additionally, elections data is regulated through the Elections Act, 2011, the Elections (Registration of Voters) Regulations, 2012, and the Political Parties Act, 2011. These laws safeguard the accuracy, protection, and transparency of voter information throughout electoral processes.
Collectively, these laws reinforce Kenya’s commitment to robust data governance, ensuring that data processing across key sectors—consumer protection, finance, and governance—meets stringent regulatory standards. This multi-layered approach promotes trust, accountability, and compliance in the nation’s rapidly growing digital and information-driven economy.
Economic Exploitation of Privacy
The economic exploitation of privacy involves the unauthorized use of personal data for financial gain. This can include activities such as selling personal data to third parties without consent, using personal data for targeted advertising, and engaging in fraudulent activities. In the famous case of Jessicar Clarise Wanjiru v Davinci Aesthetics & Reconstruction Centre & 2 others [2017] eKLR, the learned Justice John M. Mativo opined that:
“An unauthorized use of a person’s image (Protected Attribute) for commercial or other exploitative purposes without their consent violated their right to privacy and human dignity.”
Notable Court Cases
- Ann Njoki Kumena v. Kenya Tea Development Agency (KTDA) [2019] eKLR: In this case, Ann Njoki Kumena filed a lawsuit against KTDA for using her photograph without her consent in their marketing materials. The High Court ruled in favor of Kumena, emphasizing the right to privacy and the unlawful use of a person’s image. The court awarded Kshs 1,500,000 in damages to Ann Njoki Kumena. This case underscores the need for organizations to obtain explicit consent before using personal data for commercial purposes.
- Wanjiru v Machakos University (Petition E021 of 2021) [2022] KEHC 10599 (KLR) (3 August 2022) (Judgment): Catherine Njeri Wanjiru sued Machakos University for using her image in advertising materials without her consent. The High Court found that the university violated her rights to privacy and publicity, awarding her Kshs 800,000 in damages. This case highlights the commercial exploitation of personal data and the importance of respecting individuals’ rights to control their personal information.
- T O. S v Maseno University & 3 others [2016] eKLR: T O. S filed a petition against Maseno University and others for disclosing his private medical information without consent. The High Court ruled that the Petitioner’s and the minors’ rights to privacy were violated. However, the Respondents could not be held liable as the Petitioner did not prove their involvement.
Notable Cases from the Office of the Data Protection Commissioner
- Esther Kanza Mbuvu Vs. Grain Industries Limited (2024): The ODPC fined Grain Industries KES 1 million for using a woman’s image in a national billboard and YouTube marketing campaign without her consent. The complainant discovered her unauthorized likeness on a billboard and sought erasure and compensation.
- Kennedy Wainaina Mbugua Vs. Bolt Operations OU & Bolt Kenya Limited: The Complainant alleged that the Respondents unlawfully accessed and processed his personal information, resulting in the unlawful disclosure of his personal data to third parties who used his Bolt driver account information for fraud. The ODPC found the Respondent liable for violating the Complainant’s right to access his personal data under Section 26(b) of the Act and his right to correction of false or misleading data under Section 26(d) of the Act, and for failing to fulfil its obligations under the Act. Subsequently, the Respondent was ordered to pay the Complainant Kshs 500,000 as compensation.
Recourse for Data Privacy Breaches
Individuals whose privacy rights are violated under the DPA have several avenues for recourse:
- Right to Compensation: Victims can seek compensation from data controllers or processors for damages incurred due to non-compliance with the DPA.
- Administrative Sanctions: The Office of the Data Protection Commissioner (ODPC) can impose fines for violations. Offenders may face penalties of up to KES 5 million (approximately USD 50,000) or imprisonment.
- Criminal Offences: The DPA establishes criminal liabilities for various offences related to data processing without consent or failure to comply with registration requirements.
Role of the Data Commissioner
The Office of the Data Protection Commissioner (ODPC) is tasked with enforcing compliance with data protection laws. The Commissioner’s responsibilities include:
- Overseeing registration processes for data controllers and processors.
- Investigating complaints regarding breaches of data privacy.
- Promoting public awareness about data protection rights and responsibilities.
The ODPC has been proactive in issuing penalties for non-compliance and has played a crucial role in educating organizations about their obligations under the law.
Role of the High Court of Kenya
The High Court serves as a critical venue for adjudicating disputes related to data privacy. Individuals can file petitions challenging decisions made by the ODPC or seeking redress for violations of their privacy rights. The court applies a proportionality test to determine whether any limitations on privacy rights are justified. This judicial oversight ensures that governmental actions comply with constitutional principles.
Conclusion
Kenya’s legal framework for data privacy is grounded in its Constitution, and mechanisms for enforcement are established through legislation like the Data Protection Act. The DPA provides comprehensive protection and clearly outlines individual rights and organizational responsibilities regarding personal data handling. As technology evolves, public and private entities must adhere strictly to these laws to protect citizens’ personal information from economic exploitation. The roles played by the ODPC and the High Court are vital in maintaining accountability and safeguarding individual rights against potential abuses in an increasingly digital landscape.