A PICTURE IS WORTH A THOUSAND WORDS BUT IS IT WORTH A MILLION SHILLINGS?
- Sonnie Njoha
- Oct 4, 2023
On 26 September 2023, the Office of the Kenyan Data Protection Commissioner (ODPC) issued a press release indicating that it had imposed penalties on a number of data controllers for the infringement of the privacy rights of data subjects and non-compliance with the requirements of the Data Protection Act (DPA).
Top of the list was Casa Vera lounge, located on Ngong Road, which was penalized Ksh 1,850,000 for using a reveler's image without consent. The fine was issued by the Office of the Data Protection Commissioner (ODPC) to serve as a warning to all social joints to seek the consent of their customers before using their photos.
Secondly, Roma School, a mixed day and boarding primary school in Uthiru, was fined Ksh 4,550,000 for posting a minor’s image without parental consent. The school had used an image of a minor to advertise the school without consent from the parent or guardian of the said child. The ODPC termed it a warning to other data controllers that were misusing the data they collected and defying Data Protection Act requirements.
The penalty imposed on Roma School is markedly higher than that imposed on Casa Vera Lounge, despite the fact that the form of infringement appears to be largely similar in these two cases. The distinguishing factor presumably comes from the fact that Roma School’s infringement involved a minor while Casa Vera’s non-compliance didn't.
The DPA prohibits the processing of personal data belonging to a child without consent from the parent or guardian of the child and requires any such processing to be carried out in a manner that protects and advances the rights and best interests of the child.
The final penalty was against Mulla Pride Ltd, which faced a complaint that many Kenyans have grappled with in recent times. The company, a digital lender operating the KeCredit and Faircash mobile lending apps, was fined Ksh 2,975,000. It was found to have used names and contact information of the complainants, which were obtained from third parties, and subsequently used them for threatening messages and phone calls.
The data commissioner said the Ksh 2,975,000 fine will ensure that the micro-lender deals only with the data of subjects who have consented to their data being collected. The penalty will ensure that digital lenders and financial institutions notify data subjects when collecting their data and of the intention of processing the said data.
The Data Protection Act came into effect on November 25, 2019 and provides laws that govern the collection, processing and storage of personal data by both the government and the private sector. According to the office of the data commissioner, the penalty notices have been issued pursuant to Sections 62 and 63 of the Data Protection Act, 2019 (Act) and Regulations 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.


