On 5 October 2022, the Office of the Data Protection Commissioner (ODPC) issued a press release stating that it would be conducting a preliminary documentary assessment and audit of 40 digital lenders that have been the subject of complaints raised by members of the public. In the press release, the ODPC stated that it had received a total of 1,030 complaints by the end of September 2022, of which 555 had been admitted for investigation.
Through the press release, the ODPC indicated that an audit process had begun in respect of the 40 digital lenders, which it now requires to provide documents relating to their data protection systems by 18 October 2022. Failure to meet this requirement is deemed to constitute an offence under the Data Protection Act (Act).
This article discusses the powers of the ODPC, the complaints mechanisms and remedies for data subjects and the penalties that may be imposed on data controllers and data processors under the Act and the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 (Regulations).
The Act clothes the ODPC with broad supervisory powers in relation to the processing of personal data. Firstly, the ODPC is mandated to register all data controllers and data processors that meet the threshold for registration under the law. Our legal alert on the requirement for registration with the ODPC as a data controller or data processor may be read here.
The registration process gives the ODPC some insight into the sort of personal data and sensitive personal data that data controllers and data processors are processing, the risks involved, the measures taken to manage these risks, and the size of the operations of any applicant for registration. The registration process forms a good starting point for the execution of the ODPC's supervisory mandate. However, as of September 2022, it had not gained much traction: only a reported 19% of surveyed firms had actually registered as data controllers or data processors. The ODPC's own press release (also in September) indicated that only 1,660 applications had been received and only 332 applicants had been issued with registration certificates.
Besides its mandate as a registrar for data controllers and processors, the ODPC has the following broad oversight functions under the Act:
The Act also provides the ODPC with the broad supervisory power to:
The above powers (especially the last two) are manifestly broad in their wording, purpose and applicability and offer legitimacy to the ODPC’s ongoing audit process.
The Act allows complaints to be lodged orally or in writing, including through electronic means such as email or web posting (e.g., through the ODPC's website). A complaint may be lodged by the complainant in person, by a person acting on their behalf, or anonymously. In line with the Regulations, the ODPC must investigate and conclude a complaint within 90 days.
The ODPC is required to acknowledge a received complaint within 7 days and thereafter to vet it before either admitting it for investigation or advising the complainant that the matter falls outside its mandate or within the mandate of another institution, in which case it refers the complaint to that institution. Complaints may also be denied admission if they do not raise any issues under the Act.
Upon admission of a complaint, the ODPC is required to notify the respondent of the complaint lodged against them within 21 days and may conduct an inquiry or investigation, or facilitate the resolution of the complaint through mediation, conciliation, negotiation or other mechanisms. Within the same 21-day period, the respondent is required to make representations and provide any relevant material or evidence in support, to review the complaint with a view to resolving it summarily to the satisfaction of the complainant, or to provide a response with the required information. Upon the conclusion of its investigation into a complaint, the ODPC is required to make a determination in writing setting out, among other things, its decision and the remedy to which the complainant is entitled. Such determinations of the ODPC are binding and enforceable in the same manner as court orders.
Where the ODPC finds fault with a respondent pursuant to a complaint, it may issue an enforcement notice requiring the respondent to take certain prescribed steps to correct its contravention of the law. Where the remedial measures prescribed under the enforcement notice are not carried out by the respondent within the timeframe set out, an offence is committed under the law. The penalty upon conviction is a fine of up to KES 5 million and/or a jail term of up to 2 years. In addition, the ODPC may impose an administrative penalty of up to KES 5 million or, in the case of an undertaking, up to 1% of its annual turnover for the preceding financial year, whichever is lower.
The issuance of the assessment and audit notice is a clear signal to all entities that handle personal data and sensitive personal data that the ODPC is actively exercising its oversight mandate and keeping a close eye on the sectors in which data subject rights under the Act are being widely abused. Reports of inappropriate use of personal data for commercial purposes (such as marketing and debt collection in the digital lending sector) have dominated the reported abuses of data subjects' rights and have no doubt contributed to the ongoing assessment and audit. It is likely that other sectors that process personal data digitally for commercial purposes, as well as entities that handle large volumes of sensitive personal data, will also be brought under the ODPC's scrutiny. Relevant stakeholders therefore ought to take measures to align their data processing activities with the Act and the Regulations so as to avoid becoming the subject of supervisory or oversight directives from the ODPC. Examples of possible compliance measures include:
--
Read the original publication at Cliffe Dekker Hofmeyr.