Kenya: The High Court and the Office of the Data Protection Commissioner issue decisions on complaints and the right to privacy in the use of CCTV cameras

With the increasing awareness of the Kenyan Data Protection Act (DPA) comes an increasing amount of precedents being set by both the courts and the Office of the Data Protection Commissioner (ODPC).

This latest update summarises two recent decisions issued by the High Court of Kenya and the ODPC.

The High Court issues a decision on the violation of the right to privacy in the context of domestic CCTV systems

On 31^st May 2023, in Ondieki V Maeda (Petition E153 of 2022), the High Court allowed a petition on violation of the constitutional right to privacy in the context of the installation of CCTV cameras in a residential area.

On 19^th August 2019, Ondieki (“Respondent”) installed CCTV cameras on her premises for security purposes and on 29^th March 2022, Maeda (“Petitioner”), who is the adjacent neighbour of the Petitioner, lodged a Petition claiming that the CCTV camera installation was done in a manner that breached his right to privacy. The Petitioner stated that the cameras were positioned in a manner that could spy, monitor and record the images of his property and individuals on his property and therefore urged the Respondent to uninstall the CCTV cameras. The Respondent did not take any action citing that the installation was necessary for security reasons.

The High Court stated that as per the DPA, the Respondent was deemed a data controller processing personal data through her CCTV of the Petitioner as a data subject. Based on this view of the Respondent being a data controller, the High Court held that the Respondent was required to be registered with the Data Commissioner and to have sought the Petitioner’s consent to collect data through the CCTV cameras. Ultimately, the High Court, in allowing the claim made a declaratory order that the actions of the Respondent violated the Petitioner’s rights under Article 31 of the Constitution and his rights as a data subject under the DPA. 

Implications and conclusion

Unfortunately, this decision creates a dangerous and, in our view, incorrect precedent which is inconsistent with the provisions of the DPA:

1. In the first instance, by disregarding the general exemptions for processing personal data by an individual in the course of a purely personal or household activity under the DPA. The DPA stipulates that individuals processing personal data during a personal or household activity shall be exempt from complying with data protection principles relating to lawful processing, minimisation of collection, data quality, and adopting security safeguards to protect personal data.
2. Relying on consent as the only lawful basis for processing personal data by a data controller or data processor and ignoring indirect collection of personal data by the Respondent as prescribed in Regulation (6)(1)(c) of the Data Protection (General) Regulations, 2021. As per the DPA, a data controller or data processor shall not process data unless the data subject consents to the processing or the processing is necessary for; the performance of a contract; the compliance with a legal obligation; to protect the vital interests of the data subject; the performance of a task carried out in the public interest or the exercise of official authority vested in the controller; for the performance of any task carried out by a public authority; for the exercise, by any person in the public interest, of any other functions of a public nature; for the legitimate interests pursued by the data controller or data processor by a third party to whom the data is disclosed; or for historical, statistical, journalistic, literature and art or scientific research.
3. Even though not applicable in our view, by misinterpreting the registration requirements under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, which provide that a data controller or data processor is exempt from registration if it has an annual turnover or annual revenue of less than Kenya Shillings 5,000,000 and has less than 10 employees. The terms “revenue” and “turnover” are defined in the context of profit and non-profit making entities.
4. Failing to recognise the jurisdiction of the ODPC on complaints handling procedures. In our article discussed here, we noted that the ODPC had dismissed a complaint lodged by Wamae & Allen (also discussed below) and reaffirmed its jurisdiction on complaints handling related to issues within the DPA. Therefore, the High Court herein should have referred the case to the ODPC and maintained its appellate nature on decisions and actions made by the ODPC after lodging a complaint.

The ODPC dismisses data protection complaints against former law firm employees upon re-investigation

As set out in our update here, the ODPC recently re-dismissed a complaint filed on 20^th July 2022 by the partners of the law firm, Wamae & Allen Advocates (“Complainant” or “Law Firm”) on both the firm’s and the client’s behalf against their former employees Florence Mathenge (“1^st Respondent”) and Ambrose Waigwa (“2^nd Respondent”) (collectively “Respondents”).

The Complainants alleged that the Respondents had violated the DPA by gaining unauthorised access to the Complainant's systems ad sharing sensitive, confidential information between themselves to their personal emails. At the first instance of lodging the complaint, the ODPC dismissed the complaint. Unsatisfied with the ODPC’s determination, the Complainant filed an appeal against the ODPC’s decision to dismiss the complaint. As a result, the High Court issued an order compelling the ODPC to readmit the complaint dated 20^th July 2022 for fresh investigation and determination.

Upon re-investigation of the Complaint, the ODPC, in response to the 1^st Respondent’s challenge on the jurisdiction of the ODPC, noted the fact that the Complainant was not registered as a data controller or processor at the time the complaint was instituted and the existence of other disputes between the Complainant and the Respondents before other forums, did not preclude the ODPC’s jurisdiction or obligations under the DPA.

Furthermore, the ODPC observed that under the DPA, only natural persons or any other person duly authorised by the data subject can lodge a complaint alleging unauthorised access to the data subject’s personal data under the DPA. Therefore companies, limited liability partnerships and corporations cannot lodge complaints under the DPA as they are not considered as data subjects. In the re-investigation, the ODPC noted that the Complaint had been lodged by the law firm's partners, on behalf of the law firm and clients’ behalf. The partners being natural people, can only lodge a complaint on their behalf and not on behalf of their law firm, a limited liability partnership.

The ODPC proceeded to re-dismiss the complaint on the basis that notwithstanding the ODPC’s request for further documents, the documents cited by the Complainant were not provided to the ODPC for inspection and determination as to whether the information disclosed qualified as personal data under the DPA. Additionally, the ODPC reaffirmed its position by stating that a data subject cannot lodge a complaint for unauthorised access to personal data under the DPA relating to information that is publicly available either as government records or published information.

Implications and conclusion

This decision re-affirms that:

1. A data subject in exercising their rights under the DPA as a natural person or through a natural person authorised by the data subject may lodge a complaint with the ODPC under the DPA. Therefore, companies, partnerships and corporate entities cannot institute complaints with the ODPC alleging unauthorised access to personal data as they are not deemed data subjects under the DPA.
2. If the personal data in question is publicly available through government records or publicly published information, then such personal data is excluded from unauthorised access by a data controller or a data processor who may indirectly collect data held in a public record pursuant to s. 28 of the DPA and regulation 6(1) of the Data Protection (General) Regulations, 2021. Consequently, a data subject cannot file a complaint with the ODPC alleging unauthorised access to publicly available personal data by a third party.

--

Read the original publication at Bowmans.