Privacy is a fundamental human right and is central to the protection of human dignity. In its simplest form, the right to privacy allows each human being to be left alone in a core that is inviolable. As we continue to celebrate Data Privacy Day, we look at key takeaways from recent decisions issued by the Office of the Data Protection Commissioner (ODPC) as data protection jurisprudence continues to evolve in Kenya.
Consent is one of the lawful bases for the processing of personal data. In 2021, the ODPC published a Guidance Note on Consent to guide data subjects and entities on the meaning and features of consent. The ODPC’s enforcement actions against unauthorised harvesting of personal data from third parties and unauthorised use of images of data subjects illustrated the ODPC’s commitment to imposing sanctions for breaches of consent requirements under the DPA.
For consent to be a lawful basis for the processing of personal data, the data subject must be offered control and have a genuine choice about accepting the terms offered or declining them without detriment. In 2023, the ODPC evaluated the implications of consent as a condition to access financial benefits, and the effect of invalid consent on transfers of personal data outside of Kenya. The ODPC also left the door open on circumstances in which employers may be found vicariously liable for data breaches by employees.
Despite the ODPC’s publication of the guidance note, consent continues to be a misunderstood principle under the DPA. In particular, the ODPC clarified that in situations where consent is a pre-condition to accessing a financial benefit, the consent may be invalid because of the coercive effect of the conditions imposed.
The ODPC issued penalty notices to three data controllers on 26 September 2023 for failing to observe data privacy rights and obligations under the DPA:
The events surrounding the Worldcoin project made headlines last year, prompting the ODPC to initiate its own suo moto investigation into the activities surrounding the Worldcoin project. The project, run by the Tools for Humanity Corporation (TFH) and the Worldcoin Foundation, entailed the scanning of data subjects’ irises in exchange for a digital ID and digital tokens worth KES 7000. The investigation looked at whether the processing of personal data, which included an iris scan, facial image, name, date of birth, age range, and gender, was lawful. In its determination, the ODPC evaluated whether TFH and the Worldcoin Foundation obtained proper consent for the processing of sensitive personal data and whether the transfer of personal data outside Kenya was in compliance with the DPA and the regulations.
In its determination published in September 2023, the ODPC found that the consent obtained by TFH and the Worldcoin Foundation was invalid. According to the ODPC, in making Worldcoin tokens conditional on the provision of consent to process biometric data, TFH and the Worldcoin Foundation exerted influence upon the data subject’s expression of free will, thereby invalidating consent as a ground for the lawful basis of processing personal data. On the transfer of personal data out of Kenya, the ODPC found that the transfer of the Kenyan data subject’s sensitive personal data out of Kenya was unlawful as the consent was invalid.
In its analysis, the ODPC held that TFH and the Worldcoin Foundation did not demonstrate that they had met the requirement of express consent as a basis for transferring personal data out of Kenya. According to the ODPC, explicit consent should be given after a complete, forthright, and clear disclosure as to the type of data collected, the purpose of collection, its security, and why consent is important. Once the data subject has read and appreciated the risks of the transfer of sensitive personal data, they need to do more than just tick a box. The data subject must give an express statement of consent.
In addressing data breaches arising in the course of an individual’s employment, the ODPC cautioned that nothing in the DPA excludes the possibility of vicarious liability for employers due to their employees’ conduct, and that each case will be determined on its own facts.
In Pauline Muhanda v Safaricom PLC ODPC Complaint No. 1212 of 2023, the ODPC had to deal with the issue of whether an employer can be vicariously liable for an employee’s misconduct under the DPA. In this case, an advocate discovered that her MPESA statements of transactions had been produced in court in a matter where she and her law firm had been under private investigation. The MPESA statements had been disclosed by an employee of Safaricom PLC who had access to them in the ordinary course of her work. She had disclosed the MPESA statements without the complainant’s consent or a court order compelling Safaricom to disclose them.
The ODPC found the employee personally culpable for disclosing the complainant’s MPESA statements. It explained that the fact that her employment at Safaricom gave her the opportunity to access personal data was not sufficient to impose vicarious liability on Safaricom as her employer for her wrongful act.
The above decisions demonstrate that the ODPC is vigilant and actively enforcing the provisions of the DPA. In addition, consent is the bedrock of processing personal data. Consent may be found an invalid basis for processing data where the data subject does not have control or is influenced to accept the terms of any action. Employers should continue to put in place robust safety and security measures to ensure that their employees comply with the DPA. This requires, amongst other things, appropriate policies for all staff to adhere to as well as regular training and retraining on the principles of data protection, as employers can become vicariously liable for their employees’ data breaches.
--
Read the original publication at ALN.