Save 20% off! Join our newsletter and get 20% off right away!

Data privacy litigation: Analysing the inaugural determination of the Office of the Data Protection Commissioner (ODPC) in Allen Gichuhi v Ambrose Waigwa ODPC Complaint No. 677 of 2022

The ODPC is a regulatory office established pursuant to Section 5 of the Act.[1] The ODPC is mandated with regulating personal data processing, ensuring that the processing of a data subject’s personal data is guided by the principles set forth in Section 25 of the Act, protecting individuals’ privacy, establishing a legal and institutional mechanism to protect personal data, and providing data subjects with rights and remedies to protect their personal data from processing that is not in accordance with the Act.[2]

Section 8(f) of the Act guarantees that the ODPC can receive and investigate a complaint by any person on infringements of the rights under the Act.[3] Furthermore, Section 56(1) provides that a data subject who is aggrieved by a decision of another person under the Act may lodge a complaint with the Data Commissioner in accordance with the Act.[4]

The complaint

In July 2022, the ODPC received a complaint from law firm partners (the Complainants) against its ex-employees (the Respondents). The basis of the complaint is that the Respondent allegedly sent confidential information from the firm to her personal email as well as to a third party, without consent from the data subjects and the Complainants. It was alleged that some of the documents shared included court documents such as pleadings and supporting documents, applications, affidavits, submissions, and legal opinions. Other documents allegedly shared included bank statements, correspondences, invoices, and subscription emails.

The Respondents averred that the ODPC lacked jurisdiction to interrogate the alleged IP breaches and that the documents in question were public documents according to the Evidence Act.[5] They took the position that at the time in question the Firm had not been registered as a data controller or a data processor, therefore, the provisions of the Act could not be applied retrospectively. Finally, the Respondents argued that the complaint was an abuse of process and the sub judice doctrine because the Firm had filed similar related claims in the High Court, the Law Society of Kenya Disciplinary Tribunal, and the Directorate of Criminal Investigations.

The response

The Respondents averred that the ODPC lacked jurisdiction to interrogate the alleged IP breaches and that the documents in question were public documents according to the Evidence Act.[6] They took the position that at the time in question the Firm had not been registered as a data controller or a data processor, therefore, the provisions of the Act could not be applied retrospectively. Finally, the Respondents argued that the complaint was an abuse of process and the sub judice doctrine because the Firm had filed similar related claims in the High Court, the Law Society of Kenya Disciplinary Tribunal, and the Directorate of Criminal Investigations.

Issues and determination

Regarding jurisdiction, it was decided that the ODPC operates to protect personal data within the limits of the Act and does not have the jurisdiction to determine issues of intellectual property infringement.

On the question of whether there was a breach of the Act, it was held that there was no violation. This was on the grounds that; the documents provided formed part of the public record, and the parties referred to in some of the documents were companies and not natural persons who are the data subjects specifically protected under the Act. Additionally, the Complainants did not demonstrate that their own personal data had been infringed and did not show that they had the authority to represent any other data subjects referred to in the complaint.

Since the Complainants failed to demonstrate a breach of the Act, it was found that a remedy could not ensue from such circumstances. The complaint was dismissed.

Key take-aways

This decision was relevant to presenting evidence in the complaint handling process before the ODPC, defining a data subject, and how a data subject should be represented. It further implied the need to understand the Data Protection Act when engaging with ODPC to avoid the dismissal of complaints.

Additionally, the following stood out in the decision;

  1. The ODPC does not have jurisdiction over intellectual property infringement, but only to issues that fall within the Act.
  2. The protection afforded under the Act relates to data subjects that are natural persons and does not extend to legal/juristic persons such as corporate entities. Therefore, the complaints regarding the data of legal/corporate persons could only be protected in the form of notification of a data breach rather than by a complaint to the ODPC.
  3. A complainant must demonstrate that their own personal or even sensitive data has been infringed in their capacity as data subjects.
  4. Third parties need consent from the data subject to indirectly obtain the personal data of the data subject.
  5. It is important to obtain express authority to act for the individual whose data has allegedly been breached, when representing a complaint.
  6. Sharing documents that form part of a public record does not amount to a breach of the Data Protection Act. Court pleadings for reported cases are public records collection and sharing them would not amount to a breach of the Act. This implies that the Act permits the indirect collection of personal data contained in public records.
  7. He who alleges breach of data must prove and provide evidence to the ODPC showing what personal data had been compromised. This will assist the ODPC in deciding whether the documents contain personal data and whether there has been unauthorised disclosure.
  8. The non-registration as a data controller or data processor does not preclude the applicability of the Data Protection Act. This is because there is no relationship between the handling of complaints and the registration of data controllers.

Implications of the ODPC determination

Despite the weak nature of the complaint, it set the ball rolling on data privacy litigation and led the ODPC to make its inaugural determination on data privacy infringement. Some of the salient areas impacted by this decision include procedural justice, presentation of evidence, representation of data subjects and the right to appeal.

First, the procedural aspect of the ODPC dispute resolution process was demonstrated as established under the Act and the Regulations.[7] This included the procedure for lodging,[8] admission[9] and response to complaints. The ODPC is required to notify the respondents of the complaint and gives them 21 days to respond.[10] Following the response, the ODPC investigates[11] the matter and then makes a determination.[12]

Second, the decision is critical as it has now set guidelines on the presentation of evidence and the applicable standard of proof where a complaint is lodged with the ODPC. Where a document containing personal data was allegedly shared, the said document should be produced for verification to determine whether there is a breach. The ODPC will dismiss the claim for lack of evidence if the documents are not produced. The one who alleges breach of data privacy must produce the documents.

Third, there should be express authorization from the data subject, allowing a complaint to be brought on their behalf. A data subject should issue clear instructions to any person or firm, representing them in a complaint. This is in harmony with the Regulations which defines a “complainant” as a data subject or a person who has lodged a complaint.[13] It further provides that the complaint may be lodged by the complainant in person, by a person acting on behalf of the complainant, or by any other person authorized by law to act on behalf of a data subject or anonymously.

Lastly, the right of appeal was also emphasized. Section 64 of the Act allows a person to appeal to the High Court if dissatisfied with an administrative action taken by the Data Commissioner, including in enforcement and penalty notices.[14]

The future of the ODPC and data privacy litigation

The ODPC plays a crucial role in the future of data privacy litigation due to the responsibility of enforcing data protection laws and regulations to ensure compliance. The ODPC’s investigation and enforcement powers, as well as its role in educating the public, are crucial in protecting personal data and promoting data privacy.

Going forward, data privacy litigation in Kenya is likely to involve an increasing number of cases as more individuals and organizations become aware of their rights to protect their personal information. The increasing use of technology, leads to a corresponding increase in the amount of personal data that is collected, stored, and shared. As a result, data privacy is a significant concern for many individuals and organizations, and it is likely that this trend will continue in the future.

The ODPC this year is expected continue investigating more complaints going forward. This will start to build jurisprudence over the tests for breaches of data protection laws and create legal thresholds to be surmounted by future complainants. The anticipated increase in data privacy litigation necessitates the establishment of an Alternative Dispute Resolution (ADR) framework. Some of the personal data complaints can be resolved using ADR as envisioned in the Data Protection Act, 2019 and Data Protection (Complaint Handling Procedure and Enforcement) Regulations, 2021 on conciliation, mediation, and negotiation.

Conclusion

Daily, vast amounts of personal data are collected, transmitted and stored globally by ever-growing computing and communication technologies. Personal data is becoming a critical resource that drives economic growth and development in this century as oil was in the past. As a result, personal data protection is increasingly becoming a critical area that requires to be managed carefully.[15] There is still the need to strengthen the data protection laws, increase enforcement, raise public awareness, encourage self-regulation, and review the data-sharing process. These steps are crucial in ensuring that the personal data of individuals is better protected and that organizations are held accountable for any violations of data protection laws.

The development in jurisprudence in Kenya and internationally will strengthen the recognition of privacy as a fundamental human right, thereby, making the protection of personal data a key pillar in the respect for human dignity. This recent decision by the ODPC is therefore an impactful contribution to data privacy litigation, in the face of an anticipated increase in the number of cases as awareness of data privacy rights grows.

The author is a Trainee Lawyer at Anjarwalla and Khanna LLP and a UON LLB Graduate. Currently, he is a Postgraduate Diploma (ATP) student at the Kenya School of Law. He can be reached at calebweisiko@gmail.com


[1] Article 31, The Constitution of Kenya 2010.

[2] The Data Protection Act, 2019.

[3] The Data Protection Regulations 2021.

[4] The Universal Declaration of Human Rights 1948, at <https://www.un.org/en/about-us/universal-declaration-of-human-rights> (accessed on 13 January 2023).

[5] International Covenant on Civil and Political Rights 19761, at <https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights> (accessed on 13 January 2023).

[6] Section 5, The Data Protection Act, 2019.

[7] Ibid.

[8] Section 8(f), The Data Protection Act, 2019.

[9] Section 56(1), The Data Protection Act, 2019.

[10] Section 79, The Evidence Act, cap 80.

[11] Section 79, The Evidence Act, cap 80.

[12] Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

13] Regulation 4, Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

[14] Regulation 5, Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

[15] Regulation 11, Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

[16] Regulation 13 (1) (d), Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

[17] Regulation 14, Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

[18] Regulation 2, Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

[19] Section 64, The Data Protection Act, 2019.

[20] The ODPC Strategic Plan FY 2022/23 – FY2024/25, at <https://www.odpc.go.ke/wp-content/uploads/2021/06/ODPC-Strategic-Plan.pdf> (accessed on 16 January 2023).

Avatar
Caleb Weisiko is a Trainee Lawyer at Anjarwalla & Khanna LLP, and an LL.B Graduate from The University of Nairobi. He is currently undertaking his Post-Graduate Diploma at the Kenya School of Law. He is also a part-time Associate Editor and Writer with JURIST, a Legal News and Commentary Organisation affiliated with the University of Pittsburgh School of Law, US.