The law provides for consent as one of the lawful bases for processing personal data.
As defined in the Data Protection Act, for consent to be fully satisfied, a data controller or data processor must prove the following elements:
- There must be an express manifestation from the data subject. The word “express” in this context would mean that the data subject has in a very apparent, clear, distinct, evident, obvious, and plain manner manifested their “permission” for the processing activity. There is no lawful recognition of implied consent;
- Consent needs to be unequivocal, that is free from uncertainty and ambiguity. Further, for the consent to be unequivocal, it must be unmistakable and indisputable from the data subject’s perspective. The data subject must not be confused about what they are being asked to agree to and why;
- Consent should be free, affording the data subject a real choice of being able to refuse or withdraw their consent without negative consequences;
- Consent should be specific to the purpose. The specificity of the consent means that consent cannot be obtained for general or blanket processing activities. A data controller or data processor must seek permission for a specific use to which the personal data will be processed, including how long it will be retained and with whom it will be shared. Data controllers and processors are therefore required to give the particulars of the intended processing activities with a high degree of detail before obtaining consent; and
- Consent should be informed, meaning that a data subject must receive full and accurate details of the processing activities together with any associated risks of the processing, in addition to any other terms and conditions.
The consequences of failing to meet the statutory consent threshold were recently meted out to three entities on 26 September 2023, when the ODPC issued three penalty notices totalling KES 9,375,000 [USD 63,301.82]. The first entity, a Digital Credit Provider, was penalised KES 2,975,000 [USD 20,087.78] for contacting third parties without having obtained their consent. The second entity, a Nairobi-based restaurant, was penalised KES 1,850,000 [USD 12,491.56] for posting photos of its guests on its social media platforms without their consent. The third entity, which received the highest penalty, was an educational institution penalised KES 4,550,000 [USD 30,722.48] for posting photos of a minor without parental consent.
When relying on consent as a ground for processing personal data, compliance with all the statutory elements of consent is key.
The CMS Kenya | Daly Inamdar Advocates Data Protection Team, comprising certified privacy professionals, is happy to come on board as your resource partner in supporting your compliance efforts.
This alert serves the purpose of general guidance and is not intended to constitute specific legal advice. For legal advice with respect to this alert, please contact our Partner at Collette.Akwana@CMS-DI.com.
Contributors*
Wilson Mrima – Associate
Consent: Consequences of Non-Compliance