ODPC in Kenya Cracks the Whip on Non-Compliance

13/01/2023

On 21 December 2022, the Office of the Data Protection Commissioner (the Regulator) issued its first penalty, fining OPPO Kenya KES 5 million (USD 40,600) for failing to comply with an enforcement notice issued against it. The enforcement notice followed the company's infringement of the complainant's privacy by using the complainant's photo on the company's Instagram account without the complainant's consent. OPPO Kenya failed to comply with the Regulator's enforcement notice directing the company to develop a policy in compliance with Section 37 of the Data Protection Act.

This Section provides that a person shall not use, for commercial purposes, personal data obtained according to the provisions of the Act, unless the person has sought consent from the data subject or only as permitted under any written law.

The imposition of this penalty makes it clear that the Regulator's determination to enforce the Kenya data protection laws is uncompromising. This is reinforced by the fact that the Regulator has in the recent past advertised vacancies for Regional Commissioner and Data Protection Officer posts at county level.

The Regulator's progress in the implementation and enforcement of the data protection laws is noteworthy. An October 2022 press release stated that, as of 30 September 2022, the Regulator had received 1,030 complaints, 54% of which were against digital lenders, prompting the issuance of an audit notice against 40 digital lenders. In October 2022, the Regulator issued an enforcement notice to Aga Khan University Hospital following the hospital's breach of data protection laws by contacting the complainant contrary to the Data Protection Act. It is these two significant acts of enforcement that make it even more critical for companies to be wholly compliant with the Kenya data privacy laws.

In implementing its statutory mandate to carry out audits, the Regulator has already issued a public notification of its intention to carry out data protection compliance audits. The audits will focus on proof of registration in accordance with the law, a record of processing activities, and the requisite policies and documents that form the basis for these activities. These will in turn determine the extent to which data subjects exercise their privacy rights prior to such processing activities.

The transfer of personal data outside Kenya, commonly effected in the context of multinational companies, will be audited closely on the basis of proof of the safeguards for international data transfers as set out in the Regulations.

As we await a plethora of judicial reviews of the Regulator's sanctions, and guided by the outcome of data privacy decisions under the EU General Data Protection Regulation (GDPR), it is imperative that companies fully comply with the data protection laws.

The CMS Kenya | Daly Inamdar Advocates Data Protection Team, comprising certified privacy professionals, is happy to come on board as your resource partner in supporting your compliance efforts.

This alert serves the purpose of general guidance and is not intended to constitute specific legal advice.

For legal advice with respect to this alert, please contact our Partner, Collette Akwana at Collette.Akwana@CMS-DI.com  

*Contributors
Faridah Munyi - Associate
