Emerging Principle on the use of CCTV Cameras in Kenya
The ODPC has confirmed that the collection, transmission, viewing and storage of CCTV footage amounts to personal data processing under the Data Protection Act. In Mark Ross v Graeme Thompson, the Data Commissioner held that CCTV systems involve multiple “operations” on personal data, including the collection, recording, transmission, storage and viewing of live and recorded footage. These operations are carried out through automated systems and apply to both stored media and real-time monitoring. The practical implication of this finding is that anyone who installs or operates CCTV cameras becomes a data controller or data processor and must comply with the full range of data protection obligations, including having a lawful basis, observing the data protection principles and respecting data subject rights.
In the case of Islim S. Imran v Everest Park Estate and 2 Others, the ODPC held that CCTV surveillance is only lawful if it is supported by one of the lawful bases provided under the Data Protection Act. In that case, the estate relied on legitimate interests as its lawful basis. The ODPC found that this was justified because the cameras were installed only in common areas such as the main gate and water points, were intended to enhance security and prevent vandalism and were preceded by a public participation process in which residents were consulted and contributed financially. Importantly, no cameras were installed inside private homes or in a manner that intruded into private spaces.
Similarly, in Lilian Nyawira Nderitu & Another v Josephat Karungo and Another, the Data Commissioner held that although security is a legitimate purpose for processing, it must be pursued in a manner that is lawful, fair and proportionate. This means that even where a person has a genuine security concern, the method chosen must not go beyond what is reasonably necessary and must comply with data protection principles.
The High Court in Ondieki v Maeda [2023] KEHC 18290 (KLR), the High Court held respondent’s cameras were positioned in such a way that they were visible from the petitioner’s compound, could be accessed remotely over the internet by anyone with a password and could be manually adjusted using an allen key. This meant that the cameras were capable of continuously monitoring the petitioner’s private space, even if they were not always being actively used for that purpose. On this basis, the Court held that the positioning and accessibility of the cameras violated the petitioner’s constitutional right to privacy under Article 31.
The same principle was affirmed by the Data Commissioner in Lilian Nyawira Nderitu & Another v Josephat Karungo and Another, where it was held that CCTV cameras that capture images of a neighbouring property violate the data protection principles of privacy, lawfulness, fairness and data minimisation.
In Lilian Nyawira Nderitu & Another v Josephat Karungo and Another, the Data Commissioner held that the complainant’s home was a private space and that the continuous capture of images of that space from a neighbouring property through CCTV surveillance constituted unauthorised processing of personal data.
In Lilian Nyawira Nderitu & Another v Josephat Karungo and Another, the Complainants had made multiple requests over more than a year for the cameras to be repositioned. These requests were ignored. The Data Commissioner held that this delay breached the Data Protection (General) Regulations, 2021, which require rectification requests to be acted upon within fourteen days.
6. CCTV processing may be exempt from the Act where the surveillance is carried out solely for personal or household purposes
In Mark Ross v Graeme Thompson, the ODPC clarified the scope of the household exemption under the Data Protection Act. The exemption only applies where CCTV cameras are installed in a fixed position, do not point towards neighbouring property, do not capture a neighbour’s residence, and do not monitor movements into or out of another person’s home.
The High Court in Ngunjiri v Kiambi & another [2025] KEHC 3793 (KLR), has now confirmed that disputes arising from CCTV surveillance are, in substance, data protection disputes. In that case, the Petitioner alleged that the Respondent had installed a CCTV camera pointing directly at his house without consent, thereby violating his right to privacy under Article 31 of the Constitution.
