Kenya Data Commissioner Makes First Enforcement Move

On 5th October 2022, the Office of the Data Protection Commissioner (“ODPC”) issued a public statement citing a raft of enforcement measures against 40 digital lenders and a leading healthcare provider. The move marks the first enforcement activity since the ODPC’s establishment. In this article, we consider the implications of the public notice issued by the ODPC.
Q: What is the Office of the Data Protection Commissioner?
A: An office set up under the Data Protection Act, 2019 (“the Act”) to regulate personal data processing in Kenya. The Data Commissioner heads the ODPC. Her powers include investigation of complaints made under the Act and imposition of fines.
Q: Why did the ODPC put the digital lenders on notice?
A: According to the notice, members of the public raised several complaints to the Data Commissioner regarding the lenders’ personal data processing practices. The notice did not specify the nature or bases of the complaints. However, we believe the complaints arise from the lenders’ use of data, especially during debt collection. An earlier article we penned on this issue sheds further light on this. Since publishing the article, we have received numerous complaints from borrowers centered on privacy-intrusive practices such as debt shaming, most of which we have referred to the ODPC.
Q: What is the procedure for handling complaints?
A: The Act and the Data Protection (Complaints Handling and Enforcement Procedures 2021) (“the Enforcement Regulations”) set out the procedure for handling complaints. In summary, upon receipt of a complaint, the Data Commissioner should notify the respondent of the complaint and require a response within twenty-one days. If the respondent fails to respond, the Data Commissioner may take appropriate enforcement measures. Apart from inviting the respondent to make submissions, the Data Commissioner has power to investigate the complaint. This includes the power to summon persons to produce documents or give submissions on the complaint. Once the investigation ends, the Data Commissioner must make a determination based on the findings. The determination options include issuance of enforcement and penalty notices, dismissal of the complaint, recommendation for prosecution or an order for compensation to the data subject.
Q: What enforcement action was proposed against digital lenders?
A: According to the notice, the ODPC shall conduct a preliminary documentary assessment and audit against 40 digital lenders listed in the notice. The Act does not define the term “preliminary documentary assessment and audit”. However, it gives the Data Commissioner the power to carry out periodical audits of the processes and systems of data controllers and processors to ensure compliance.
Q: What does a documentary assessment and audit entail?
A: Since the purpose of the audit is to determine the extent of compliance, the audit will most likely focus on the following aspects:
  • appropriateness of data protection policies in place
  • lawful bases for processing personal data
  • the extent to which automated data processing profiles borrowers and the extent of borrower protection in these instances
  • consent management: how and when lenders seek consent to process personal data
  • the extent of use of data protection impact assessments to comply with the Act
  • evidence of staff training on data protection
  • lender’s registration status
Notably, the ODPC did not issue any official guidelines or regulations on the conduct of preliminary documentary assessments and audits.
Q: If the outcome of the audit is negative, what are the likely consequences?
A: The enforcement powers of the regulator as per the Act and the Enforcement Regulations include the power to issue enforcement notices, penalty notices, administrative fines or make orders for compensation of the complainants.
Q: What is an enforcement notice?
A: Under section 58 of the Act, the Data Commissioner has power to issue an enforcement notice to any person that fails to comply with a provision of the Act. The notice may be issued by email, physical delivery or by post. In terms of content, enforcement notices must specify the provision of the Act contravened and the requisite compliance requirements. In addition, the notice must specify a compliance period of not less than twenty-one days. Finally, the notice must specify whether the person has any right to appeal.
Q: What rights does a person have upon being issued with enforcement notices?
A: A person served with an enforcement notice may apply for review of the notice in two instances. First, a review is possible on account of change of circumstances or where new facts have arisen. Additionally, a right to review arises if the failure outlined in the notice is curable without carrying out some of the requirements of the notice. Apart from review, a person has the right to appeal to the High Court against any decision arising out of the enforcement notice. Such an appeal must be filed within thirty (30) days of the date of service of the enforcement notice.
Q: What is a penalty notice?
A: Where a person fails to comply with an enforcement notice, the Data Commissioner has power to issue a penalty notice. A penalty notice obliges the respondent to pay the Data Commissioner the administrative fine specified in the notice. The notice specifies the reasons for imposition of the fine. In addition, it outlines payment modalities and the respondent’s right to appeal. The maximum amount leviable under the notice is Kes. 5,000,000/- or 1% of gross annual turnover, whichever is lower. In addition, a penalty notice may impose a daily fine of not more than ten thousand shillings for each breach identified until the breach is rectified.
Q: What enforcement action did the ODPC take against the healthcare provider?
A: According to the public statement, the ODPC issued an Enforcement Notice against the healthcare provider for breaching the Kenya Data Protection laws. In particular, the ODPC stated that a patient raised a complaint to the effect that after visiting the hospital, staff inappropriately contacted him/her. The ODPC ordered the healthcare provider to take certain specific actions to mitigate or eliminate the breach within 30 days.
Q: How will the complainants benefit from the enforcement measures?
A: Apart from the gratification of seeing justice being meted out against the privacy violators, the complainants may also receive compensation if the Data Commissioner so directs. If the Data Commissioner does not make compensation orders, the complainants still have the right to file lawsuits seeking compensation for any damage caused. Damage includes any financial loss or distress suffered as a result of the violations. The courts and the Data Commissioner have discretion to set the limits for compensation. In other words, the maximum monetary compensation for privacy violations is not defined in any law.
Conclusion
The recent enforcement action should act as a wake-up call for all organisations to prioritise data protection compliance. For any meaningful compliance to take place, organisations must do thorough self-assessments to determine to what extent people’s privacy is respected. Apart from that, the people and systems for processing data must be aligned to the data protection laws.
