Since the coming into operation of the Data Protection Act (the DPA) on 25th November 2019, and the promulgation of various subsidiary regulations thereunder, effect continues to be given to the provisions of Articles 31 (c) and (d) of the Constitution of Kenya, 2010. In particular, the DPA establishes the Office of the Data Protection Commissioner (the ODPC), provides for the processing of personal data, and sets out the rights of data subjects as well as the obligations of data processors and data controllers.
The ODPC’s mandate requires it to protect the privacy of individuals and to oversee the enforcement of the DPA. Part of this mandate requires the ODPC to receive and investigate any complaint on infringement of privacy rights under the DPA. This article discusses recent decisions by the ODPC and a Judgement by the High Court (Chigiti, J) relating to the ODPC’s mandate, with a focus on some key considerations when filing or defending a complaint relating to unauthorised disclosure of personal or sensitive data.
Background
On 21st July 2022, the law firm of Wamae & Allen Advocates (the Complainants) filed a complaint with the ODPC against the firm’s former employees (the Respondents) in Complaint No. 677 of 2022 Allen Waiyaki Gichuhi and Charles Wambugu Wamae v Florence Mathenge and Ambrose Waigwa (the Complaint).
The Complainants alleged that, while under the employment of the law firm, the 1st Respondent unlawfully disclosed personal and sensitive data pertaining to the law firm’s clients to the 2nd Respondent, who had left the firm at the time of the disclosure. The Complainants alleged that the disclosure was done without their consent or that of their clients. Upon investigating the Complaint, the ODPC, vide a determination dated 6th January 2023 (the First ODPC Determination), dismissed the Complaint.
Dissatisfied with the First ODPC Determination, the Complainants moved to the High Court through an application for judicial review seeking, amongst other things, to quash or set aside the First ODPC Determination.
The High Court, in holding inter alia that the ODPC had not determined the Complaint within the timelines set under the DPA, set aside the First ODPC Determination and issued an Order remitting the matter back to the ODPC to readmit the Complaint for a fresh determination within new timelines (the High Court Judgment). However, upon readmission and fresh consideration of the Complaint, the ODPC once again dismissed the Complaint (the Second ODPC Determination) on grounds similar to the First ODPC Determination.
Key Considerations
In the course of its determination, the ODPC and the High Court considered the following key issues that are worthy of note:
Jurisdiction and Timelines
The Respondents, in opposing the Complaint, challenged the ODPC’s jurisdiction to investigate the Complaint, where they argued that – a) the law firm was not registered as a data controller or data processor at the time of filing the Complaint; and b) there were other ongoing legal proceedings between the parties before various other forums, including the High Court, the Advocates Disciplinary Tribunal and the Directorate of Criminal Investigations.
The ODPC held that the DPA mandated it to be responsible for the enforcement of data protection, including receiving and investigating complaints relating to the unlawful disclosure of personal and sensitive personal data. As such, receiving and determining the Complaint was well within the scope of the ODPC’s functions. Furthermore, the ODPC observed that – a) the law firm’s registration status did not preclude the ODPC from handling the Complaint; and b) the existence of other legal proceedings did not prevent the ODPC from handling the Complaint. The ODPC also held that its jurisdiction did not extend to the protection of intellectual property rights.
At the High Court, it was the Complainants’ turn to contend that the ODPC had no jurisdiction – never mind that they were the initiators of the Complaint, arguing that while section 56 (5) of the DPA prescribes that a complaint should be investigated and determined within ninety (90) days, the First ODPC Determination was delivered six (6) months after the Complaint was filed, well outside the prescribed timelines. Despite attributing the delay to the Complainants’ conduct during the investigations, the High Court concurred with the Complainants that the First ODPC Determination was time-barred. As a result, the High Court determined that the ODPC’s jurisdiction to handle complaints was strictly time-bound, and once the prescribed ninety (90) days had lapsed, its jurisdiction was extinguished. As such, the Court held that the First ODPC Determination was rendered without jurisdiction and therefore lacked any force of law.
Locus Standi
One of the key issues to be determined was the question of whether the Complainants had locus standi i.e., the legal right or capacity, to bring a claim for breach of privacy and data protection rights on their own behalf and on behalf of their clients. In addressing this issue, the ODPC interpreted the scope of the DPA and noted that the law aims to protect the personal data of an identified or identifiable natural person. Further, the DPA defines a data subject as an identified or identifiable natural person who is the subject of personal data. As such, the DPA exclusively protects the privacy rights of natural persons and consequently, it is only natural persons who have the legal capacity to institute claims for breach of their data protection rights. The ODPC also drew a distinction between legal and juristic persons, who are neither considered as data subjects nor do they hold personal data, as per the definition provided. In the circumstances, the ODPC held that legal persons lack the right or capacity to bring a claim under the DPA.
Following this, the ODPC determined that the Complainants were excluded from filing a claim for breach of their data protection rights since – a) they had not demonstrated how their own data – personal or sensitive – had been disclosed; and b) the documents produced by the Complainants belonged to their clients, most of whom were legal and not natural persons. This position was affirmed by the High Court, which held that the DPA only applies to data subjects, who are defined as “identified or identifiable natural persons”. As such, it is important to note that corporate persons and other legal entities do not fall under the category of data subjects and therefore they cannot file complaints with the ODPC.
Breach of the DPA
The DPA prohibits the processing of personal data without consent or a lawful reason and purpose. An offence has been imposed under section 72 of the DPA for unauthorised disclosure from a data controller or processor without prior lawful purpose, consent or in a manner contrary to the principles of data protection. To that end, the ODPC considered whether there was any unlawful disclosure of personal and sensitive data, with a view to investigating whether there was an actual breach of the DPA.
As discussed above, the right to privacy is exclusive to natural persons. In this regard, the ODPC noted that most of the documents cited by the Complainants were not availed to the ODPC to determine the nature of the information disclosed. Further, the ODPC also noted that most of the Complainants’ clients were legal persons, and without examining the documents cited, it was impossible to ascertain whether the disclosure of the documents related to personal or sensitive data. Consequently, the ODPC could not ascertain whether or not there had been any breach as alleged.
In addition, the ODPC further observed that most of the documents provided related to cases that were either publicly available on various websites, including Kenya Law Reports website, the Complainants’ law firm’s website, or were deemed to be public records. Therefore, the ODPC held that no personal or sensitive data had been unlawfully disclosed and consequently, there had been no breach of personal data.
Under section 43 of the DPA, as read together with regulation 37 (1) and the Second Schedule of the Data Protection (General) Regulations, 2021, data controllers and data processors are required to notify their data subjects and the ODPC where there has been unauthorised access of a data subject’s personal data. However, whereas the Complainants lodged a complaint for unauthorised access, the ODPC noted, in the Second ODPC Determination, that they had neither informed their clients nor the ODPC of the alleged data breach as required under the DPA.
Takeaway
In exercising its enforcement mandate, the ODPC, as the statutory body tasked with protecting the right to privacy, continues to develop jurisprudence on this area of law. Further, as its decisions are subject to judicial review and/or appeal, the High Court also has an opportunity to determine the soundness of ODPC’s decisions, when moved by an aggrieved party, which will serve to further enrich the jurisprudence in the field of data protection. It will therefore be interesting to see what the High Court, the Court of Appeal and possibly the Supreme Court, make of the decisions emanating from the ODPC.
For now, one of the key takeaways to be appreciated from the decisions under review is that only natural persons identified as “data subjects” under the DPA are afforded protection of their privacy rights. Consequently, only such natural persons have the capacity to present and sustain a claim for breach of their privacy rights under the DPA. This was particularly upheld in the Second ODPC Determination, which emphasised the importance of ensuring that only natural persons with the requisite capacity and necessary authority may exercise the rights provided under the DPA.
Another takeaway is that determinations of the ODPC rendered beyond the ninety (90) day period are ultra vires, falling outside the jurisdictional timeline of the ODPC’s investigative mandate, and hence ripe for quashing. As such, the ODPC must henceforth strictly abide by the timelines imposed under the DPA or risk having its decisions set aside by the High Court.