CONSENT IN DATA PROTECTION

THE LEGAL BASIS OF DATA PROCESSING

In September 2023, the Office of the Data Protection Commissioner (ODPC)
caused a media frenzy when it issued three penalty notices totalling Kshs.
9,375,000 to three companies deemed to be data controllers: Mulla Pride
Limited (digital lending), Casa Vera Lounge (entertainment) and Roma School
(education), for failing to observe data privacy rights.
The complaints made against these companies were, respectively: using
personal data obtained from third parties to send unwarranted threatening
messages and phone calls; posting photos of patrons for commercial or
marketing purposes without their consent; and posting photos of minors for
commercial or marketing purposes without the consent of a parent or guardian.
The 26th September 2023 penalty notices were a wake-up call for Kenyans on
the existence of the Data Protection Act, which was enacted in 2019.
Let’s discuss the salient aspects of data protection law.

Data controller
A data controller is defined as a natural or legal person who has authority to
determine the means and purposes of processing the data subject’s personal
data; while a data processor is defined as a person who processes the
data subject’s personal data on behalf of the data controller. Where a data
processor processes personal data other than what was instructed by the
data controller, the data processor will be considered to be a data controller in
respect of that processing activity.
Where personal data is intended for commercial, marketing or promotional
purposes, data controllers and data processors must seek and expressly obtain
the consent of the users of their services, clients, customers and employees.
This applies in every context in which such data is collected: websites,
applications (apps), events, concerts, clubs, hotels, educational
institutions, workplaces, churches and other organisations.

Individuals using these services have the right to be informed of the
intended use of the personal data collected from them, the freedom to
withdraw consent, and the right to object to the processing of their personal
data at any time. This is anchored in Article 31(c) and (d) of the
Constitution of Kenya, 2010, which lays down the basis for the Data
Protection Act, 2019. It provides that every person has the right to privacy,
which includes the right not to have information relating to their family or
private affairs unnecessarily required or revealed, or the privacy of their
communications infringed. Section 37 of the Data Protection Act, 2019 further
prohibits the use of personal data for commercial purposes unless:
a) the person has sought and obtained the express consent of the data
subject; or
b) the person is authorised to do so under any written law and the data
subject was informed of such use when the data was collected.
The data controller or data processor that uses personal data for commercial
purposes is also required, where possible, to anonymise the data in such a
manner as to ensure that the data subject is no longer identifiable.

What about minors?
In relation to consent and the marketing of persons under 18 years, Section
33 of the Data Protection Act, 2019 provides that a data controller or data
processor shall not process personal data relating to a child unless consent
is given by the child's parent or guardian, and the data is processed in a
manner that protects and advances the rights and best interests of the child.

Statutory Framework
Some of you may be wondering when the Legislature enacted the Data
Protection Act, how long the Act has existed, and what the legal terms
referred to above mean.
Data protection in Kenya is regulated by the Constitution of Kenya, 2010; the
Data Protection Act, 2019, which came into force on 25th November 2019; the
Data Protection (Civil Registration) Regulations, 2020; the Data Protection
(General) Regulations, 2021; the Data Protection (Compliance and
Enforcement) Regulations, 2021; and the Data Protection (Registration of Data
Controllers and Data Processors) Regulations, 2021.

So, what is data?
Data is defined as information that is processed, or recorded with the
intention that it be processed, by means of equipment operating automatically
in response to instructions given for that purpose.

The different types of data include:
a) Personal data is defined as information relating to an identified or
identifiable natural person, e.g. full name, ID number, passport number,
phone number, bank account number, email address, photo, social media handle
or house address.
b) Sensitive personal data means data revealing the natural person’s race,
health status, ethnic social origin, conscience, belief, genetic data, biometric
data, property details, marital status, family details including names of the
person’s children, parents, spouse or spouses, sex or the sexual orientation of
the data subject.

Data processing, on the other hand, is defined as any operation or set of
operations performed on personal data or on sets of personal data, whether or
not by automated means, such as:
a) collection, recording, organisation, structuring;
b) storage, adaptation or alteration;
c) retrieval, consultation or use;
d) disclosure by transmission, dissemination, or otherwise making available;
or
e) alignment or combination, restriction, erasure or destruction.

Stakeholders of Data Processing
The stakeholders of data processing are the:

1. Data Subject – This is the identified or identifiable natural person to
whom the personal data relates. The rights of a data subject are provided in
Section 26 of the Data Protection Act, 2019.
2. Data Controller – This is a person (natural or legal), public authority,
agency or other body that determines whether to collect data from the data
subject, the purpose of processing the data (an explicit, specified and
legitimate purpose), how the data is to be processed and the means of
processing the personal data.
3. Data Processor – This is a person (natural or legal), public authority,
agency or other body that does the actual processing of the data on behalf
of the data controller. A data processor may be a third party that has no
direct relationship with the data subject.
4. Third Party – This is a person (natural or legal), public authority,
agency or other body other than the data subject, the data controller, the
data processor, or persons who, under the direct authority of the data
controller or data processor, are authorised to process personal data.

Data Processing and Consent
Consent is the principal legal basis for data processing. (Section 30 of the
Act also recognises processing that is necessary for a contract, a legal
obligation, the vital interests of the data subject, a public interest or
task, or a legitimate interest; this article focuses on consent.)

The Data Protection Act does not prescribe how consent is to be sought from
the data subject. The elements of a valid consent are, however, set out in
the definition of consent in Section 2 of the Act:
a) it is expressly obtained from the data subject; and
b) it is an unequivocal, free, specific and informed indication of the data
subject's wishes, given by a statement or by a clear affirmative action,
signifying agreement to the processing of their personal data.

The burden of proving consent lies on the data controller or data processor,
who must show that they obtained the data subject's consent to the processing
of their personal data for an explicit, specified and legitimate purpose.
Because consent must be freely given, the Act also provides that the data
subject may withdraw consent at any time. The data subject may likewise
object to the processing at any time, whereupon the data controller's or data
processor's legal basis for the processing is lost unless they demonstrate a
compelling legitimate interest for the processing that overrides the data
subject's interests.

Transfer of Data outside Kenya
Consent from the data subject is also relevant to cross-border or
international transfers of personal data. Personal data may not be
transferred outside Kenya unless the data controller or data processor has
given proof to the Office of the Data Protection Commissioner of the
appropriate safeguards for the security and protection of the personal data,
and the Commissioner has approved the transfer, or the data subject has
consented to the transfer after being informed of its possible risks.
Following the implementation of the Data Protection Act, sections of the
international community, including the World Bank, have requested Kenya to
revoke provisions that require multinational companies such as Google, Meta
(Facebook's parent company), Tools for Humanity (Worldcoin's parent
company), TikTok, Netflix and Microsoft to store personal data on servers
located within Kenya rather than abroad. The global lender says such
restrictions will hinder cross-border trade in digital services and undermine
Kenya's digital economy, and that the safeguards required for obtaining the
consent of the data subject are too stringent. It remains to be seen what
action, if any, the ODPC will take on this issue.


Authors:
SylviaJoy Moige Mong’are
Emmanuel Ndirangu

28th February, 2024
