At the end of 2023, the Office of the Data Protection Commissioner (ODPC) adopted its guidelines on consent as a legal basis for processing personal data.
Consent and seven other legal bases
The ODPC’s guidelines recall the framework set out in the Data Protection Act (DPA), the national legislation on the protection of personal data adopted by Kenya on 11 November 2019. It contains eight main principles that cover those recognised by a majority of international bodies as essential principles of data protection: the right to privacy, the principles of lawfulness, fairness and transparency of processing, purpose limitation, minimisation and accuracy of data, retention limits, integrity and confidentiality, and accountability. One of Kenya’s specific features is the number of legal bases available to data controllers – eight. The wording of the text is also interesting: Section 30 states that “a controller shall not process personal data unless the data subject consents […] or the processing is necessary [for other legal bases]”. Consent therefore has a special place here, being clearly distinguished from the other legal bases.
Here again, despite the large number, we find in spirit the legal bases shared by a large proportion of the regulations considered to be the most protective, in particular the European General Data Protection Regulation (GDPR): the performance of a contract; compliance with a legal obligation; the protection of vital interests; the performance of a task carried out in the public interest or by a public authority, or the exercise, by any person in the public interest, of any other function of a public nature; a legitimate interest of the controller (to be balanced against the rights, freedoms and legitimate interests of the data subject); or the performance of historical, statistical, journalistic, literary, artistic or scientific research.
Very classic guidelines, in the spirit of those of the European EDPB
The ODPC’s guidelines, which are fairly short, point out that consent can only be an appropriate legal basis if the data subject has a genuine choice as to whether or not to accept the data processing, and that this choice must not entail any negative consequences for him or her. This point is also a condition of the free nature of consent.
Consent must also be given in an informed manner, in particular with the benefit of certain information listed by the ODPC: the identity of the controller and processors, the purposes of the processing, the processing carried out, and the right to withdraw consent.
With regard to the data controller's obligation to prove that consent has been obtained, the DPA does not specify the various ways in which this can be done. The ODPC recommends, for example, keeping a register of declarations of consent, which would contain the date on which consent was obtained and the list of information that was sent to the data subject at that time.
The fact that the data controller obtains consent in no way exempts him from his other obligations under the DPA. Finally, a separate consent must also be obtained if the purposes of the data processing change (the ODPC specifies that there is no such thing as “evolving” consent, even in the case of “compatible purposes”).
Consent is the poor relation of legal bases… and all the better for it!
It is often thought that consent is the alpha and omega of personal data processing, as evidenced by the wording of Section 30 of the Kenyan DPA mentioned above. In reality, however, consent is rarely used; other, more appropriate legal bases are preferred. In fact, with public interest missions, compliance with legal obligations and performance of a contract, we already cover a broad spectrum of personal data processing. Consent as a legal basis also carries with it a number of constraints, as outlined in the ODPC guidelines and Section 32 of the DPA: proof of consent must be preserved, it must be possible to manage its withdrawal, and it must be ensured that it is given freely, in an informed and specific manner. We therefore believe that other legal bases would be easier to mobilise. Lastly, the ODPC’s guidelines are part of a relatively traditional and protective framework, and so Kenya is part of the chorus of nations that protect their citizens’ personal data.
By Thomas HONNET, Data Protection Officer & Teacher.