Kenya: personal data protection authority fines three organisations a total of around €55,000

The processing of personal data, whatever its nature, must have a legal basis. This is precisely what the Kenyan Office of the Data Protection Commissioner (hereinafter “the ODPC”) found three Kenyan establishments had failed to ensure. In decisions no. 0778, no. 0607 and no. 0841 of September 2023, it imposed three record penalties totalling 9,375,000 Kenya Shillings (KES), or approximately 55,000 euros.

The first penalty, of KES 2,975,000, was imposed on an online credit institution. It followed two separate complaints lodged with the ODPC on 11 and 30 May 2023. The complainants accused the credit institution of having contacted them through messages and telephone calls without their consent. These calls and messages were accompanied by threats in one case and insults in the other. In reality, these people had been contacted several times by the online credit institution about debts that they had not personally contracted; the debts had been taken out by people close to them. According to the credit institution’s modus operandi, the subscriber is asked to designate a contact person when taking out the loan and to give the credit institution access to his or her telephone directory via a mobile application. In the event of default, the credit institution then contacts the contact person in order to put pressure on the borrower. The credit institution has admitted these facts.

The second penalty, amounting to KES 1,850,000, was imposed on a restaurant-bar. It followed the publication of images of the establishment’s customers on social networks without their consent.

Finally, the third penalty is the most severe: the fine amounts to KES 4,550,000. This case involved a school that had published photos of minors for marketing purposes on its social networks, in particular TikTok, without the express consent of the parents. The ODPC received a complaint from the parent of a pupil to whom the school had refused to disclose the legal basis for the processing. Following its investigation, the facts that the school had denied were established.

These are in fact unprecedented sanctions. In its press release, the ODPC stated that it wanted these sanctions to send a strong message to online credit institutions, restaurants and bars, and educational establishments, most of which process data on minors. It also pointed out that this is the first time that an educational establishment has been sanctioned so severely.

The ODPC found all three establishments in breach of Kenyan data protection legislation on several counts. The breach common to all the decisions is the failure to obtain the consent of data subjects before processing their data, observed in both direct and indirect data collection. Without consent, there is no legal basis for the processing, and the absence of a legal basis in turn entails non-compliance with the data controller’s obligations under Kenyan law.

In short, several articles of the law were disregarded. The main focus should be on the violation of articles 26, 30 and 33, the last of which relates to the processing of data on minors. It is important to remember that the point of convergence of the decisions is the lack of a legal basis for data processing, including the processing of data on minors. It should also be remembered that Kenya, through the ODPC, has made compliance with the Data Protection Act a priority. This priority is reflected in the increased number of checks, the handling of complaints and the penalties imposed on all entities subject to the 2019 Act.

According to Article 4 of the Act, all entities established on Kenyan territory that process data are subject to all the principles relating to data processing. Due to the nature of their activities and their geographical location, the three establishments in this case are subject to Kenyan legislation. They each process data such as telephone contacts, names and images of adults and minors, while being established on Kenyan territory.

Under the mechanisms put in place by law, no data may be processed without a legal basis. These are requirements established to ensure compliance with the principles of lawfulness and legitimacy of processing.

Moreover, by virtue of these principles, any data processing carried out must not be unlawful and must meet the requirements laid down by law. In this respect, Kenyan law provides several legal bases on which the data controller may base his processing, as do most national data protection laws.

These legal bases are not cumulative. Some authors rightly refer to them as hypotheses (1). Others make consent the legal basis of principle and treat the other legal bases as exceptions (2). Setting aside this divergence, some authors have chosen to align themselves with the position of the Article 29 Working Party (G29), which considers all legal bases to be equivalent (3). Kenyan law seems to give consent pride of place.

To this end, Article 2 defines consent as “any manifestation of the data subject’s express, unequivocal, free, specific and informed wishes expressed by a statement or clear affirmative action signifying his or her agreement to personal data relating to him or her being processed” (4). It is consent as defined that forms the basis of the three recent ODPC decisions.

In the first case, the individuals concerned received no information about the credit institution’s practices. The credit institution nevertheless had access to their contact details via the mobile application installed by the debtors. In its argument, the credit institution claimed that it had obtained the debtors’ consent to access their telephone directories. However, could the initial consent obtained from the debtors be extended to the individuals concerned? Is this initial consent valid for subsequent processing of those data subjects’ data? The law requires consent to be personal, specific and clear.

Furthermore, it emerged from the controller’s arguments that the institution’s employees had exceeded their powers. The credit institution acknowledged that some of its employees had used intimidation to achieve their ends. Faced with this situation, it claims to have apologised for these excesses. However, could repentance and apologies prevent the full force of the law from being applied?

In the second case, customers’ images were collected and broadcast after they had visited the restaurant-bar. However, these customers in no way gave their consent for their images to be collected, let alone broadcast on social networks. In itself, could the mere presence of customers in the restaurant-bar constitute consent to the use of their images on social networks? The law states that consent cannot be tacit. Rather, it must be clear and express.

In the third situation, the controller initially resisted. In its arguments, it had denied the facts of which it was accused by the parent. It was only after investigations by the ODPC that it finally admitted the facts. However, it stated that it had informed the parents via a message posted on a discussion group.

So does the simple act of providing information constitute a legal basis for processing? Especially as the form of the information measure is highly questionable. The information measure, as provided for by law, must contain certain information: the purpose of the processing, the legal basis for the processing and the various rights of the data subject in relation to the processing in question. The collective information provided by the data controller to the discussion group did not comply with the requirements of the law. However, the ODPC’s main concern was the lack of parental consent. The authority deplores the fact that the parents were not given the opportunity to consent to the processing of their minor children’s data, as required by article 33 of the law. In the ODPC’s view, this constitutes an even more serious breach, as it removes the legal basis for such processing.

In all cases, the ODPC has imposed sanctions on the various data controllers for lack of a legal basis for the processing. By imposing these sanctions, the ODPC wanted to send a strong message to establishments called upon to process data subject to Kenyan law. The purpose of this message was to remind them that data protection is not a trend or an option. Rather, it is an obligation for everyone.

By Franck ADOPO, PhD Student in digital law and data protection.

Sources:

[1] Jacquemin H, Degrave E, eds. Le Règlement Général Sur La Protection Des Données (R.G.P.D./G.D.P.R.): Premières Applications et Analyse Sectorielle. Anthemis; 2020, p.25.

[2] Lo M. La protection des données à caractère personnel en Afrique: réglementation et régulation. Baol éditions; 2017, p.103.

[3] Tambou O, López Aguilar JF. Manuel de droit européen de la protection des données à caractère personnel. Bruylant; 2020, p.130.

[4] The Data Protection Act, 2019, article 2 (translated).