By John Walubengo
The recent penalties slapped on three entities by the Office of the Data Protection Commission (ODPC) serve as a wake-up call to the realities of the Kenyan Data Protection Act (2019), enacted more than three years ago.
Whereas this is not the first time that ODPC has sanctioned entities mishandling personal data, it is the first time we are seeing significant fees being imposed and institutions coming under scrutiny for data privacy violations.
A regular primary school was found to have posted children’s photos without parental consent and was slapped with a Ksh 4.5 million fine.
Another entity, an entertainment club, was fined Ksh 1.8 million for posting a reveller’s picture without consent.
Finally, a mobile money lender was fined Ksh 2.9 million for accessing third-party contacts from a defaulting borrower’s phone and sending them threatening messages.
A school, a club, and a mobile money lender. These are fairly grass-roots entities that regular Kenyans interact with on a day-to-day basis.
The fact that they have been fined implies that the data privacy conversation is no longer as abstract or theoretical as many entities would want to imagine.
Many analysts have dissected the ODPC ruling with diverse opinions. Some have argued that the fines are too punitive and uncalled for, while others have hailed the decision as being timely and long overdue.
Those against the decision
Those against the decision argue that it may have a chilling effect on businesses and trigger frivolous complaints and accusations against personal data handlers engaging in routine business operations such as marketing and loan recoveries, amongst others.
Others felt that the legal provisions surrounding consent from customers, or data subjects as they are known in law, are too stringent and hamper business development.
The law expects that consent to process personal data from customers must be informed, explicit and demonstrable – in terms of curating and proving to the ODPC that you indeed have the consent.
This means that ‘implied’ consent from customers is not legally valid consent. In other words, putting a general notice in your entertainment club that ‘if you walk into our club, you consent to our use of your data’ is not sufficient consent from revellers and is, in fact, legally null and void.
Some dissenting voices have also questioned the size of the penalties, arguing that the penalties charged for privacy violations should perhaps take into consideration the possibility of the business enterprise shutting down upon payment of the same.
Those for the decisions
The pundits supporting the ODPC decisions argue that the law has been in place for more than three years and it is about time some misbehaving entities began to feel the full force of the law.
Whereas there should have been some grace period for personal data handlers to get familiar with the expectations of the data protection law, that time was not provided for in the law, which became effective three years ago upon Presidential assent.
If anything, the ODPC has been too lenient, preferring the carrot rather than the stick approach to regulating the data sector. However, at some point, the stick has to come out to rein in the errant data handlers.
Those who support the recent rulings and sanctions believe that that point arrived and passed a while back.
It is time for personal data handlers to wake up, smell the coffee and start implementing data privacy programs within their corporates.