
LAW&TAX Kenya sets tone for privacy
• Office breaks ground with ruling on personal data disclosure

Dennis Gathara ENSafrica
In January 2023, the Office of the Data Protection Commissioner (DPC) delivered one of its first rulings under the Data Protection Act, 2019 since the commencement of its operations.





The complaint pitted the partners of a firm, Allen Waiyaki Gichuhi and Charles Wamae (the claimants), against two former employees, Florence Mathenge and Ambrose Waigwa (the respondents), for alleged breach of clients’ confidential information, including personal data.
The claimants alleged that for almost one year, while Mathenge was still working for the claimants, she leaked personal and sensitive personal data without authorisation from her employers to Waigwa, who at the time was no longer an employee at the firm.
The claimants provided a detailed list of the documents that had been leaked by Mathenge, including the dates, the email addresses where the documents were sent to and the names of the documents. The claimants alleged that this disclosure was contrary to the provisions of the act because the documents were the firm’s intellectual property and contained trade secrets that could not be disclosed without their authorisation.
The respondents, on their part, challenged the DPC’s jurisdiction to hear and determine the matter on the basis that the complaint related to the claimants’ intellectual property rights and not personal data. They also alleged that all the documents in question were public documents and, as such, could not be covered by the provisions of the act.
The respondents also challenged the jurisdiction of the DPC on grounds that similar suits were pending before the high court, the Directorate of Criminal Investigations (DCI) and the Law Society of Kenya (LSK) thus violating the principle of res judicata. The respondents also stated that the complainants’ firm had not been registered as a data controller or processor at the time they responded to the complaint. They alleged that, on this basis, the law could not be applied retrospectively. They urged the DPC to dismiss the complaint.
THIS RULING HAS MADE IT APPARENT THAT WHERE A REPRESENTATIVE IS APPOINTED, PROOF MUST BE PROVIDED TO THE DPC
The DPC, having considered the complaint and the response, came up with three issues for determination:
● Jurisdiction;
● Whether there was breach of the act; and
● Whether remedies were applicable under the act.
On the question of jurisdiction, the DPC found that it had jurisdiction to hear and determine the complaint since the matter in question involved the disclosure of personal data and sensitive personal data. It went on to state that questions of intellectual property were not within its jurisdiction since its mandate only extended to personal data as defined in the act. The DPC was also not persuaded by the respondents’ argument that the lack of registration as data controllers or data processors precluded the claimants from lodging a complaint with the DPC.


According to the DPC, registration and filing of complaints were mutually exclusive and the absence of registration did not bar anyone from filing a complaint with the DPC. The DPC also distinguished the proceedings before it and those before the high court, the DCI and the LSK, holding that each of these proceedings covered different issues under Kenyan law. There was therefore no conflict between the issues in the complaint and those before the other bodies.
On whether the respondents breached the provisions of the act, the DPC noted that while an extensive list of documents was provided in the complaint, most of the alleged documents were not provided for inspection to assist in the investigation and determination of the complaint. In some cases, it was further noted that even if the documents had been provided, they were part of documents that were readily available on various public resources and there was therefore no breach of the act.
In other cases, the persons affected by the disclosed documents were corporate persons who are not covered by the act since the definition of personal data only covers natural persons.
In instances where natural persons were affected, the DPC found that they were third parties to the proceedings and the claimant had not demonstrated that they had authorisation to act on behalf of those third parties. For the above reasons, the DPC found that the complaint was without merit and consequently dismissed it.
This decision, being one of the first delivered by the DPC, will form the foundation of data protection jurisprudence in Kenya.
It will act as a guide on how to frame and successfully litigate future complaints.