Kenya delivers ground-breaking ruling on unauthorised disclosure of personal data
In January 2023, the Office of the Data Protection Commissioner (“DPC”) delivered one of its first rulings under the Data Protection Act, 2019 (the “Act”) since the commencement of its operations. The complaint pitted the partners of a firm, Allen Waiyaki Gichuhi and Charles Wamae (the “claimants”) against two of their former employees, Ms Florence Mathenge and Mr Ambrose Waigwa (the “respondents”) for alleged breach of clients’ confidential information, including personal data.
The claimants alleged that for almost one year, while Ms Mathenge was still working for the claimants, she leaked personal and sensitive personal data without authorisation from her employers to Mr Waigwa, who at the time was no longer an employee at the firm.
The claimants provided a detailed list of the documents that had been leaked by Ms Mathenge including the dates, the email addresses where the documents were sent to and the names of the documents. The claimants alleged that this disclosure was contrary to the provisions of the Act because the documents were the firm’s intellectual property and contained trade secrets that could not be disclosed without their authorisation.
The respondents, on their part, challenged the DPC’s jurisdiction to hear and determine the matter on the basis that the complaint related to the claimants’ intellectual property rights and not personal data. They also alleged that all the documents in question were public documents and, as such, could not be covered by the provisions of the Act.
The respondents also challenged the jurisdiction of the DPC on grounds that similar suits were pending before the High Court, the Directorate of Criminal Investigations (“DCI”) and the Law Society of Kenya (“LSK”) thus violating the principle of res judicata. The respondents also stated that the complainants’ firm had not been registered as a data controller or processor at the time they responded to the complaint. They alleged that, on this basis, the law could not be applied retrospectively. They urged the DPC to dismiss the complaint.
The DPC, having considered the complaint and the response, came up with three issues for determination:
- whether there was breach of the Act; and
- whether any remedies were applicable under the Act.
On the question of jurisdiction, the DPC found that it had jurisdiction to hear and determine the complaint since the matter in question involved the disclosure of personal data and sensitive personal data. It went on to state that questions of intellectual property were not within the its jurisdiction since its mandate only extended to personal data as defined in the Act. The DPC was also not persuaded by the respondent’s argument that the lack of registration as data controllers or data processors precluded the claimants from lodging a complaint with the DPC.
According to the DPC, registration and filing of complaints were mutually exclusive and the absence of registration did not bar anyone from filing a complaint with the DPC. The DPC also distinguished the proceedings before it and those before the High Court, the DCI and the LSK, holding that each of these proceedings covered different issues under Kenyan law. There was therefore no conflict between the issues in the complaint and those before the other bodies.
On whether the respondents breached the provisions of the Act, the DPC noted that while an extensive list of documents was provided in the complaint, most of the alleged documents were not provided for inspection to assist in the investigation and determination of the complaint. In some cases, it was further noted that even if the documents had been provided, they were part of documents that were readily available on various public resources and there was therefore no breach of the Act.
In other cases, the persons affected by the disclosed documents were corporate persons who are not covered by the Act since the definition of personal data only covers natural persons. In instances where natural persons were affected, the DPC found that they were third parties to the proceedings and the claimant had not demonstrated that they had authorisation to act on behalf of those third parties. For the above reasons, the DPC found that the complaint was without merit and consequently dismissed it.
This decision, being one of the first delivered by the DPC, will form the foundation of data protection jurisprudence in Kenya. It will act as a guide on how to frame and successfully litigate future complaints. It is apparent that making an allegation is not enough. Rather, it must be accompanied by evidence demonstrating the actual breach. The DPC has also emphasised that the Act only applies to natural persons meaning legal persons are excluded.
While the Act authorises data subjects to exercise their rights directly or through an appointed representative, this ruling has made it apparent that where a representative is appointed, proof must be provided to the DPC.
Finally, the principles of public records have been discussed at great length in this ruling and future litigants will need to ensure that the personal data in question is not part of the public record.
Reviewed by Mahesh Acharya an Executive at the ENSafrica Kenya office
- Digital lending and providing now regulated in Kenya
- ENSafrica Kenya and its practitioners given top rankings in the 2022 Legal 500