The penalties are as follows:

This is the third time that the ODPC has issued penalties for non-compliance with the DPA. The first penalty was imposed in December 2022 against Oppo Kenya for an alleged failure to comply with an enforcement notice that had been issued to it following the alleged unauthorised publication of a complainant’s picture on its Instagram account stories. The ODPC meted out the maximum possible penalty of KES 5 million (approximately USD 34,000 at the time of writing) for that infringement. This maximal approach to penalisation was most likely triggered by what the ODPC described as “neglect and/or default” in compliance on Oppo Kenya’s part and a refusal to “co-operate”. A similar maximal approach was taken against Whitepath Company Limited (a digital credit provider) and Regus Kenya (an office space services provider) when penalties of similar amounts were slapped on them in April 2023. The relevant statement from the ODPC alleged non-responsiveness and/or a lack of co-operation on the part of these two companies as well.

Notable non-compliance scenarios and related emerging penalty trends

The effects of a lack of co-operation by offending data controllers and data processors

It is notable that no mention of any outright lack of co-operation by Mulla Pride Limited, Casa Vera Lounge and Roma School has been made in the 2023 ODPC press release. The penalties imposed on them also fall below the maximum possible penalty under the DPA, suggesting that the degree of co-operation exhibited by an infringing data controller or data processor may be a mitigating factor in determining the quantum of penalties.

It is therefore critical for data controllers and data processors to be very responsive and co-operative when dealing with the ODPC. Having internal policies and procedures to guide staff or personnel on responsiveness protocols when responding to inquiries or requests from the ODPC would be useful. Further, the designation of a suitable, dedicated data protection officer to oversee the data controller or data processor’s engagement with the ODPC would also be likely to facilitate their degree of co-operation.

The implications of non-compliance where minors are involved

It should not escape the attention of business owners and operators of other relevant organisations that the penalty imposed on Roma School is markedly higher than that which was imposed on Casa Vera Lounge despite the fact that the form of infringement appears to be largely similar in these two cases. The distinguishing factor presumably comes from the fact that Roma School’s infringement involved minors while Casa Vera’s non-compliance does not appear to have done so.

It would appear that the ODPC’s approach is to assign a higher degree of gravity to incidents of non-compliance where the privacy rights of minors are involved. This approach is aligned with the law as the DPA places more restrictive requirements on the processing of any personal data relating to minors than it does on the processing of other types of personal data. The DPA prohibits the processing of personal data belonging to a child without consent from the parent or guardian of the child and requires any such processing to be carried out in a manner that protects and advances the rights and best interests of the child.

To this extent, it is imperative for business owners and operators of other relevant organisations to take extra precautions where there is a likelihood or possibility of processing of any personal data belonging to a child and to ensure that their internal policies offer clear guidelines on the compliance protocols for doing so.

Commercial use of images and photographs of data subjects

Notably, two of the three penalties set out in the 2023 ODPC press release relate to the unauthorised/unlawful publication of photographs of data subjects. This was also the case with Oppo Kenya’s infringement and the consequent penalisation by ODPC last year.

It is possible that this pattern serves as an indication of the gravity with which the ODPC regards infringements of the DPA in relation to images that constitute personal data. It could also indicate that complaints relating to the unauthorised use of personal data in the form of photographs are increasingly common, both generally and in the context of commercial activity. It should be noted that the commercial use of personal data is subject to a higher level of restriction under the DPA and as such the use of photographs of data subjects in this context rightly attracts tighter regulatory oversight.

Business owners and operators of other relevant organisations ought to have a clear policy or organisational guidelines on the processing/use of photographs of data subjects and should ensure that any such use is aligned with the requirements of the DPA, particularly where such photographs are used for commercial purposes.

Conclusion

The 2023 ODPC press release will no doubt incentivise business owners to work towards compliance with the DPA. In addition to penalties imposed by the ODPC, businesses and other organisations could also be liable for damages in civil proceedings arising from the infringement of rights of data subjects under the DPA as well as image rights under common law. Multiple penalties can also be imposed by the ODPC for various incidents of infringement by the same data controller or data processor. The financial consequences of non-compliance can therefore be quite significant even for large businesses or other operations.

As such, all businesses and other organisations generally would do well to manage their exposure to regulatory risk factors in this context by putting in place well thought-out compliance mechanisms. Registering with the ODPC, establishing documentary frameworks such as privacy policies and personal data retention schedules are mandatory minimums. Data controllers and data processors ought to consistently build up data protection compliant cultures within their businesses and organisations, including through conducting regular training for their staff and management on this subject, designating DPOs within their organisation and seeking support from legal and cyber security experts where the need arises.