The Complaints and Enforcement Regulations set out the procedure for lodging complaints with the Data Commissioner and for the issuance and management of enforcement, as well as penalty notices under the Data Protection Act, 2019 (the DPA).
The main objectives of the Complaints and Enforcement Regulations is to facilitate a fair, impartial, just, expeditious, proportionate, and affordable determination of complaints lodged with the Commissioner, as well as to provide a means through which enforcement notices and penalty notices can be issued.
Lodging a Complaint
Regulation 4 (1) of the Complaints and Enforcement Regulations state that, a data subject or any other person aggrieved on any matter under the DPA, may lodge a complaint with the Data Commissioner. Complaints may be made orally or through electronic or other means.
Regulation 4 (3) of the Complaints and Enforcement Regulations highlights that any person can lodge a complaint free of charge, including a person acting on behalf of the complainant or a person authorized by law to act on behalf of a complainant/data subject. Complaints may also be lodged anonymously. The Data Commissioner is mandated to keep an up-to-date register of all complaints lodged.
Under these Regulations, every complaint notice will clearly state that there are options available to resolve a complaint including determining the complaint through alternative dispute resolution mechanisms specified in the DPA and these Regulations.
Investigation of a complaint
The Data Commissioner is mandated to make an inquiry into complaints and to thoroughly investigate the same. In investigating a complaint, section 57 of the DPA notes that the Data Commissioner may:
- issue summons in Form DPC 4 set out in the Schedule requiring the attendance of any person at a specified date, time and place for examination;
- examine any person in relation to a complaint;
- administer an oath or affirmation on any person during the proceedings;
- require any person to produce any document or information from a person or institution; and
- on obtaining warrants from the court, enter into any establishment or premises and conduct a search and may seize any material relevant to the investigation.
The Data Commissioner is mandated to issue an investigation report and to conduct the investigative process in accordance with the Fair Administrative Action Act, 2015.
It should be noted however that not every complaint that is lodged with the Data Commissioner will be admitted and investigated. Regulation 6 of the Complaint and Enforcement Regulations states, upon receipt of a complaint, the Data Commissioner will make a preliminary finding on the admissibility of the complaint and whether the same lies within their jurisdiction. In certain cases, the OPDC may advise the complainant that the matter lies for determination before another body or institution. The ODPC may also refuse to admit a complaint where it does not raise any valid issues that are ripe for determination under the DPA.
Section 9 (1)(c) of the DPA highlights that the Data Commissioner has a duty to facilitate mediation, conciliation, or negotiation in accordance with the DPA, and to use “any other mechanisms” to resolve complaints. Where a complaint is declined, the complaint may be re-admitted within six months from the date of refusal/decline, where the complainant raises new issues for determination under the DPA. This particular provision is however unclear on what “any other mechanisms” would mean in the context of the resolution of a complaint.
Notification of complaints to respondents
Upon the admission of a complaint, the Data Commissioner is mandated to inform the respondent(s) of the complaint lodged against them in the prescribed form. The respondent must respond to the complaint within 21 days with a detailed reply setting out relevant evidence where necessary. If the Respondent does not take any action, the Data Commissioner has discretion to determine the complaint in accordance with the DPA and issue the enforcement notices or penalties where applicable.
Joinder of parties
If it becomes clear in the course of resolving a complaint that it is necessary that another party is enjoined in the same complaint the Data Commissioner has powers to issue orders for joinder of any such party.
Any person who has sufficient interest in the outcome of a complaint, may also apply to the Data Commissioner for leave to be enjoined as a party in the proceedings. The Complaints and Enforcement Regulations, however, do not provide for a test for what would constitute “sufficient interest” when parties seek or apply to be enjoined in proceedings. This provision could therefore be open to abuse by vexatious litigants.
Discontinuation and withdrawal of a complaint
Under Regulation 8 of the Complaints and Enforcement Regulations the Data Commissioner may discontinue an existing complaint where the complaint does not warrant further consideration or where a complainant refuses, fails or neglects to communicate without justifiable cause. A complaint may be withdrawn at any stage during its consideration but before a determination is made by the Data Commissioner. If a party wishes to re-lodge such a complaint, they may do so within six months from the date of withdrawal of such complaint after which the re-submitted complaint will be processed accordingly.
Complaints may be consolidated and jointly heard and determined with the parties’ consent. This process will apply to complaints procedures where two or more complaints are lodged in which similar issues are raised against the same respondent. If such an instance arises, the ODPC may consolidate the complaints and make a determination or treat one complaint as a “test” complaint and stay further action on the other complaints pending the resolution of the “test” complaint. The ODPC is at liberty to thereafter apply the determination made in the “test” complaint, to the rest of the stayed complaints.
Remedies for Complaints under the Regulations
Enforcement notice and penalty notices may be issued by the DPA as remedies following the determination of a complaint in the complainant’s favour. Penalties under a penalty notice are capped off at 5 million Kenya Shillings or 1% of annual turnover of the previous financial year whichever is lower. The penalty notice may also take the form of a daily fine of not more than 10,000 Kenya Shillings for each breach identified until the breach(es) is/are rectified. A party on whom an enforcement notice is served, may apply for review of the notice in the prescribed form or may appeal against the enforcement notice before the lapse of 30 days from the date of service of the notice. This appeal would be made before the High Court. A data subject/complainant may also be awarded compensation.
A complaint may however also be dismissed where it lacks merit or approved to proceed to prosecution where it is legally sound and meritorious. All decisions made by the Data Commissioner under the Complaints and Enforcement Regulations are final and binding and enforceable as orders of the court. Furthermore, the Complaints and Enforcement Regulations provide that any outcomes of negotiation, mediation or conciliation shall be deemed to be a determination of the Data Commissioner and shall be enforceable as such.