Approximately two years following its operationalisation, the Office of the Data Protection Commissioner (ODPC) has begun taking enforcement action against data controllers and data processors.

31 December 22

On 21 December 2022, the ODPC announced that it issued its first penalty notice under the Data Protection Act, 2019 (DPA) against Oppo Kenya, imposing a fine of KES 5 million (approximately USD 41,000), which is the highest penalty that can be imposed under the DPA. The penalty notice was preceded by an enforcement notice issued on 3 November through which the ODPC had directed Oppo Kenya to review some of its data handling practices following a complaint by a data subject whose photo was used on Oppo Kenya’s Instagram account without consent.

Under the DPA, using personal data for commercial purposes can only be done with the consent of the data subject. This includes the use of someone’s photograph for marketing purposes. Further, all data controllers and data processors are required to have in place a data protection policy. Through the enforcement notice, the ODPC provided Oppo Kenya with an opportunity to comply with the DPA. Oppo Kenya failed to do so and was fined as a result.

Earlier in October, the ODPC announced that it had issued Aga Khan University Hospital with an enforcement notice following a complaint by a data subject that a member of the hospital’s staff inappropriately contacted them. The ODPC directed Aga Khan Hospital to outline specific measures it would take to mitigate or eliminate the breach, and to establish structures for compliance which would be implemented in 30 days. In the same breath, the ODPC indicated that it would be auditing 40 digital credit providers, requesting them to provide information by a certain time. The basis for this audit was the fact that over half of the complaints admitted for hearing by the ODPC related to digital credit providers.

When announcing the penalty on Oppo Kenya, the ODPC provided an update in relation to Aga Khan Hospital and the audit exercise on digital credit providers. It indicated that Aga Khan Hospital had demonstrated compliance, and that the audit exercise was ongoing with 18 out of the 40 digital credit providers submitting the required information before the deadline.

What Does this Mean for Businesses Going Forward?
A survey on data protection compliance in Kenya conducted by EY Kenya in September 2022 revealed that a sizeable portion of businesses in the country are yet to fully comply with the DPA. A recurring theme in the survey was a lack of commitment by senior management to devote the necessary resources to enable compliance. Understandably, this hesitance may have been motivated by the lull in the implementation of the DPA following its enactment in 2019. However, this is changing rapidly. With the obligation to register with the ODPC having commenced in July 2022, and the ODPC having begun taking enforcement action, the risk of non-compliance is no longer remote. While the fines under the DPA are comparatively low on a global scale, businesses ought to be concerned about two main things: i) reputational risk; and (ii) the potential for civil liability far exceeding the maximum fines under the DPA.

The ODPC has yet to set a deadline for registration, and the rate of enforcement action is just gaining momentum. As a result, it is an opportune time for organisations to prioritise understanding their compliance obligations under the DPA and to put in place measures to ensure that they are compliant.

Should you have any questions regarding the information in this legal alert, please contact Sonal Tejpar and Wangui Kaniaru



Abdulmalik Sugow – Trainee Lawyer