The Office of the Data Protection Commissioner (ODPC) continues to exercise its enforcement mandate by taking action against data handlers in breach of the Data Protection Act, 2019 (DPA). Two companies, Whitepath Limited and Regus Kenya, are the latest entities to be issued with penalty notices on 11 April 2023 for breaching certain provisions of the DPA. The ODPC communicated that it had issued penalty notices imposing fines of KES 5 million (approx. USD 37,053) on each of these companies. This is the highest financial penalty under the DPA.

20 April 23

Whitepath, a mobile lending company, was fined on account of complaints from its customers alleging that the digital lender had accessed their mobile phone contacts without their consent. The company was accused of sending unwarranted and unsolicited text messages to the customer’s contacts. Further, the complainants (over 150 in number) alleged that Whitepath’s staff had also been harassing them and their contacts. Both these activities are in contravention of provisions of the DPA restricting the commercial use of personal data, and the principles of data protection.

In Regus’ case, the complainants alleged that the company had frequently spammed their inboxes despite numerous opt-out requests. Regus provides office spaces to let.

Aside from the fines imposed on Whitepath and Regus, the ODPC also issued an enforcement notice to Ecological Industries Limited for lack of cooperation with several ongoing complaints. The complaints arose from Ecological’s publishing of a data subject’s photo on its catalogue and calendar for marketing purposes without the data subject’s consent, offending the DPA’s provisions restricting the commercial use of personal data. An enforcement notice requires the data handler to take certain remedial steps, failing which a penalty will be imposed. In both Whitepath and Regus’ cases, enforcement notices were first issued. Whitepath did not comply, while Regus was uncooperative with the complaints process which gave rise to the enforcement notice. As a result, the ODPC issued penalty notices imposing administrative fines. Similarly, if Ecological fails to comply with the enforcement notice it has been issued with within the stipulated timeline, the ODPC may impose a similar administrative fine on it.

A Focus on Digital Money Lenders
The unscrupulous use of personal data by digital lenders (such as Whitepath), has been frequently publicised in the past few years and the outcry over the methods used by some of them to force repayment from their customers, led to the regulation of the digital lender industry in 2022.

The fine imposed by the ODPC on Whitepath recently indicates the ODPC’s commitment to ensuring adherence to data protection laws by players in the digital credit space. This trend is supported by the audit of digital lenders which the ODPC commenced in October 2022. It serves as a fair warning to others within the industry to prioritise their compliance obligations under the DPA and to put in place concrete measures to ensure that they are met.

The enforcement action taken against Whitepath, Regus, and Ecological points to the growing importance of data protection compliance in Kenya. The ODPC has shown itself to be receptive to complaints by data subjects, and its increasing proactivity in taking action indicates that the risk to data handlers is no longer as remote as it was when the DPA was first enacted. Businesses ought to be deliberate about their compliance with the DPA to avoid incurring steep penalties and severe reputational damage.

Should you have any questions regarding this alert do not hesitate to contact Sonal Tejpar or Wangui Kaniaru.