There is an ongoing buzz on privacy violations related to personal data, particularly regarding photographs of data subjects taken at events. According to the General Data Protection Regulation, photographs of individuals taken at events are classified as personal data. The Data Protection Act, 2019 defines personal data as any information relating to an identified or identifiable natural person. Under the Kenyan Constitution, the legal right of personality is recognised and safeguarded under Articles 22, 28, 31 and 40, highlighting the rights to privacy, dignity, and property.

On Tuesday 26th September 2023, Casa Vera Lounge was fined KES 1,850,000 for posting a reveller’s image on their social media platform without seeking the data subject’s consent. On the same day, Roma School, Uthiru, was also fined KES 4,550,000 for posting minors’ pictures without parental consent.

In other cases where images of data subjects have been used without the required consent for commercial use, the claims have not only been on infringement of data protection regulations but also on image rights and copyright rights. In Wanjiru v. Machakos University (Petition E021 of 2021) [2022] the High Court in Machakos ruled that the publication or use of the petitioner’s images without her consent violated her right to privacy and human dignity and awarded her KES 700,000 as damages.

It was stated in Jessica Clarise Wanjiru v. Davinci Aesthetics & Reconstruction Centre & 2 Others that a person has a right to commercialise aspects of his personality, such as physical appearance, pictures or caricatures, signature, personal logos and slogans, and the right to prevent others from commercially using them.

A data subject also has the right to personality, meaning they can decide what photographs can be published after obtaining consent.

As an event organiser, it is crucial to take note of the following aspects when it comes to photography during an event as liability falls on the party that bares the economic risk in such cases:

1. Where will the photographs taken at this event be published?

Publishing can be done internally or externally. In most cases, internal publications are used by the event owner for record-keeping and should be limited to group photos where data subjects are not identifiable directly or indirectly meaning the resolution is low enough that even zooming cannot aid in identification. In this case, no consent is required.

For external publishing, consent ought to be obtained in advance as this would mean that the photos from the event would be on a public platform where a data subject is easily identifiable.

2.           Who is being photographed in this event?

Here are the issues of children’s data privacy as well as the reputation of data subjects. It is important for the data processor, in this case the photographer and/or event organiser, to conduct a Legitimate Interest Assessment (LIA). The LIA is an essential balancing test that would furnish the decision to publish the photograph in the public domain. Again, consent must be obtained, and the photographs should not damage the data subject’s reputation.

3.           Is it a public or private event?

In both situations, consent would be needed. However, for a public event, due to the complexity of obtaining consent for, say, over 1,000 participants, the decisive factor is whose interest prevails in the case of publication, which is often the data subjects. It would be crucial to think along these lines:

1. Persons in a group picture can be considered accessories as long as they are not the focus and they are not identifiable, therefore, consent would not be required. Such a strategy would be used to depict the impression of the event. Group photographs are less likely to invite conflict as compared to individually focused ones.
2. Data subjects should be aware of when a photograph is being taken of themselves, and they do have a right to object to the processing of their image, meaning they can object to having their image published on any platform or withdraw consent that may have been given prior.
3. Having Data Processing Agreements with the external photographers hired for the event and any other party that may have access to the data collected from the conception to the end of the same. 

What is consent?

This is direct and not implied assent or approval given by the data subject. Consent given by the data subjects should be:

1. Expressly given –  data subjects should not be coerced into giving the approval to have their data processed.
2. Specific –  must refer to the event and data being captured.
3. Informed –  this means that the permission granted by a data subject voluntarily to be photographed is with full knowledge of where, when, how, and for what purpose the image is being taken.
4. Unambiguous –  it must be simple to understand and without any grey areas.
5. Given by a clear affirmative action. 
6. Easy to withdraw (opt-out) –  the data subject has a right to reconsider their consent even if given. As a data processor, one must act immediately to objections by data subjects.

Persons giving consent must have the capacity, meaning children and persons with disabilities must have a next of kin to guide or represent them while giving consent. Inebriated persons may not have the mental capacity to consent, so it is important to utilise best practice rules when dealing with such data subjects.

The notices and disclaimers being published by clubs and lounges may not suffice, given that they do not give the data subjects the option to give or withdraw consent when it comes to protecting their data. The onus is on the data processor to establish a data subject’s consent to processing the personal data for the specified purpose. In the event of a data breach, the data processor must report this to the Office of the Data Privacy Commissioner within 72 hours of becoming aware. It is also key to consider registering as a data processor to ensure compliance with the relevant regulations.