Unauthorised marketing, consent violations top ODPC 2024 Determinations report

The Office of the Data Protection Commissioner (ODPC) 2024 Determinations analysis report is illuminating, but what is even more surprising is my case, Anne Ndung’u vs Zumaradi Capital & Credit Group Ltd, which I wrote about here on Vellum. It is cited as an example of an Alternative Dispute Resolution (ADR) case, but I am not sure I would categorise it as one, as explained in the article.
However, several determinations are of interest to businesses. In the determination of Kevin Kiprotich Rono Vs. SBM Bank Kenya, a client requested the bank to cease processing his data. The bank did not stop sending him information even after he made his request, and SBM was therefore found liable. This highlights the importance of banks and other financial institutions ensuring that all their systems are properly updated.
In the case of Eric Kariuki Vs. Ceres Tech Limited t/a Lemon Cash, the complainant received a barrage of calls, so numerous that he had to switch off his phone, but was unable to establish that they were regarding the payment of a loan he had not taken. The ODPC therefore dismissed the case, even though the respondent was uncooperative, denying investigators access to its systems to verify that the calls were from Lemon Cash.
In a similar case, Victor Owino Vs. Mhasibu Housing Company Ltd, the complainant was bombarded with marketing information through calls and texts after finalising a transaction involving the Sacco. Even though the ODPC could not determine that the Sacco shared Owino’s information, it awarded him Ksh.650,000.
The tech industry was not spared either. In the case of Kennedy Wainaina Mbugua Vs. Bolt Operations OU and Bolt Support Kenya Limited, the claimant was awarded Ksh.500,000 for disclosure of his information that led to fraudulent activities. The case highlights the duty of care, which companies must exercise to protect the information they handle.
Additionally, in the Caroline Wanjiru Kang’ethe Vs. Circus 254 ℅ Sarakasi Trust case, the complainant was awarded Kshs.500,000 after attending an event and being photographed in a demarcated photography and videography zone. Her photograph was then used on the respondent’s social media platforms (Facebook and Instagram) for promotional purposes without her consent. This case highlights that explicit consent must be obtained from the person depicted in any imagery used in advertising.
The report is structured in a way that highlights determinations by sector so that each industry is aware of the risks it runs in data privacy matters and data processing. Around 47% of determinations led to awards for damages ranging from Ksh.25,000 to Ksh.1.2 million. So, as a business, ignore data privacy matters at your peril.
Employees must be properly trained and systems properly set up to avoid hefty penalties. The report cites an analysis that shows a non-compliance rate of 80% for data protection regulations. 2024 had a total of 34 determinations, but as the public becomes more aware, there are likely to be more complaints and determinations in the coming years, increasing compliance across the board.