- October 12, 2023
Accept all cookies?: Compliance and Enforcement Mechanisms under the Data Protection Act, 2019
Bruce Schneir, an American privacy specialist and computer security professional, famously stated that “data is the pollution problem of the information age and protecting privacy is the environmental challenge”. In Kenya, the Data Protection Act, 2019 (the Act) provides an elaborate regime for dealing with the “environmental challenge” that is protection of data through inter alia the establishment of the Office of the Data Protection Commissioner (ODPC), which is primarily tasked with overseeing implementation of the Act and comprises of the Data Protection Commissioner (DPC) and other staff appointed by the DPC.
To this end, the ODPC has, in conjunction with the Cabinet Secretary for matters relating to information communications and technology, promulgated the Data Protection (Compliance and Enforcement) Regulations, 2021 (the Regulations), which will come into effect on 14th July 2022.
In this article, we set out an overview of the compliance and complaint handling mechanisms under the Act and the Regulations, and we also highlight the consequences of non-compliance
Functions of the ODPC
The functions of the ODPC are contained in section 8 of the Act and include receiving and investigating any complaint by any person on the infringement of rights and obligations set out under the Act. Section 9 (1) of the Act gives the DPC wide powers to superintend compliance with the Act, including powers to conduct investigations; facilitate conciliation, mediation, and negotiation on disputes; issue summons to witnesses for purposes of investigation; and to impose administrative fines for failure to comply with the Act.
Pursuant to section 56 (1) of the Act, a data subject who is aggrieved by the decision of any person pertaining to the Act, can make a com- plaint to the DPC. Subsection 2 as augmented by Rule 4 (1) of the Regulations permits lodging of complaints either orally or in writing through electronic means, including by email, web posting, complaint management information systems, or by other appropriate means. The DPC is required to reduce a complaint made orally to writing.
Pursuant to Rule 4(3) of the Regulations, a complaint can be lodged in person, by a person acting on behalf of the complainant, or by any other person authorized by law to act on behalf of a data subject (such as an Advocate, an agent or anonymously). Once a complaint is received, the DPC is required to conduct a preliminary review upon which the ODPC may either admit the complaint, advise that the matter is not within its mandate, advise that the matter lies for determination by another body or institution and refer the complainant to that body or institution, or alternatively decline to admit the complaint altogether where the same does not raise any issue under the Act.
The various avenues through which a complaint may be lodged, coupled with the fact that there is no cost implication for lodging a com- plaint, conforms the process to the dictates of the right of access to jus- tice as enshrined under Article 48 of the Constitution of Kenya, 2010.
This is further buttressed by section 56 (5) of the Act which provides for an expeditious ninety (90) day period within which the DPC must investigate and make a determination on complaints made to it.
Admission and Investigation of Complaints
Rule 6 (4) of the Regulations provides that where a complaint is admit- ted, the DPC may either conduct an inquiry into the complaint; con- duct investigations; facilitate mediation, conciliation, or negotiation; or use any other mechanism to resolve the complaint. In this regard, the ODPC has recently published a draft Alternative Dispute Resolution (ADR) Framework which is currently at the public participation stage, and which are ultimately aimed at codifying the ADR processes con- templated under the Act.
Rule 11 of the Regulations requires the DPC to, upon admission of a complaint, notify the respondent of the same within fourteen (14) days so as to give the respondent a chance to either respond to the allegations against them; resolve the complaint made in a manner that is satisfactory to the complainant; or make representations and submit evidence relevant to support their representations. Where a respondent fails to act on the complaint against them, the DPC will proceed to determine the complaint without any responses thereto. However, the DPC re- serves the right to discontinue a complaint where the same does not merit further consideration or where a complainant refuses, fails or neglects to communicate further without justifiable cause. A complainant is also at liberty to withdraw the complaint before its determination. Section 57 of the Act, taken in conjunction with Rule 13 (1) of the Regulations, gives the DPC discretion to conduct investigations, issue summons requiring attendance of any person at a specified time and place for examination, administer an oath or affirmation on any person during proceedings, require any person to produce any document or information and upon obtaining warrants from the Court, enter into any establishment or premises to conduct a search and may seize any material relevant to the investigation. Upon the conclusion of the investigations, the DPC is then required to make a determination based on findings thereof. Under Rule 14 (2) of the Regulations, the said determination should be in writing and should state, among others, the remedy to which the complainant is entitled. The remedies contemplated include issuance of an enforcement notice to the respondent, issuance of a penalty notice imposing an administrative fine in case of non-compliance, dismissal of the complaint where it lacks merit, recommendation for prosecution, or an order for compensation to the complainant by the respondent.
In case of failure to comply with the Act, section 58 empowers the DPC to serve an enforcement notice requiring the recipient to take certain defined steps within a period of time specified within the notice itself. The enforcement notice must clearly indicate what provision of the Act has been or is likely to be contravened; what steps the recipient can take to address the actual or potential contravention of the Act; the time- frame within which the recipient is to implement the remedial steps; and any right of appeal available to the recipient. An appeal against a decision arising out of the enforcement notice may be made to the High Court within thirty (30) days from service of the notice.
Section 9 (1) of the Act gives the DPC wide powers to superintend compliance with the Act, including powers to conduct investigations; facilitate conciliation, mediation and negotiation on disputes; issue summons to witnesses for purposes of investigation; and to impose administrative fines for failure to comply with the Act.
Failure to comply with an enforcement notice constitutes an offence and upon conviction one is liable to a fine not exceeding KES. 5,000,000, or to imprisonment for a term not exceeding two (2) years, or to both. Further, the obstruction of the DPC in relation to the exercise of her functions under the Act attracts criminal liability and sanctions.
Penalty Notices, Administrative Fines and Compensation
In case of failure or likelihood of failure to comply with an enforcement notice, the DPC may issue a penalty notice requiring the person in de-fault to pay the ODPC an amount specified under the penalty notice. A penalty notice is to be issued for each breach identified in the enforcement notice and shall contain, among others, an administrative fine im- posed as contemplated under section 63 of the Act. Section 63 of the Act prescribes the administrative fine payable under a penalty notice as not more than KES. 5,000,000 or in the case of an enterprise, up to one percent (1%) of its annual turnover for the pre- ceding financial year, whichever is lower. Rule 20 (4) of the Regulations provides that a penalty notice may impose a daily fine of not more than KES. 10,000 for each breach identified until the breach is rectified. It is important to note that the right of appeal to the High Court has been preserved, as against any administrative action taken by the DPC, including as against the issuance of penalty notices.
The seemingly steep administrative fine is intended to deter non-compliance with the provisions of the Act. Indeed, data protection enforcement authorities in other jurisdictions such as the Information Commissioner’s Office (ICO) in the United Kingdom, have not shied away from imposing hefty fines against persons found to be in violation of data protection laws. For instance, the United Kingdom’s ICO fined American Express Services Europe (a credit card company) a sum of nine thousand euros (€ 9,000) for sending marketing emails to various customers who had not given their consent for the same. Should Kenya’s DPC follow the precedents set by other jurisdictions’ data protection enforcement authorities, then the importance of compliance with the Act will not need to be gainsaid. The DPC would how- ever do well to temper the need for compliance and enforcement of the Act with proportionality and reasonableness, in line with the principle that the punishment should fit the crime. In addition to administrative fines, section 65 of the Act provides that a data subject who suffers damage by reason of contravention of a requirement of the Act is entitled to compensation for that damage from the data controller or data processor, save where the data controller or data processor can establish that the damage occasioned on the data subject is not attributable to any fault on their part.
The Regulations offer comprehensive enforcement mechanisms coupled with penal sanctions for non-compliance. It is worth noting that the DPC is taking proactive steps to operationalize the Act and, in addition to the Regulations, has also embarked on a recruitment drive aimed at bolstering the human resource of the ODPC. It is yet to be seen how strict the DPC will be in dealing with complaints arising from breaches of the Act and imposing penalties where applicable. It is only matter of time before occasion for the DPC’s intervention arises, more so once the Regulations take full effect. It is therefore advisable for all data processors and data controllers to err on the side of caution by ensuring full compliance with the Act and the Regulations rather than being “caught off-side” by the imminent compliance and enforcement phase of the nascent data protection laws.