ODPC Fines Explained – The Elusive Mirage of Consent
DATA PRIVACY PULSE – From Basics to Compliance
An Educative Series by Sentinel Africa Consulting.
Kenya’s Data Protection Laws and the Challenge of Effective Consent Management – Lessons Through Casa Vera Lounge, Mulla Pride Ltd, and Roma School
A Certified Data Protection Officer Expert cum Lawyer Explainer! – The recent ODPC fines experienced by Mulla Pride Ltd, Casa Vera Lounge, and Roma School are a clear indication that the misalignment between consent management and data protection laws has far-reaching implications.
In Kenya, as in many parts of the world, the protection of personal data has emerged as a pivotal concern in an increasingly digital society. Against this backdrop, the notion of consent has become a cornerstone of data protection laws—a fundamental guarantee that individuals have a say in how their personal information is collected, processed, and shared. Yet, as we delve into the intricacies of consent management, it becomes alarmingly clear that this vital safeguard is often more of a mirage than a meaningful defense of privacy.
The recent fines experienced by Mulla Pride Ltd, Casa Vera Lounge, and Roma School are a clear indication that the misalignment between the implementation of compliance and the specific requirements of the data protection law has far-reaching implications. In the case of Mulla Pride, the organization inadvertently obtained personal data from third parties and in turn used the information to send threatening messages to the complainants. This opacity not only endangers the essence of consent but also pushes the boundaries of what constitutes fair and ethical data processing in cases where personal data is collected via indirect sources.
The law is explicit, under Section 28, on the instances where personal data can be obtained indirectly. This is permitted only where: the data is contained in a public record; the data subject has deliberately made the data public; the data subject has consented to the collection from another source; the data subject has an incapacity and an appointed guardian has consented to the collection from another source; or the processing is tied to the investigation of a crime, is pursuant to a legal requirement, or is carried out to protect the interests of the data subject or another person.
For Casa Vera Lounge and Roma School, the issue centers on taking and posting photographs without obtaining consent, not only from the data subjects themselves but also parental consent with regard to minors. Consent, as enshrined in the law, is not just a legal formality but a fundamental principle that underscores the value of an individual’s personal data. When we post photos of others without their consent, we breach this principle, undermining the foundation of data protection. Moreover, Section 33 of the law is stringent with regard to processing child-related data, as such data is regarded as sensitive in nature because children constitute a vulnerable group. Where child data is involved, consent MUST be obtained from a parent or legally appointed guardian on behalf of the child, and that consent also ought to be recorded.
Where consent is relied on as a lawful basis for processing personal data, institutions and individuals must ensure that consent is informed. This means not only that individuals should have a clear understanding of what they are consenting to, but also that consent must be unambiguous, leaving no room for doubt about the individual’s willingness to permit data processing. Additionally, consent must be explicitly obtained, leaving no room for implied agreement. Individuals must explicitly state their consent for the processing of sensitive data, and a record of such consent must be retained. Although the law does not specify that consent must be in writing, the spirit of the law actively promotes the model that valid consent should involve a positive action indicating that the data subject has effectively signified agreement to such processing. The most practical and secure way to implement this concept is to seek written consent. Lastly, consent is not infinite. Individuals should be afforded a means to withdraw the consent they have provided and must be informed of the mechanisms by which they can exercise this right.
It is worth noting that in the case of public events or spaces, it is not enough to have publicly displayed notices informing patrons that photographs or videos are being taken; organizers must also inform them of how they can opt out of appearing in such media and who they can contact to ensure their right to privacy is observed. If, due to restricted circumstances, the organizer or individual is not in a realistic position to obtain consent and would still like to share the photographs or videos, blurring of the individuals should be considered as a possible approach to render them unidentifiable.
In Kenya’s ever-evolving data landscape, a profound understanding of data protection is very important. Recent cases starkly underline the crucial need for compliance with data regulations. To navigate this complex terrain, organizations must therefore prioritize the education of their teams. I recently had the privilege of facilitating the CDPO training by Sentinel Africa. It was a rewarding experience, collaborating with enthusiastic professionals from various organizations. This training extended beyond mere content, reinforcing the importance of certifying Data Protection Officers (DPOs). This step equips organizations to navigate the intricacies of data and privacy compliance, avoiding the risks of fines and reputational damage.
Sentinel Africa has an exciting line-up of upcoming CDPO training sessions in November and December. I look forward to welcoming you to these enriching sessions. Together, we’ll delve deeper into this critical topic, ensuring a stronger foundation for data protection and privacy compliance.