Kenya’s Data Commissioner Sends Clear Message with Heavy Penalties

Data Commissioner fines nightclub, school and mobile loan app

It’s been 3 years since the first Data Commissioner for Kenya was appointed. Finally, the Kenyan data watchdog has started to bite.

Today, the Office of the Data Protection Commissioner (ODPC)  announced it had penalised three separate entities which violated the provisions of the Data Protection Act 2019.

One of the penalised is a Nairobi nightclub. Casa Vera Lounge has been issued with a fined KES 1,850,000 for posting a revellers image without consent. The ODPC states this precedence should serve as a warning to other establishments.

Indeed, this serves as a warning to Social Media Managers and teams handling digital communications. The commercialized use of images is fast growing in Kenya, with various sectors leveraging the use of images to boost their marketing and branding strategies.

Moreover, this fine also comes as a warning to content creators. Earlier this year, a UK tiktoker was ordered by a court to obtain documented content before uploading anyone on their feed.

Data Commisioner Warns Loan Providers

The ODPC also reigned in a Digital Credit Provider (DCP). Mulla Pride Ltd operates KeCredit and Faircash mobile lending. As a DCP it was found guilty of obtaining user data and proceeding to use the information to harass a client via messages and phone calls. Mulla Pride has been fined KES 2,975,000.

For sure, Kenyans will be interested on what actions the Central Bank of Kenya will take on this digital loan provider. Under the Digital Credit Providers Regulations 2021, the CBK has powers to revoke the licenses of firms which use third parties in name-and-shame tactics meant to recover the money.

The ODPC hopes the heavy penalty will ensure that the data controllers are limited to strictly dealing with data subjects who have consented to the collection and processing of their data.

Lastly, Roma School, an Educational facility based in Uthiru has been fined KES 4,550,000 for posting minors’ pictures without parental consent. The school sets precedence as the first educational institution to attract a penalty due to data privacy violations.

In Kenya, any institution handling minors’ personal data to obtain consent from parents/guardians

Data Commissioner Immaculate Kassait called upon Data Controllers and Data Processors to keep tabs with the law and ensure their activities are complying.

Failure to comply with the Act will result in instituting enforcement procedures.” said the statement from the ODPC.

Currently, local retail chain Naivas is under investigation. This is after it was revealed the company failed to report a 611GB customer data breach. The findings will be shared with the Data Controller for their swift action. If found guilty, Naivas faces a KES 5 million fine.

Finally, the ODPC will be embarking on conducting forty (40) Compliance Audits to various Data Controllers and Processors in various sectors this Financial Year.