Kenya’s Data Protection Act: Who Should Enforce Privacy Rights?
The Data Protection Act faces a legal challenge that could redefine the ODPC’s enforcement powers with regard to the oversight of privacy rights.
In a digital era where data privacy is becoming increasingly important, Kenya’s Data Protection Act (2019) stands as a vital legal safeguard. Enacted to protect individuals from unlawful data processing, it empowers the Office of the Data Protection Commissioner (ODPC) to investigate violations, issue penalties, and enforce compliance.
However, the ODPC’s authority is now facing a significant legal challenge from lawyer Henry Stephen Arunda, who argues that the ODPC has unlawfully usurped the powers of the High Court. His petition, currently before the High Court, raises critical constitutional questions about the separation of powers and the enforcement mechanisms of data privacy laws in Kenya.
The Legal Challenge: Henry Arunda’s Petition
Arunda’s petition asserts that:
- The ODPC’s ability to investigate, hear, and determine privacy rights violations is unconstitutional.
- Only the High Court, under Article 165 of the Constitution, has the jurisdiction to rule on violations of fundamental rights and freedoms.
- By handling privacy-related complaints and issuing penalties, the ODPC is functioning as a quasi-judicial body without constitutional backing.
- The Data Protection (Complaints Handling and Enforcement) Regulations (2021), which allow the ODPC to enforce its decisions as court orders, are unconstitutional.
These arguments challenge the legitimacy of the ODPC’s enforcement powers and could redefine how data protection violations are handled in Kenya.
A Precedent: Roma School Uthiru v Data Protection Commissioner
Arunda’s challenge comes just months after the High Court upheld the ODPC’s powers in the case of Roma School Uthiru v Data Protection Commissioner; Muturi (Interested Party).
In that case, Roma School challenged a KES 4.55 million penalty issued by the ODPC over non-compliance with data privacy regulations. The school sought judicial review orders, including:
- An Order of Prohibition to stop the ODPC from enforcing the penalty notice.
- An Order of Certiorari to quash the ODPC’s decision.
- An Order of Mandamus directing the ODPC to properly serve the enforcement notice.
The High Court dismissed the case, affirming that:
- The ODPC acted within its mandate under the Data Protection Act (2019).
- The penalty was lawfully issued, and the court had no jurisdiction to interfere with the ODPC’s enforcement powers.
- Service of the penalty notice via email was valid, aligning with Order 5 Rule 22B of the Civil Procedure Rules.
This ruling solidified the ODPC’s authority as a regulator with enforcement powers, allowing it to issue binding penalties against data protection violators.
The Constitutional Debate: Who Should Enforce Privacy Rights?
The ongoing court battle between Henry Arunda and the ODPC raises a crucial debate: Should data protection enforcement remain with the ODPC, or should all privacy-related disputes be adjudicated exclusively by the High Court?
Supporters of the ODPC’s role argue that:
- A specialized regulator is essential for efficient enforcement of data laws.
- The ODPC ensures quicker resolution of data complaints, unlike lengthy court processes.
- Limiting the ODPC’s power would weaken Kenya’s data protection framework.
On the other hand, critics—like Arunda—believe that:
- Privacy rights are fundamental and should be adjudicated by the High Court.
- The ODPC lacks judicial authority and should not impose binding penalties.
- Allowing the ODPC to act as judge and enforcer creates a risk of overreach.
What’s Next? The Implications of the Court’s Decision
The High Court’s ruling on Arunda’s petition will have far-reaching consequences. If the court limits the ODPC’s powers, it could:
- Weaken regulatory enforcement of data privacy laws.
- Shift privacy disputes entirely to the courts, slowing down resolution timelines.
- Increase legal uncertainty for businesses handling personal data.
Conversely, if the court upholds the ODPC’s mandate, it will:
- Strengthen the Data Protection Act’s enforcement mechanisms.
- Cement the ODPC’s role as the primary regulator of data privacy violations.
- Provide greater clarity and confidence for businesses and individuals on data protection enforcement.
Final Thoughts: The Need for Stakeholder Engagement
Regardless of the outcome, Kenya’s data protection landscape is at a crossroads. It is imperative for the legislature, businesses, legal experts, and data protection professionals to engage in this discussion and shape a robust framework that balances:
- Regulatory efficiency
- Judicial oversight
- The fundamental right to privacy
What’s your take? Should the ODPC continue enforcing data privacy laws, or should enforcement powers be restricted to the courts?