Consent is a cornerstone of Kenyan law, championing personal freedom and individual autonomy in a society that highly values dignity and respect. It holds a pivotal role in various legal domains, spanning from contract agreements to medical procedures, and, most notably, in cases related to sexual offenses. The legal principle of consent empowers individuals to make informed choices about their bodies and personal affairs, acting as a safeguard against coercion, exploitation, and violations of personal boundaries. This fosters a culture of accountability and respect for the rights of all Kenyan citizens.
The evolving field of Data Protection has also embraced the importance of consent, with Data Protection legislation and principles deeming it an indispensable element. The Data Protection Act No. 24 of 2019, designed to align with the Constitution, established the Office of Data Protection Commissioner. This office is tasked with safeguarding data subjects’ rights and providing checks and balances for data controllers and processors. Importantly, the Act recognizes consent as one of the eight lawful bases for processing data.
On September 26, 2023, the Data Commissioner issued penalty notices to three entities totaling Kes. 9,375,000/- following compliance audits. These penalties were imposed due to their failure to observe Data Privacy Rights and non-compliance with the Data Protection Act. Mulla Pride Ltd, a Digital Credit Provider, Casa Vera Lounge, a restaurant, and Roma School faced fines of Kes. 2,975,000/-, Kes. 1,850,000/-, and Kes. 4,550,000/-, respectively, as compensation to data subjects whose rights were violated. Remarkably, Roma School set a precedent by receiving the highest penalty fine for an educational institution. All three entities were penalized due to their failure to obtain proper consent for the data they utilized.
Subsequently, other establishments, predominantly restaurants and lounges, swiftly began issuing notices seeking or implying consent in exchange for admission. While this may appear to mitigate potential liabilities, it is essential to consult the Data Protection Act provisions on obtaining consent to ensure full compliance.
Additionally, the Office of the Data Protection Commissioner published the “GUIDANCE NOTE ON CONSENT,” offering clarification and guidelines for consent compliance. The notes stipulate the minimum criteria, including the necessity for a genuine (free) choice, an informed indication of the data subject’s wishes, and an agreement statement for data processing. It becomes evident that implied consent notices issued by these establishments still fall short of consent compliance.
Moreover, the notes elucidate the conditions for consent, the timing of consent acquisition, the interplay between consent and other lawful bases, and the limitations of consent. The crux of this publication is that data controllers and processors bear the responsibility of proving valid consent, which must be obtained prior to initiating processing activities, can be withdrawn, and does not grant absolute immunity from the provisions of the Act.
In essence, consent not only upholds the rule of law but also underscores the nation’s commitment to safeguarding fundamental human rights and freedoms enshrined in its constitution. It is a legal linchpin, preserving personal autonomy, and promoting a culture of respect and accountability.
Authors:
Zahra Nechesa – Partner
Nderitu Wang’ombe – Lawyer
