BUSINESS LAW &TAX
FEBRUARY 2023 WWW.BUSINESSLIVE.CO.ZA
A REVIEW OF DEVELOPMENTS IN CORPORATE AND TAX LAW
Kenya sets tone for privacy
Office breaks ground with •ruling on personal data disclosure Dennis Gathara ENSafrica
I
n January 2023, the Office of the Data Protection Commissioner (DPC) delivered one of its first rulings under the Data Protection Act, 2019 since the commencement of its operations. The complaint pitted the partners of a firm, Allen Waiyaki Gichuhi and Charles Wamae (the claimants), against two former employees, Florence Mathenge and Ambrose Waigwa (the respondents), for alleged breach of clients’ confidential information, including personal data. The claimants alleged that for almost one year, while Mathenge was still working for the claimants, she leaked personal and sensitive personal data without authorisation from her employers to Waigwa, who at the time was no longer an employee at the firm. The claimants provided a detailed list of the documents that had been leaked by Mathenge, including the dates, the email addresses where the documents were sent to and the names of the documents. The claimants alleged that this disclosure
was contrary to the provisions of the act because the documents were the firm’s intellectual property and contained trade secrets that could not be disclosed without their authorisation. The respondents, on their part, challenged the DPC’s jurisdiction to hear and determine the matter on the basis that the complaint related to the claimants’ intellectual property rights and not personal data. They also alleged that all the documents in question were public documents and, as such, could not be covered by the provisions of the act. The respondents also challenged the jurisdiction of the DPC on grounds that similar suits were pending before the high court, the Directorate of Criminal Investigations (DCI) and the Law Society of Kenya (LSK) thus violating the principle of res judicata. The respondents also stated that
THIS RULING HAS MADE IT APPARENT THAT WHERE A REPRESENTATIVE IS APPOINTED, PROOF MUST BE PROVIDED TO THE DPC
KEEP IT TO YOURSELF
the respondents’ argument that the lack of registration as data controllers or data processors precluded the claimants from lodging a complaint with the DPC. According to the DPC, registration and filing of complaints were mutually exclusive and the absence of registration did not bar any-
THIS DECISION, BEING ONE OF THE FIRST DELIVERED BY THE DPC, WILL FORM THE FOUNDATION OF DATA PROTECTION JURISPRUDENCE
/123RF — NIALOWWA the complainants’ firm had not been registered as a data controller or processor at the time they responded to the complaint. They alleged that, on this basis, the law could not be applied retrospectively. They urged the DPC to dismiss the complaint. The DPC, having considered the complaint and the
response, came up with three issues for determination: ● Jurisdiction; ● Whether there was breach of the act; and ● Whether remedies were applicable under the act. On the question of jurisdiction, the DPC found that it had jurisdiction to hear and determine the complaint
since the matter in question involved the disclosure of personal data and sensitive personal data. It went on to state that questions of intellectual property were not within the its jurisdiction since its mandate only extended to personal data as defined in the act. The DPC was also not persuaded by
one from filing a complaint with the DPC. The DPC also distinguished the proceedings before it and those before the high court, the DCI and the LSK, holding that each of these proceedings covered different issues under Kenyan law. There was therefore no conflict between the issues in the complaint and those before the other bodies. On whether the respondents breached the provisions of the act, the DPC noted that while an extensive list of documents was provided in the complaint, most of the alleged documents CONTINUED ON PAGE 2