Isaya Lemerketo-vs- The Kenya School of Law

Cases Detail

Cases

Isaya Lemerketo-vs- The Kenya School of Law

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: unauthorised use of personal data,data subject rights,data controller obligations,image rights

Case Summary

In the case,  Isaya Lemerketo, the complainant, filed a complaint against The Kenya School of Law, alleging a breach of privacy rights under the Data Protection Act. Isaya Lemerketo claimed that the school used his image on promotional materials without his consent, leading to an invasion of privacy. The Kenya School of Law made flyers featuring Isaya’s image in an advertisement for an application for a Diploma in Law course. Flyers were distributed in physical copies at events, and posts also had his image on social media pages, which were done without his consent. The Respondent, The Kenya School of Law, acknowledged the use of the Complainant's image and took swift action to address the issue by developing policies to protect the privacy of students and stakeholders. As a result, the complainant sought compensation of Kshs 5,000,000.00, a recommendation for prosecution and issuing an enforcement notice against Respondent.  

Issues of Determination 

  1. Whether the Kenya School of Law breached Isaya Lemerketo's privacy rights by using his image on promotional materials without his consent.
  2. Whether the Kenya School of Law took appropriate and swift action to address the breach of privacy once it was notified of the complaint.
  3. Is Isaya Lemerketo entitled to remedies, including compensation, for the alleged breach of his privacy rights?
  4. Whether The Kenya School of Law's actions were in compliance with the Data Protection Act and related regulations.
  5. Should the complaint be deemed resolved based on the actions taken by the Kenya School of Law and the absence of demonstrated loss by Isaya Lemerketo?

Determination 

The Data Commissioner's determination in the case between Isaya Lemerketo and The Kenya School of Law addressed several key issues. Firstly, it was established that The Kenya School of Law breached Isaya Lemerketo's privacy rights by using his image on promotional materials without his consent, as confirmed by the Data Commissioner. Despite this breach, the Commissioner noted that The Kenya School of Law took swift action to rectify the situation by implementing privacy protection policies and engaging in efforts to resolve the matter amicably with Isaya Lemerketo.

Regarding the entitlement to remedies, Isaya Lemerketo sought compensation of 5,000,000 for the breach of his privacy rights, citing precedents from similar cases. However, the Data Commissioner decided against awarding compensation based on two key factors. Firstly, the Commissioner acknowledged and considered the swift action taken by The Kenya School of Law in response to the privacy breach. The prompt measures implemented by the Respondent upon being notified of the complaint played a significant role in determining whether or not to award the requested compensation.

Secondly, the Data Commissioner assessed the situation and found no demonstrated loss suffered by Isaya Lemerketo due to the privacy violation. In cases where the complainant does not show clear evidence of significant harm or loss, the necessity for compensation may be deemed unnecessary. Therefore, based on the Respondent's quick response and the absence of proven loss on the part of Isaya Lemerketo, the Data Commissioner decided against granting the requested compensation of Kshs. 5,000,000

Furthermore, the Data Commissioner concluded that The Kenya School of Law's actions did not comply with the Data Protection Act and related regulations, as they used Isaya Lemerketo's image without proper consent, thereby violating data protection laws. Despite this non-compliance, the Commissioner deemed the complaint resolved due to the Respondent's actions and the lack of substantial loss suffered by Isaya Lemerketo, closing the case without compensation.

Analysis 

The case between Isaya Lemerketo and The Kenya School of Law involved a breach of privacy rights and raised several key data protection issues under the Data Protection Act. Here is a detailed analysis highlighting relevant sections of the Act and critical data protection issues observed in this case:

●       Breach of Privacy Rights: The primary issue in this case was the unauthorised use of Isaya Lemerketo's image by The Kenya School of Law on promotional materials without his consent. This action violated Isaya Lemerketo's right to privacy as outlined in Article 31 of the Constitution of Kenya and further protected under the Data Protection Act, 2019.

●       Data Subject Rights (Sections 26 and 29): Sections 26 and 29 of the Data Protection Act are crucial. Section 26 grants data subjects the right to be informed of the use of their personal data, while Section 29 requires data controllers to inform data subjects of their rights before collecting personal data. The failure of The Kenya School of Law to inform Isaya Lemerketo of the use of his image infringed upon these rights.

●       Data Controller Obligations: The Kenya School of Law, as the data controller in this case, was responsible for ensuring compliance with data protection laws. By using Isaya Lemerketo's image without proper consent and failing to adhere to the provisions of the Data Protection Act, the school breached its obligations as a data controller. 

●       Swift Action and Remedial Measures: The Data Commissioner noted the swift action taken by The Kenya School of Law to address the privacy breach once notified. This highlights the importance of data controllers responding promptly to data protection complaints and taking remedial measures to rectify violations.

●       Compensation and Loss: Isaya Lemerketo sought compensation for violating his privacy rights. However, the Data Commissioner considered the lack of demonstrated loss suffered by Isaya Lemerketo and the swift action taken by the Respondent in deciding against awarding compensation. This underscores the importance of assessing actual harm or loss when determining compensation in data protection cases.

●       Enforcement and Compliance: The case highlights the role of the Data Commissioner in enforcing data protection laws and ensuring compliance by data controllers. By investigating the complaint, analysing evidence, and deciding, the Commissioner demonstrated the importance of upholding data protection regulations powers which are given under section 56 of the Data Protection Act 

In conclusion, the case of Isaya Lemerketo vs. The Kenya School of Law underscores the significance of protecting individuals' privacy rights, data subject rights, data controller obligations, swift action in response to breaches, and harm assessment in data protection cases. It serves as a valuable example of applying the provisions of the Data Protection Act to address privacy violations and ensure compliance with data protection laws.

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.