Jeremy Obano vs Kenya Airways

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: right to privacy,data protection,personal data,data subject rights

Case Summary

A complaint was filed by Jeremy Obano (the Complainant) against Kenya Airways (KQ) (the Respondent), alleging that the Respondent had denied him access to a voice recording of a telephone call he had made to the Respondent’s customer service. The Complainant contended that the recorded conversation contained his personal data and that he had a right under the Data Protection Act, 2019, to access it upon request. Despite his repeated demands, the Respondent refused to furnish him with the said recording.

The Respondent argued that the Complainant’s request did not fall within the ambit of the Data Protection Act as the recording allegedly did not contain personal data. It further contended that providing the recording would infringe upon the privacy rights of its customer service agent who participated in the call. The Respondent also pointed out that internal mechanisms for resolving the complaint were ongoing when the Complainant escalated the matter to the Office of the Data Protection Commissioner (ODPC).

Following investigations, the ODPC established that the recording indeed constituted personal data as defined under the Act and that the Respondent had violated the Complainant’s right to access his personal data. The Respondent was consequently directed to compensate the Complainant and facilitate his data access request.

Issues for Determination

  1. Whether the Complainant’s rights under the Data Protection Act were infringed.
  2. Whether the Complainant is entitled to any remedies under the Act and attendant Regulations.

Determination

The ODPC ruled in favor of the Complainant, holding that the Respondent’s refusal to provide the requested voice recording was a violation of his right to access his personal data under Section 26(b) of the Data Protection Act. The determination further held that the voice recording was personal data as defined under Section 2 of the Act, given that it contained identifiable information belonging to the Complainant. 

As a result, the Complainant had a right to access this data under Regulation 9 of the Data Protection (General) Regulations, 2021, which mandates data controllers to provide access to personal data upon request within seven (7) days. The ODPC further held that the Respondent’s argument that sharing the recording would violate its customer service agent’s privacy was invalid. Instead, the ODPC found that the Respondent had an obligation to implement appropriate technical and organizational safeguards, such as anonymization, to ensure compliance with data access rights while protecting third-party data.

The failure of the Respondent to fulfill its obligations constituted a breach of the Act, warranting enforcement action.

Accordingly, the ODPC ordered the Respondent to provide the Complainant with the requested recording within 7 days from the date of service of the determination, and to compensate the Complainant Kshs. 250,000 for the violation of his rights.

Analysis

An analysis of this case illuminates many interesting elements within the data governance sphere. First, this case solidified the sanctity of the right to access personal data as a fundamental tenet of data protection, ensuring transparency and accountability in data processing. Under Section 26(b) of the Act, data subjects have the right to access their personal data held by data controllers and processors. The Complainant in this case exercised this right by requesting access to a recorded telephone conversation, which contained his voice and possibly other identifiable information.

But this leads to another question: whether voice constitutes personal data. Section 2 of the Act defines personal data as any information relating to an identified or identifiable natural person. The Act further classifies biometric data, including voice recognition, as a type of sensitive personal data that warrants heightened protection. The Respondent attempted to argue that the voice recording did not contain personal data. However, the ODPC correctly determined that a voice recording inherently constitutes personal data since it can be used to identify a data subject either directly or indirectly. Furthermore, the Respondent’s own CEO admitted to listening to the recording, reinforcing the fact that it was processed and retained by the Respondent.

Another critical question one may pose is regarding the right of the customer service agent; would not the disclosure of the recording violate their rights? While Section 41(1) of the Act requires data controllers to implement measures to protect personal data, it does not grant them unlimited discretion to deny access requests. The ODPC clarified that data controllers must adopt safeguards such as anonymization or redaction to protect third-party data while ensuring compliance with data subject rights. This ruling establishes a precedent that data controllers cannot use third-party privacy as an excuse to deny legitimate access requests.

The case further underscored the importance of handling data with appropriate precautions in place. Among other things, adopting clear policies for handling data access requests and ensuring compliance within statutory timelines; implementing safeguards such as redaction to facilitate data access requests without compromising third-party privacy; training employees on data protection obligations to prevent similar violations; and maintaining transparency in data processing to foster trust with data subjects all remain crucial.

As Kenya’s data protection regime continues to evolve, organizations must prioritize compliance to avoid financial and reputational risks.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.