Joanna Block & Gabriel Oser (Legal Guardians to V.O Minor) vs. Karim Anjarwalla

Cases Detail

Cases

Joanna Block & Gabriel Oser (Legal Guardians to V.O Minor) vs. Karim Anjarwalla

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection,privacy breaches,minor's personal data

Case Summary

This case involves a complaint brought by Joanna Block and Gabriel Oser, the legal guardians of a minor, against Karim Anjarwalla. The complaint concerns the alleged unlawful disclosure of the minor's personal data by Anjarwalla on LinkedIn. The Office of the Data Protection Commissioner (ODPC) was tasked with investigating the complaint, which included examining whether there was a breach of the Data Protection Act, 2019, and whether the minor’s personal data was improperly disclosed without consent.

Issues for Determination

  1. Whether the ODPC has jurisdiction to determine the complaint.
  2. Whether there was an infringement of the minor's personal data under the Data Protection Act, 2019.
  3. Whether the complaint was sufficiently addressed by the Respondent.
  4. Whether the Complainants are entitled to the remedies sought for the alleged breach.

Determination

The Office of the Data Protection Commissioner (ODPC) has determined that the complaint filed by Joanna Block and Gabriel Oser against Karim Anjarwalla, alleging the unlawful disclosure of their minor's personal data on LinkedIn, is within its jurisdiction to investigate. Despite the Respondent's assertion that the information disclosed was part of public judicial records, the ODPC finds that the minor’s data, specifically the name and residential address, was not anonymized, which is a breach of the Data Protection Act, 2019. The ODPC acknowledges the Respondent's immediate action to delete the LinkedIn post upon realising the breach but concludes that the failure to anonymize the minor's data initially constitutes an infringement of the minor's rights under the Act. Therefore, the ODPC holds that the Respondent did violate the Data Protection Act by disclosing the minor's personal data without consent and without anonymization.

Analysis

On whether the ODPC has jurisdiction to handle the complaint

The ODPC examined its mandate under the Data Protection Act, 2019, and determined that it has the authority to investigate complaints related to the unlawful processing of personal data. The Complainants alleged that their minor’s personal data was disclosed without consent, a clear concern under the Act. Although the Respondent argued that the information disclosed was part of public judicial records, the ODPC maintained that the jurisdiction to investigate potential breaches of the Act remains within its purview. Therefore, the ODPC confirmed its jurisdiction to handle this complaint, emphasising its responsibility to protect personal data irrespective of the source of the data.

On whether the personal data was unlawfully disclosed by the Respondent

The ODPC reviewed the LinkedIn post made by the Respondent, which included the minor's name and residential address. According to Section 33 of the Data Protection Act, 2019, personal data relating to a child should not be processed without the consent of the parent or guardian. The Respondent did not anonymize the minor’s data in the LinkedIn post and did not obtain consent from the Complainants. Although the Respondent deleted the post upon being notified, the initial disclosure constituted an unlawful processing of the minor’s personal data. The ODPC determined that the failure to anonymize sensitive information and the lack of necessary consent amounted to a breach of the Data Protection Act.

On whether the disclosed data falls under public records as per the Evidence Act and the Public Archives and Documentation Service Act

The Respondent argued that the Plaint containing the minor's personal data is a public record and its publication does not breach data protection laws. While acknowledging that court documents are public records, the ODPC emphasised that the Data Protection Act still requires compliance with data protection principles when processing such records, especially those involving minors. The Act stipulates that data relating to children must be handled with extra protection, including anonymization to safeguard their identity. Therefore, even though the Plaint is a public document, the Respondent’s failure to anonymize the minor’s data was inconsistent with the requirements of the Data Protection Act.

On whether the ongoing High Court proceedings affect the ODPC’s determination

The ODPC considered the parallel proceedings in the High Court, where the Complainants sought similar relief. While recognizing the High Court's jurisdiction over certain aspects of the case, the ODPC focused on its statutory mandate to investigate breaches of the Data Protection Act. The existence of High Court proceedings did not preclude the ODPC from fulfilling its role in protecting personal data. The ODPC ensured that its determination was based strictly on issues of data protection, thereby avoiding potential conflicts with the High Court’s jurisdiction. Consequently, the ODPC concluded that its investigation and determination were justified and necessary to uphold the principles of data protection as outlined in the Act.

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.