
Perpetual Wanjiku -vs- Casa Vera Lounge

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: unauthorised use of personal data, privacy breaches, image rights

Case Summary

The case involves a complaint filed by Perpetual Wanjiku on April 14, 2023, against Casa Vera Lounge, an entertainment joint in Nairobi. Perpetual Wanjiku, a customer at Casa Vera Lounge, alleged that her image was captured and featured on the lounge's social media pages, i.e., Instagram, Facebook, and WhatsApp, without her consent. She expressed concerns about the commercial use of her photo for advertising purposes and felt that her privacy had been breached. Perpetual submitted a demand letter to Casa on 16th October 2022 seeking a written apology from the respondent for the privacy breach. Perpetual Wanjiku identified the image on Casa Vera Lounge's Instagram page as the one in question. She claimed that her privacy was violated and sought compensation for the unauthorized use of her image.

Issues for determination

  1. Whether Casa Vera Lounge obtained valid consent from Perpetual Wanjiku before capturing and publishing her image on their social media platforms.
  2. Whether the consent obtained was sufficient and in compliance with the Data Protection Act and Regulations.
  3. Whether Casa Vera Lounge's actions infringed Perpetual Wanjiku's right to control her image and likeness, as protected under the law.
  4. Whether Casa Vera Lounge fulfilled its duty to notify individuals about the processing of their personal data, as required by the Data Protection Act.
  5. Whether Casa Vera Lounge's actions warranted the issuance of an enforcement notice by the Data Protection Commissioner.

Determination

Casa Vera Lounge was found to have violated Perpetual Wanjiku's rights under sections 26(a) and (c) of the Data Protection Act. The respondent failed to demonstrate compliance with the duty to notify under Section 29 of the Act. Casa Vera Lounge did not satisfy the consent conditions under Section 32 of the Data Protection Act, as read with Regulation 4 of the Data Protection (General) Regulations, 2021. The consent obtained was deemed insufficient and unsatisfactory according to the legal requirements.

An Enforcement Notice was issued to Casa Vera Lounge as a result of the findings of the investigation. Despite the complainant seeking compensation of Kshs. 5,000,000, the Data Protection Commissioner declined to grant this remedy. The decision not to award compensation was based on the respondent's mitigation measures, particularly the removal of the complainant's image from their social media platforms upon objection.

Analysis

The case of Perpetual Wanjiku vs. Casa Vera Lounge highlights several crucial aspects in the realm of data protection rights and privacy concerns. Here is an explanation of the key points and insights from the case:

● Consent and Data Protection:

Consent is a key issue in this case, particularly when one's image is considered personal data. Obtaining explicit and informed consent before processing individuals' personal data is essential, particularly where images are captured and disseminated for commercial purposes. Casa Vera Lounge's failure to meet the conditions of consent emphasizes the legal obligation for organizations to ensure that individuals provide valid consent for processing their personal data, including images. The Data Protection Act describes consent as ‘any manifestation of express, unequivocal, free, specific and informed indication of the data subject's wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.’ This criterion was not met in this case. Additionally, section 32 states that consent may be withdrawn at any given time and that the data controller or processor, in this case Casa Vera, bears the burden of proving that the data subject, Perpetual Wanjiku, did in fact give consent as described, which she did not.

● Privacy Rights and Control:

The case underscores the fundamental right of individuals to have control over their image and likeness, as enshrined in data protection regulations and constitutional provisions. The rights are given validity through Article 31 of the Constitution on the right to privacy. Additionally, photographs are classified as personal data, which falls within the definition of an identified or identifiable person. More specifically, the issue of privacy rights underscores the broader issue of safeguarding individuals' privacy in the digital age, especially concerning the unauthorised use of their images on social media platforms. This also falls within the exercise of image rights, under which one's image or likeness cannot be used, especially for commercial purposes, without the data subject's consent.

● Notification Obligations:

The Data Protection Commissioner's determination that Casa Vera Lounge failed to adequately inform individuals about data processing activities highlights the crucial role of transparency and accountability in data handling practices. Proper notification is essential to ensure that individuals know how their data is being utilized and to empower them to exercise their data protection rights effectively. This obligation is also set out in section 29 of the Data Protection Act, which provides for the duty to notify the data subject of their rights, the fact that personal data is being collected, and the purpose for the collection. Casa Vera failed to consider this and, in so doing, was in breach of the data subjects' rights.

● Enforcement and Remedies:

The issuance of an Enforcement Notice to Casa Vera Lounge demonstrates the authority of regulatory bodies to enforce data protection laws and ensure compliance with legal requirements. The authority is prescribed under section 58, with conditions which must be executed to mitigate further harm. This action underscores the importance of regulatory oversight in upholding data protection standards and addressing non-compliance. Despite the complainant's request, the decision not to grant compensation showcases the careful consideration of mitigating actions taken by the respondent in response to the privacy breach. It highlights the balancing act between addressing privacy violations and recognising remedial measures. The Data Commissioner's discretion on enforcement remedies is granted under section 58.

This case underscores the importance of organisations adhering to data protection regulations, obtaining valid consent, and respecting individuals' privacy rights to avoid legal repercussions. It emphasises the role of regulatory bodies, such as the Data Protection Commissioner, in upholding data protection standards, investigating complaints, and enforcing compliance measures when necessary. 

 

Frequently Asked Questions


A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.