Chepkoech Lorna & 22 others vs Firch International Company Limited T/A Pesa Pay/ODPC

Country: Kenya
Forum: Office of the Data Protection Commissioner (ODPC)
Status: Determination
Tags: data protection, privacy breaches

Attachments:

Complaint No. 436 of 2023

The matter consolidated complaints filed by 23 complainants against Firch International Company Limited, trading as Pesa Pay, alleging a range of privacy breaches: unauthorised access to the complainants' mobile phone books, sending unwarranted text messages, demanding payment for loans the complainants had never taken out, sharing personal data with third parties, and displaying an employee's personal mobile number without consent.

In response, the Respondent took steps to rectify the issues and decided to terminate its business in Kenya, citing the need to address its data acquisition and collection processes. It attributed some of the breaches to external partners and stated that it had implemented measures to prevent a recurrence. The Data Protection Commissioner investigated on the basis of the complaints and the Respondent's responses.

On conclusion of the investigation, the Data Commissioner issued a final determination holding the Respondent liable for the privacy breaches. An Enforcement Notice was issued to the Respondent, and the parties were informed of their right to appeal the determination to the High Court of Kenya. The case illustrates the enforcement of the right to privacy under the Data Protection Act, 2019.

Issues for Determination

1. Unauthorised Access to Personal Data: Allegations of irregular or unlawful access to the complainants' mobile phone books without proper consent.

2. Sending Unwarranted Text Messages: Complaints regarding the receipt of unsolicited text messages from the Respondent.

3. Requesting Payments for Unauthorised Loans: Allegations that the Respondent demanded repayment of loans that had never been taken out or had already been settled.

4. Sharing Personal Data with Third Parties: Concerns that personal data, such as names and phone numbers, was shared with third parties without proper authorisation.

5. Displaying Personal Information Without Consent: Placing an employee's personal mobile number on the Pesa Pay application without obtaining consent.

6. Compliance with Data Protection Regulations: Examination of the Respondent's compliance with the Data Protection Act, 2019, and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

7. Consent Mechanisms: Evaluation of the methods used by the Respondent to obtain consent from users and from third parties (the phone book contacts) for accessing and using their personal data.

8. Data Subject Rights: Assessment of how the Respondent gave effect to data subjects' rights, including rectification and erasure, as set out in the Data Protection Act.

9. Mitigation Measures: Review of the measures taken by the Respondent to address the complaints and prevent future privacy breaches.

10. Legal Basis for Data Processing: Clarification of the legal basis on which the Respondent contacted third parties and disclosed personal information obtained from phone book contacts.

Applicable Laws

The Data Protection Act, 2019, is the foundational legislation, setting out the rights of data subjects, the obligations of data controllers and processors, and the procedure for handling complaints. The determination relies on specific provisions of the Act, namely Section 8(f), Section 56(1), Section 25, Section 28(1), Section 40 and Section 61(a), which between them cover complaint handling, the principles of data processing, the rights of data subjects, and the obligations of data controllers and processors. Regulation 14 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, supplements the Act with detailed complaint-handling and enforcement procedures. Article 31 of the Constitution of Kenya, 2010, provides the constitutional underpinning by guaranteeing the right to privacy.

Data Commissioner's Analysis and Determination:

1. Unauthorised Access to Personal Data:

The Commissioner found that the Respondent violated the Complainants' rights by accessing their mobile phone books without proper consent, in contravention of the Data Protection Act, 2019.

2. Sending Unwarranted Text Messages:

The Commissioner determined that sending unsolicited text messages to the Complainants violated their privacy rights and breached the data protection regulations.

3. Requesting Payments for Unauthorised Loans:

The Commissioner concluded that demanding repayment of loans that had never been taken out or had already been settled was a clear infringement of the Complainants' rights and a breach of data protection law.

4. Sharing Personal Data with Third Parties:

The Commissioner found that sharing personal data, such as names and phone numbers, with third parties without proper authorisation was a serious violation of the data protection regulations and of the rights of the data subjects.

5. Displaying Personal Information Without Consent:

The Commissioner determined that placing an employee's personal mobile number on the Pesa Pay application without obtaining consent was a direct violation of the employee's privacy rights and of the Data Protection Act.

6. Compliance with Data Protection Regulations:

The Commissioner assessed the Respondent's compliance with the Data Protection Act, 2019, and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, and found instances of non-compliance that led to the privacy breaches.

7. Consent Mechanisms:

The Commissioner scrutinised the methods used by the Respondent to obtain consent from users and from third parties for accessing and using their personal data, and identified deficiencies in the consent mechanisms employed.

8. Data Subject Rights:

The Commissioner evaluated how the Respondent gave effect to data subjects' rights, including rectification and erasure, as set out in the Data Protection Act, and found shortcomings in meeting these obligations.

9. Mitigation Measures:

The Commissioner reviewed the measures taken by the Respondent to address the complaints and prevent future privacy breaches, noting the Respondent's decision to terminate its business in Kenya as a corrective action.

10. Legal Basis for Data Processing:

The Commissioner sought clarification of the legal basis on which the Respondent contacted third parties and disclosed personal information obtained from phone book contacts, emphasising the requirement that all processing rest on a lawful basis.

Final Determination:

The Commissioner found the Respondent liable for the privacy breaches and issued an Enforcement Notice. The parties were granted the right to appeal the determination to the High Court of Kenya.

Frequently Asked Questions

What is a data subject?

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

What rights does a data subject have?

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if the data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with that purpose,
  • to be informed about third parties who receive the personal data, in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

What is data processing?

Data processing refers to any operation performed on personal data, in whole or in part, by automated or manual means. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

What is a data controller?

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

What is a data processor?

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

What information must a data controller or processor provide to the data subject?

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of any transfer, the method used to collect the personal data and its legal basis, and any other rights granted to the data subject by law.

What principles govern data processing?

Personal data must be processed fairly and lawfully; it must be accurate and kept up to date; it must be processed for specified, explicit and legitimate purposes; it must be adequate, relevant and not excessive in relation to the purposes for which it is processed; and it must be retained for the period specified by law or for no longer than is necessary for the purposes of the processing.

What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment is used to identify and mitigate high risks associated with data processing that may affect the rights and freedoms of data subjects.

What is the difference between a data controller and a data processor?

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data. A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.