Gichuhi & 2 others v Data Protection Commissioner; Mathenge & another (Interested Parties) (May 2023)

Country: Kenya
Court: High Court, Nairobi
Status: Judgment
Tags: Data protection, Breach, Privacy

Summary

The ODPC issued a determination on Complaint No. 677 of 2022, Allen Waiyaki Gichuhi and Charles Wambugu Wamae vs Florence Wamuyu Mathenge and Ambrose Ndungu Waigwa. The applicants, Allen Waiyaki Gichuhi and Charles Wambugu Wamae of Wamae & Allen Advocates, were dissatisfied with the determination and exercised their right of appeal by filing a judicial review with the High Court on the grounds that:

  • The Data Commissioner, in her determination, violated their right to a fair hearing and the principles of fair administrative action under Articles 50 and 47 of the Constitution of Kenya by failing to fully consider the evidence submitted.
  • The ODPC lacked jurisdiction to make the final determination because the 90-day period within which a complaint brought before the Commissioner ought to be determined had lapsed. The ODPC took 6 months to investigate and conclude the matter, which was outside the statutory timelines.
  • The ODPC acted in violation of the principles of procedural fairness.

The applicants sought readmission of the complaint before the Commissioner for investigation and consideration of all the evidence submitted. The court considered the submissions and ruled in favour of the applicants, quashing the ODPC’s determination and requiring readmission of the complaint before the ODPC for fresh investigations. The court also granted the applicants’ prayers on the ODPC’s lack of jurisdiction to make a determination on the matter, since the statutory time limit for the determination had lapsed (effluxion of time), and on the ODPC’s determination being a violation of the principles of procedural fairness. The ODPC was required to make a determination on the matter within 30 days of readmission of the complaint.

Analysis

The High Court in Nairobi delivered a significant judgement in the case of Allen Waiyaki Gichuhi S.C and another v Data Commissioner and Florence Wamuyu Mathenge and another, Judicial Review No. E028 of 2023.

The Complaint before the ODPC

The first and second applicants, Allen Waiyaki Gichuhi and Charles Wambugu Wamae, who operated a law firm under the third applicant, Wamae & Allen Advocates, filed a complaint with the Office of the Data Protection Commissioner (ODPC). They alleged that the first interested party unlawfully shared confidential information. However, the ODPC dismissed the complaint, stating that the provided documents were part of the public record and that the applicants failed to demonstrate any infringement of their personal data. The ODPC could not sufficiently identify any breach of data protection according to the claims established in the complaint because the complainants failed to produce the shared documents to enable the Data Commissioner to ascertain whether the documents contained personal and sensitive data.

The Matter before the High Court

Legal Issues:

Jurisdiction and Timelines: Whether the Data Protection Commission (Respondent) exceeded its jurisdiction and acted ultra vires by rendering its decision outside the statutory timeline of 90 days as provided under Section 56(5) of the Data Protection Act.

Locus Standi: Whether the Applicants had the necessary locus standi (legal standing) to bring the application for judicial review and seek the orders they requested.

Fair Hearing and Administrative Action: Whether the Respondent's decision violated the Applicants' right to a fair hearing and the principles of Fair Administrative Action as provided under Articles 47 and 50 of the Constitution of Kenya.

Key Legal Provisions/Sections:

Section 56(5) of the Data Protection Act: Provides that a complaint made to the Data Commissioner shall be investigated and concluded within ninety days.

Article 31(c) & (d) of the Constitution: Guarantees the right to privacy, including the right not to have personal information revealed and the privacy of communications infringed.

Article 260 of the Constitution: Defines "person" to include a company, association, or other body of persons, whether incorporated or unincorporated.

Fair Administrative Action Act: Provides for judicial review of administrative actions and empowers the court to grant orders that are just and equitable.

What is Locus Standi?

Locus standi refers to the legal right of a party to bring a cause of action or challenge before the court. Several factors are considered when determining locus standi, including whether the applicant's rights were violated, the causal link between the alleged injury and the actions of the respondent, and the appropriate representative.

Who are the Parties in a Data Protection Complaint?

To ascertain legal standing in a data protection complaint, it is essential to determine the likely parties involved and the purpose of the Data Protection Act. In this case, the applicants' clients were natural persons, and the applicants themselves were partners in the law firm that processed the clients' personal data.

Who can Lodge a Complaint under the Data Protection Act?

Section 56 of the Data Protection Act allows data subjects to lodge complaints with the Data Commissioner. The court acknowledged that the applicants had legal standing due to the client-advocate relationship, as they were responsible for processing their clients' personal data. However, the court noted that their role as lawyers must be distinct from their role as data controllers.

What Happens in the Event of a Personal Data Breach?

The applicants alleged a personal data breach, wherein the first interested party shared their confidential information with the second interested party. In such cases, the data controller must assess if there is a real risk of harm to the data subject according to sections 43 and 72 of the Data Protection Act. If a breach is confirmed, the data controller must notify the Data Commissioner and the affected data subjects promptly.

Distinction between Sections 56(1) and 56(2) of the Data Protection Act

The applicants sought a declaration that Section 56(2) should include organisations and companies as complainants. However, the court clarified that Section 56(1) applies to all persons, whether incorporated or unincorporated, who process personal data.

Conflict of Interest

The court initially acknowledged the applicants' locus standi due to the client-advocate relationship, but later rejected this assertion, stating that legal representation must be separate from acting as a data controller.

Court's Analysis and Determination:

Jurisdiction and Timelines: The court found that the Respondent's decision was rendered outside the 90-day timeline prescribed by Section 56(5) of the Data Protection Act. It emphasised that jurisdiction is tied to time and that any decision made outside the prescribed timeline lacks jurisdiction and is a nullity. The court rejected the Respondent's argument that compelling circumstances justified the delay, emphasising that strict adherence to timelines is necessary for a fair and just process.

Locus Standi: The court addressed the issue of locus standi, stating that the Applicants had the necessary locus to bring the application given their relationship as partners in a law firm and their fiduciary duty towards one another in relation to data privacy.

Fair Hearing and Administrative Action: The court acknowledged that the right to a fair hearing and fair administrative action are guaranteed under the Constitution. It noted that a proper evaluation of the Applicants' claims regarding violation of these rights would require a comprehensive analysis of the merits of the case. Therefore, the court refrained from delving into these issues at this stage.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.