Mwangi & another v Naivasha County Hotel t/a Sawela Lodges (Petition E003 of 2021)

Cases Detail

Cases

Mwangi & another v Naivasha County Hotel t/a Sawela Lodges (Petition E003 of 2021)

Country: Kenya
Court: High Court, Naivasha
Status: Ruling
Tags: Right to privacy,Data protection

Attachments:

Summary

The petitioners raised allegations of violation of their privacy rights under Article 31 of the Constitution in a petition dated July 5, 2021. The petitioners allege that the respondent photographed them during a team-building activity at the respondent's premises and then used the photographs to make posts on various social media platforms to market the respondent's products. The petitioners claimed that the respondent's actions violated their right to privacy because they did not consent to have their photos taken and used. The petitioners in particular claimed that the respondent violated their constitutional rights under the Bill of Rights, moreso Article 31 on the right to privacy.

Through a preliminary objection the respondent challenged the jurisdiction of the court to hear and determine the raised issues noting that, the petition did not fall under the jurisdiction of the court but instead fell under the jurisdiction of the Data Protection Commissioner as established under the Data Protection Act (Sec 65) thereby urging the court to dismiss the petition. In determining the petition the court highlighted three issues of determination,

  • Whether the objection by the respondent was sustainable in court
  • Whether the court is barred from hearing the dispute
  • Whether there are any constitutional issues raised in the petition.

In making its determination the court upheld the preliminary objection giving rise to questions on jurisdiction and whether the petitioners had exhausted all available remedies before bringing its petition before the court. Issues in focus related to the jurisdiction of the office of the data protection commissioner in handling the matter in the first instance and the jurisdiction of the court in hearing the petition. The court acknowledged the need to exhaust administrative remedies as provided in law and encouraged under the Constitution of Kenya through alternative dispute resolution mechanisms (Article 159). In this acknowledgment, the court further noted that administrative remedies do not preclude the court from making decisions as there are exceptions. The first is where exhaustion of existing administrative remedies would not serve the values enshrined in the constitution or law. The second is where the parties lack adequate audience before a forum created by a statute, or may not have the quality of audience before the forum which is proportionate to the interests of the party.

The Court noted that the questions raised by the petitioners related to the infringement of fundamental rights and freedoms i.e. the right to privacy, an issue that can only be determined by the high court. However, the court also noted that the petition was grounded on the use of personal data without consent, an issue that is extensively covered under the Data Protection Act where remedies are provided for, for anyone who suffers damage as a result of non-compliance with the Act and the right of appeal where a party aggrieved files a complaint with the office of the Data protection commissioners but is dissatisfied with the decision. Consequently, the court found that the petitioners had not first exhausted available administrative remedies before filing the petition in court. Further, the petition did not meet the exemptions to be heard before the court before exhausting other remedies provided under the statute.

The Court also held that there were no constitutional issues raised. However, the issue of taking pictures without consent was more of a dispute between private individuals and the proper course was to raise the issue under provided statutes as opposed to the constitution. The respondent's preliminary objection to the petition was upheld and the petition was struck out i.e. the petition was dismissed.

Analysis

The court's decision and reasoning, in this case, upheld the jurisdiction of the Office of the Data Protection Commissioner, to hear matters that arise as a result of claims of breach of the right to privacy as enshrined under Article 31 of the Constitution. This is in further recognition of the fact that the Data Protection Act operationalizes Article 31 in upholding the right to privacy.

The facts in this case suggest that the petitioners would have had a better chance of success if they instead brought a claim against the respondent for the infringement of their image rights. This derives from the fact that the key issue raised by the petitioners was the use of their pictures for commercial purposes without their consent. This was linked to the infringement of the right to privacy under the Constitution. Image rights are categorised into two, the right to privacy and the right to publicity, the right to privacy derives from the right to be left alone and not have one personality presented publicly without consent whereas the right to publicity refers to preventing one's image and likeness from being commercially exploited without permission or contractual compensation.1 Kenyan courts have extensively decided on image rights matters establishing constitutional protections from the right to privacy, dignity, and property. The case of Ann Njoki Kumena v KTDA Agency Limited [2019]eKLR, is one of many cases where the court established infringement on the right to privacy where an image/photograph is used for commercial purposes without consent as established by the petitioners in this case. In the case of Jessicar Clarise Wanjiru v. Davinci Aesthetics & Reconstruction Centre & 2 Others[2017] eKLR, three prerequisites are established for a successful claim of image rights.

  1. Use of a Protected Attribute: this is the use of an aspect of a person’s identity that is protected by the law. This ordinarily means a person’s name or likeness. Notably, the law protects certain other personal attributes as well (data protection laws include personal data).
  2. For an Exploitative Purpose: the use of the name, likeness, or other personal attributes for commercial or other exploitative purposes. The use of someone’s name or likeness for news reporting and other expressive purposes is not exploitative, so long as there is a reasonable relationship between the use of the identity and a matter of legitimate public interest.’
  3. No Consent: establish that a person did not give permission for the offending use.

Core issues raised in the case with Salewa note similar issues as those adjudicated by the courts, in both cases on image rights. Further, a key issue to consider in establishing the jurisdiction of the ODPC in such a matter would be whether photographs/images taken within the context presented in the case amount to personal data and whether the use of the photograph in the circumstances is a breach under the Data Protection Act.

Images can lead to the identification of a person and may amount to personal data, however, a clear position on the same has not been established under Kenyan law. Under the General Data Protection Regulations (GDPR) however, direction is offered where it is noted that photographs and films may contain personal data. The facial image is considered personal data, additional information that may be captured in the image metadata may also offer information that could be considered personal data i.e. the location where the image was taken, time, and other GPS information. “High-resolution recordings in HD quality often also enable biometric recognition of the persons depicted. These cases are even considered particularly protected sensitive personal data.”2

Clarity on the instances where images can amount to data protection branches as provided under the Data Protection Act will be required to provide direction on the instances where such matters can be addressed by the ODPC under the complaints mechanism established in the Act or whether they can solely be addressed within the context of image rights.


1. ‘Controlling the Use of Your Image or Likeness.’ (Legal Match ) https://www.legalmatch.com/law-library/article/controlling-the-use-of-your-image-or-likeness.html

2. Yvonne Schäfer, ‘Does The GDPR Also Apply To Photographs And Films?’ (Mondaque, July 2018)<https://www.mondaq.com/germany/data-protection/714306/does-the-gdpr-also-apply-to-photographs-and-films>

Frequently Asked Questions

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: is a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.