DATA PROTECTION LITIGATION TRENDS IN AFRICA PART 2
We continue exploring Data Protection litigation trends in Africa. Once again we look to a ruling by the Kenyan Office of the Data Protection Commissioner (ODPC) in the case of Victor Munyua and Liquid Intelligent Technologies.
In this case, the Applicant brought a claim before the ODPC alleging that the Respondent, without proper or justifiable cause, processed his image without his consent for marketing and commercial purposes on their website.
Factual Matrix
The complainant was an executive at leading global companies and he claimed that the Respondent had used his image for commercial gain on its website.
In its defence, the Respondent argued that the Complainant had consented to the use of his image. It stated that the Complainant, among others, had participated in a photoshoot facilitated by the Respondent sometime in 2018 and all participants had been issued with a model release form which they had signed as consent for the use of their images. The Respondent however had failed to capture the names of the participants alongside their signatures. However, it argued that by subjecting himself to a photoshoot facilitated by the Respondent, as well as the mere execution of the document, the Complainant had given consent to his photograph being used.
The Respondent further contended that upon receipt of the Complainant’s demand letter, the image was immediately????? pulled down. Nevertheless, removal of the image did not constitute liability on its end since the Complainant had consented to the collection, processing and use of his image.
Decision of the Office of the Office of the Data Protection Commissioner
The ODPC held that the model release form could not be relied on to demonstrate consent as none of the signatures appearing on the form could be attributed to the Complainant. The Office took cognizance of the fact that the violation had occurred years before the enactment of the Data Protection Act. However, upon enactment, it was incumbent upon the Respondent to ensure that the processing of personal data and the basis of consent complied with the Act insofar as the requirements for valid consent were concerned.
领英推荐
Further, the Respondent, as the data controller bore the burden of proving that the data subject had consented to the processing of his personal data for a specified purpose.
The Respondent having failed to furnish the Office with compelling evidence showing that the Complainant had expressly consented to the use of his image for commercial purposes, it had not obtained the requisite consent to use the Complainant’s image as required by the Act.
In the premises, the office awarded the Complainant compensation in the sum of 500 000 Kenyan Shillings.
Key Takeaways
This case highlights the importance of obtaining valid and verifiable consent when processing personal data. Data controllers bear the burden of proving consent and vague or undocumented agreements, are insufficient. Organizations must also note that even if data processing occurred before the enactment of data protection laws, they must ensure compliance retroactively to align with current legislation to avoid the dire consequences of non-compliance.
Article by Princess Musa Dube?
If you have interest in an in-depth discussion on this subject matter or any Data Protection issues, feel free to contact us at [email protected] Tel: 3116371
Disclaimer: This article is for information purposes only and should not be taken as legal advice.