Embracing Consent: A Pillar of Data Law Compliance

By Elius Katheru

The place of data in today’s world cannot be underrated. Often, data has been likened to being the new age gold owing to its value and its potency for value for entities engaged in the business of data mining from individuals or entities to upscale their competitiveness and profitability. Kenya has since 2019 when it enacted the Data Protection Act (DPA) joined the rest of the world in regulating how businesses or entities engaged in mining the new age gold in bid to protect her citizens from entities, engaged in controlling and processing of data who until 2019 operated unbothered by any penal law. ?

Central to the regulation of data mining activities is the principle of consent, rooted in Article 31 of the Constitution, which guarantees every individual the right to privacy. Defined under Section 2 of the DPA, consent requires a clear, voluntary, and informed agreement from data subjects regarding the processing of their personal information. Failure to adhere to this requirement exposes data controllers and processors—comprising businesses engaged in data mining—to adverse consequences.

In essence, consent mirrors the paramount importance of love in biblical teachings—it stands as the foremost commandment for entities involved in the data business to uphold. To mitigate risks associated with data collection, storage, and processing, businesses must diligently seek unequivocal permission from data subjects.

Consequences of Non-compliance

The absence of consent constitutes a serious breach which can attract significant penalties from data regulatory authority Office of Data Commissioner (ODPC). Recent precedents demonstrate the severity of penalties imposed for violations of data protection laws. For example, the ODPC in Hellen Muthoni vs Solpia Kenya Limited t/a Sistar Kenya (Complaint No. 1963 of 2023) found the respondent liable for violating complainant’s right to privacy for publishing her image on its website without her consent and ordered the Respondents to each pay the Complainant a sum of KES 500,000 for unlawful processing of the complainant’s data.

Conclusion

Consent stands as a foundational principle in the realm of data, one that data subjects, controllers, and processors must prioritize. Businesses handling customer information must adhere to data protection regulations to ensure trust and avoid adverse penalties arising from failure to comply.

About the Author:

The author is a Trainee Advocate undergoing pupilage at Alex & Amersi LLP, Advocates, with a keen interest in Litigation, Commercial, and Technology Law. For inquiries, please contact [email protected]