The Office of the Data Protection Commissioner (ODPC) is cracking the whip on companies that are breaching the privacy of their users’ personal data as it tightens the noose on misuse of such information.
The ODPC reiterated its commitment to smoke out institutions such as banks, betting firms, digital lenders and online retail shops that violate provisions of the Data Protection Act, adding that it has stepped up the war on online private data breaches even as the digital economy booms, exposing vast quantities of sensitive user data to misuse.
Data Protection Officer Yusuf Momanyi disclosed that ODPC has received over 2,000 complaints between February 2022, when the Data Protection Regulations took effect, and last month. The bulk of the complaints were on digital lenders.
In exercising its mandate, Momanyi said the office had this April penalised one online lender and a city working space provider Sh5,000,000 each over allegations of intruding on and sharing Kenyans’ personal data.
Digital lender Whitepath Limited was penalised for non-compliance and non-cooperation with ODPC following complaints lodged against it by users of its services over breach of personal data.
Speaking during a sensitisation workshop on data protection organised for Nakuru County Government employees, Momanyi further cited a case where the Data Commissioner slapped Oppo Kenya with a Sh5 million fine over privacy infringement after it used the photo of an unnamed complainant on its Instagram page without consent.
“We have carried out an audit on 10 digital lenders over misuse of customers’ data following complaints from the public. The issue is not to stop the data collection, but to have parameters within which those sensitive personal data sets can be collected, stored, accessed and shared. Don’t over-collect information about people, without justifications,” stated the Data Protection Officer.
He observed that illegal access to pools of personal data gleaned by individuals, companies and even government agencies is often used for blackmail, identity theft, intimidation, targeted advertising and extortion.
Mr Momanyi indicated that insurance and health care providers also face stringent fines in case they breach the privacy of patients by sharing such data with third parties.
He warned firms that getting their processes flagged by ODPC not only results in enforcement notices and administrative fines but also a steep public relations cost due to the ensuing bad publicity.
Momanyi said the Data Protection (General) Regulations, 2021 and the complaints handling regulations took effect from March 14, 2022, while the registration of data controllers and processors took effect on July 14, 2022.
He noted that the Data Protection (General) Regulations, 2021 provide for rights of a data subject and limitations to commercial use of such information. They also explain the roles of data controllers and processors, the communication of data breaches and the transfer of data outside Kenya.
The officer said in the event of commercialization of data, a data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.
He said that he or she is liable, upon conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment according to the Data Protection Act.
Momanyi said sharing or offering for sale personal information could land those responsible for their safe storage jail terms of up to six months or fines of up to Sh5 million. A data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence.
He added that such a person is liable, upon conviction, to a fine not exceeding Sh20,000 or to a term of imprisonment not exceeding six months, or to both fine and imprisonment according to the Data Protection Act.
The officer said in relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to Sh5 million, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower.
Deputy Governor David Kones observed that the enactment of Kenya’s Data Protection Act of 2019 follows the path taken by the European Union in enacting the General Data Protection Regulation (GDPR) in May 2018.
“In this digital age, organisations have come up with different technological solutions, including digital services, online advertising, e-communication and virtual sharing of information. There is thus a paradigm shift towards the digital space, with many organizations processing more and more data in order to drive strategic growth and improve their bottom line,” Kones added.
The Deputy Governor observed that owing to the rising amount of data created and processed by organisations, there is a great possibility of violation of data security and privacy, thus the rising need for data protection.
He noted that virtually all private firms, government agencies and departments in county governments collect data from either customers, employees, suppliers or service providers.
“Data collected by organisations ranges from IP addresses, search histories, location, credit card numbers, purchase histories, among others. Inevitably, every organisation is likely to touch on private data of thousands or millions of individuals at some point,” explained Kones.
The Deputy Governor underscored the importance of organizations complying with the provisions of the Data Protection Act at the initial stages of a product life cycle, especially when collecting and storing such data, including when onboarding new employees.
He cautioned that collecting data without the right privacy protections in place will have adverse and long-term effects on organisations, and that the penalties for breach are high enough to make organizations pay attention to data privacy.
“For instance, the fine for breach of the Data Protection Act could be as high as three per cent of the annual turnover of an institution. Organizations need to commit to high standards of data privacy while ensuring that their employees understand their commitment to the same,” said Kones.
Kones said employees are the predominant custodians of data in an organisation and are at the highest risk of breach of privacy, hence the need to create awareness among them on the legal requirements relating to data privacy.
“This should entail making employees understand their roles in upholding high standards of data privacy during the collection, processing and storage of data, considering the significant impacts any form of data breach will have on the business, especially the financial and reputational risks associated with breach,” the Deputy Governor added.
Kones pointed out that, in the long term, data privacy will be a great brand differentiator, as it will build customer loyalty, while lack of it will impede organisational growth. He said the image and reputation of a company with strong privacy mechanisms will create trust, which is the basis for establishing a loyal customer base.
By Jane Ngugi