Kenya’s data regulator has once again demonstrated its resolve to uphold citizens’ privacy rights after ordering Liquid Telecom to compensate a complainant Ksh 700,000 for mishandling personal information.
The ruling by the Office of the Data Protection Commissioner (ODPC) reinforces the country’s strict stance on unlawful data processing under the Data Protection Act, 2019.
The case stemmed from a complaint by Andrew Alston, who accused Liquid Telecom of recording and using his personal data without consent.
Despite his formal request to have the data deleted, the company allegedly continued to process it for over a year. The ODPC concluded that this conduct violated the principles of lawful and fair processing outlined in Kenya’s data protection laws.
“The Respondent violated the complainant’s right to be informed of the use to which his personal data is to be put under Section 26(a) of the Act and his right to erasure under Section 40(1)(b), ” Data Commissioner Immaculate Kassait, while delivering her determination, said.
The regulator ruled that Liquid Telecom failed to provide a lawful justification for processing the complainant’s data and ignored his right to erasure.
As a result, the company was ordered to pay Sh700,000 in compensation and comply with an Enforcement Notice directing it to align its operations with the data protection framework.
“Having found that the Respondent processed the Complainant’s personal data without a lawful basis, the Office hereby orders compensation and issues an Enforcement Notice to ensure compliance,” Kassait added.
Enacted in 2019, Kenya’s Data Protection Act aims to safeguard personal information and promote accountability among data controllers and processors.
It gives individuals the right to know how their personal data is used, to access it upon request, and to demand its deletion if it is collected unlawfully or no longer necessary. The law also requires organisations to process personal data transparently, fairly, and only for specific purposes.
Since its establishment, the ODPC has actively pursued enforcement against companies that flout these requirements. The regulator has issued fines to digital lenders for misuse of customer information, reprimanded schools for sharing student data without consent, and penalised healthcare providers for privacy breaches.
These actions highlight Kenya’s growing emphasis on digital rights and the protection of personal information in an increasingly connected economy.
For organisations operating in Kenya, the Liquid Telecom ruling sends a clear message that compliance with the Data Protection Act is mandatory.
Companies are advised to strengthen their internal data protection policies, conduct regular audits, and ensure that staff understand their obligations when handling personal information. Ignoring data subjects’ rights, especially consent and erasure, can lead to heavy financial penalties and lasting reputational damage.
Leave a comment