A DISCUSSION ON THE BULLISH, ILLEGAL & UNINFORMED REACTIONS BY OWNERS OF ESTABLISHMENTS TO THE OFFICE OF THE DATA PROTECTION PENALTIES

WKA Advocates Newsletter-Edition #12

It is our considered opinion that by publishing some of the uninformed notices highlighted in our WKA newsletter, owners of entertainment joints and restaurants such as #theloftlounge and #thequiverlounge have informed their patrons that they have ferocious dogs (mbwa kali) inside their establishments, read ‘photographers’. If the patrons are bitten (photographed), the establishment owners have declared that they shall not bear any responsibility since the patrons have already given implied consent to the trespass and/or assault of their image rights and rights to privacy. This begs the question: who brought the ‘mbwa kali’ (read photographers) into the restaurants and entertainment joints?

The panic by business owners has exposed the general and widespread ignorance of #DataProtectionLaws in Kenya. Lo and behold, that era is about to end! The #OfficeoftheDataProtectionCommissioner (“ODPC”) has come out with guns blazing and it’s high time that all persons familiarized themselves with the Data Protection Laws.

This is rather critical, especially because we live in times where massive amounts of data are being collected, stored and used by third parties. The pertinent questions are: do #DataSubjects know their rights? Do #DataControllers know their obligations under the #DataProtectionAct,2019 (“DPA, 2019”)?

It is a fundamental legal principle in Kenya that ignorance of the law is no defence. This was evident in the 3 Penalty Notices issued to 3 Data Controllers by the #ODPC, on 26th September 2023 for failing to observe #DataPrivacyRights of Data Subjects and also not complying with the #DataProtectionAct.

According to the press statement from the ODPC, Mulla Pride Ltd, a Digital Credit Provider (DCP) which operates the KeCredit and Falcrash mobile lending apps, received a penalty of Ksh. 2,975,000 after it was found culpable of using the names and contact information of the complainants, which were obtained from third parties and subsequently used to send threatening messages and phone calls. The second Data Controller, #CasaVera Lounge, a restaurant based along Ngong Road in Nairobi, was fined Ksh. 1,850,000 for posting a reveler’s image on their social media platform without the data subject’s consent. Lastly, Roma School, an educational institution based in Uthiru, was fined Ksh. 4,550,000 for posting minors’ pictures without parental consent.

In reaction to the Penalty Notices, various bars and restaurants have responded by making it clear that patrons choosing to unwind at their establishments may be subject to photography and video recording. Establishments such as Evo Lounge, The Loft, Texas Barbeque, Platinum 7D and Quiver Lounge Kilimani have issued warnings of implied consent to revelers entering their premises.

Below are excerpts of the Mbwa Kali “warnings of implied consent”:

To echo the statement from #Evo Lounge in part: “Your entry and presence on the premises constitute your consent to be photographed, filmed, and/or otherwise recorded and to the release, publication, and reproduction of any and all recorded media of your appearance, voice, and name for any purpose whatsoever in perpetuity in connection with Evo Lounge…

By entering the premises, you waive and release any claims you may have related to the use of recorded media of you at the event, including, without limitation, any right to inspect or approve the photo, video or audio recording of you, any claims for invasion of privacy…”

These are what we deem as MBWA-KALI DECLARATIONS. It is quite unfortunate that many business establishments missed the point of the 3 penalties recently issued by the #ODPC. Instead of appreciating the #DataPrivacyLaws, these establishments have rushed to hide behind invalid and bullish warning notices of implied consent. That is NOT how the law operates!

Restaurants and bars (Data Controllers) that employ professional photographers (Data Processors) to capture images (Personal Data) of revelers (Data Subjects) to enhance the club’s online visibility, promote its activities, and attract clientele have obligations under the Constitution of Kenya, 2010 and the Data Protection Act, 2019.

All Data Controllers and Data Processors have an obligation under the DPA, 2019 to register as such, before collecting any data. The ODPC issues a certificate to the qualified persons/entities and keeps a register of the same. Therefore, the question is, as a business owner, are you registered and licensed to collect personal data?

Under the DPA, 2019, where a Data Controller or Data Processor collects personal data, they must ensure that such data is processed within the requirements of the law and with due regard to the rights of the Data Subjects from whom they collect such information. A key component of this obligation is to obtain the free, express, informed, and unequivocal consent of a data subject (or their parent/guardian, if they are a minor). Therefore, consent cannot be implied. It is either Yes or No.

The DPA, 2019 espouses 8 #DataProtectionPrinciples, namely:

  1. Right to privacy: Every Data Controller or Data Processor shall ensure that personal data is processed according to the data subject’s right to privacy, noting that Article 31 of the Constitution protects the right not to have information relating to family or private affairs unnecessarily required or revealed.
  2. Lawfulness, fairness, and transparency: Any processing of personal data should be lawful and fair. An entity is responsible for informing Data Subjects that they intend to collect data, how the data will be used, whether the data is to be passed on or disclosed to a third party and who the said third party is.
  3. Purpose Limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for processing personal data should be explicit and legitimate and determined at the time of the collection of the personal data.
  4. Data Minimisation: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  5. Accuracy: Data Controllers must ensure that personal data are accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, Data Controllers should accurately record the information they collect or receive and the source of that information.
  6. Storage Limitation: Personal data should only be kept in a form that permits identification of Data Subjects for as long as is necessary for the purposes for which the personal data are processed. The personal data must be deleted or anonymized once it has served its purpose, subject to an entity having other grounds for retaining the information.
  7. Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorized or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
  8. Accountability: Finally, the Data Controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Data Controllers must take responsibility for their processing of personal data and how they comply with the DPA, 2019 and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the ODPC.

In addition, Section 37(1) of the DPA, 2019 provides that commercial use of personal data is forbidden UNLESS:

  • Consent has been obtained from the Data Subject; or
  • The use is authorized under a written law and the Data Subject has been informed of such use when collecting the data from the Data Subject.

Section 37 (2) further requires that when using personal data for commercial purposes, the personal data should be anonymized in such a manner as to ensure that the Data Subject is no longer identifiable.

The DPA, 2019 also guarantees data subjects the following rights under section 26:

  1. Right to be informed of the use to which their personal data is to be put;
  2. Right to access their personal data in custody of data controller or data processor;
  3. Right to object to the processing of all or part of their personal data;
  4. Right to correction of false or misleading data; and
  5. Right to deletion of false or misleading data about them.

This means that Data Subjects can institute a complaint against any person or entity for violation of the above rights and for breach of personal data. Section 2 of the DPA, 2019 defines #PersonalDataBreach as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Further, the ODPC has the power to investigate any complaint and can issue a verdict of:

  • Penalty Notices and Administrative fines of up to 5 million shillings or 1% of the entity’s annual turnover;
  • Enforcement Notices and Administrative Action; or
  • Compensation to the Data Subject.

Therefore, business establishments such as Restaurants, Bars, Hair salons, Barber Shops, Gyms, and car dealers CANNOT purport to:

  • Obtain personal data without a certificate of registration as a data controller or data processor;
  • Obtain implied consent from data subjects;
  • Use personal data for any purpose whatsoever in perpetuity; or
  • Restrict data subjects from inspecting the personal data collected from them.

The warning Notices of Implied Consent issued by the likes of #Evo Lounge, #Quiver Lounge, and #Platinum 7D among others are null and void by virtue of illegality and will hold no water in case of a complaint in relation to violation of Data Privacy Laws. #DataProtectionOfficers (Advocates) are vital in ensuring establishments comply with the Data Protection Laws to avoid penalties amounting to millions of shillings.

We at WKA Advocates offer the services of Data Protection Officers and are dedicated to ensuring our clients strictly observe and conform to all requirements of Data Protection Laws.

We hope this information is helpful in understanding the key provisions of the Data Protection Act, 2019. Please note that the contents of this newsletter are intended to provide a general guide to the subject matter. It should not be relied upon without legal advice on its contents.

Should you require further information or legal assistance on Compliance or any other legal issue, kindly feel free to contact us at info@wka.co.ke, www.wka.co.ke, +254 798 03 580, Nairobi Hub: Parklands, Valley View Business Park, 6th Floor, City Park Drive, Off Limuru Road.
