The Office of the Data Protection Commissioner (ODPC) in Kenya has recently issued a fine of 5 million Kenyan shillings (about $47,000) to Oppo Kenya for violating the privacy of an unnamed individual. According to the ODPC, Oppo Kenya used a photo of the complainant on its Instagram account without obtaining the individual’s consent, which is a violation of the Data Protection Act, 2019.
The fine was issued as a result of Oppo Kenya’s “neglect and/or default to comply with an enforcement notice” issued by the ODPC. The notice was issued under Section 62 and 63 of the Data Protection Act, as well as Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.
In addition to using the individual’s photo without consent, the ODPC also accused Oppo Kenya of failing to develop a policy for compliance with the Data Protection Act, as well as failing to establish an internal mechanism for addressing data subjects’ complaints. These failures to comply with the Act led to the issuance of the fine, which will be paid to the ODPC, an agency responsible for enforcing actions against individuals and companies found to be in violation of privacy laws.
The Data Commissioner, Immaculate Kassait, has urged all entities to comply with the Data Protection Act and to implement proper data protection principles and safeguards for all processing activities related to the collection, storage, and other processing of personal data as well as sensitive personal data. Those who fail to comply with the Act may face enforcement procedures.
This news comes on the heels of an audit conducted by the ODPC in October of 40 digital lenders, including Branch and Tala, over concerns about the misuse of customers’ data. The ODPC received 299 complaints from the public regarding the handling of their data by these lenders. Of the 40 companies that received a notice, 22 failed to provide a response and notifications were issued against them. As of the deadline for submission of documents for the compliance audit, 18 out of the 40 entities had responded to the ODPC’s request for information. A comprehensive review of the documents submitted by the lenders is currently underway before further action is taken.
It is clear that the protection of personal data and privacy is a serious issue in Kenya, and companies must be diligent in their efforts to comply with relevant laws and regulations. The fine issued to Oppo Kenya serves as a reminder that failure to do so can have serious consequences. It is important for all businesses to prioritize the protection of personal data and to establish clear policies and procedures for ensuring compliance with relevant laws and regulations.