
“How Mishandling of Driver’s Personal Data Cost Bolt Kenya Shillings Five Hundred Thousand”

Blog By

Ms. Clare Purity, Data Protection Officer

South-End Tech Limited

Date: November 21, 2024

The Data Protection Act 2019 (DPA 2019) came into force to regulate the processing of personal data. The DPA 2019 seeks to realize the right to privacy as enshrined under Article 31 of the Constitution of Kenya, 2010. Section 2 of the Data Protection Act 2019 defines personal data as any information relating to an identified or identifiable person.

The Office of the Data Protection Commissioner (ODPC) has been at the forefront in ensuring privacy rights are upheld as evidenced by the case of Kennedy Wainaina Mbugua v Bolt Operations. Privacy and data protection have become crucial issues in this age of technology and digital services. The outcome of this case has the potential to redefine how Data Controllers and Processors handle personal data entrusted to them.

Background

In the case, the Complainant, Kennedy Wainaina, sued Bolt Operations for breach of his privacy rights by allowing access to and use of his personal data. Bolt Operations had collected the Complainant’s personal data when onboarding him onto their system as a cab driver. In a well-orchestrated scheme, third parties called the Complainant, told him that someone was using his Bolt account to carry out unauthorized rides, and instructed him to send a selfie of himself together with his identity card in order to regain access to the account. The Complainant went ahead and sent the requested photo of himself and his identity card to the third parties. The third parties then made substantial changes to his Bolt account, including the description of his car and his area of operation. The Complainant was locked out of his account and only then realized that the communication had not come through Bolt’s official communication channels.

The third parties went on to conduct fraudulent rides in the name of the Complainant and were paid using the details obtained from the Complainant and from Bolt. The Complainant’s calls and messages to Bolt requesting a change to the account details did not bear any fruit, as Bolt staff did not take the action required under Bolt’s own policies. They even went on to lock the Complainant out of his account for a while.

The Respondent admitted that its customer support had failed to follow some of the verification procedures put in place before an account holder may change their account details. It also admitted that it had not reported the personal data breach to the ODPC as required under section 43(1) and (2) of the Data Protection Act. It had further failed to conduct a Data Protection Impact Assessment (DPIA) even though it collects large amounts of personal data belonging to employees and passengers who use its Bolt services. The Respondent also disclosed to the ODPC that, besides the Complainant, it had received a complaint of a personal data breach from one of the passengers who had been carried by the third party.

Issues

The ODPC was therefore tasked with rendering a finding on the following issues:

  1. Whether there was a data breach?
  2. Whether there was an infringement of the Complainant’s rights under the DPA 2019?
  3. Whether the Respondent fulfilled its obligations under the DPA 2019?
  4. Whether the Complainant is entitled to any remedies under the DPA 2019 and Regulations?

Determination

On the first issue, the ODPC acknowledged the role played by the Complainant in sharing his personal data with an unverified person. The ODPC nevertheless noted that there had been unauthorized access to the Complainant’s driver account held by the Respondent, and that this constituted a breach of personal data.

The ODPC relied on section 2 of the Data Protection Act which defines personal data breach to mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

On the second issue, the ODPC held that the Respondent violated Section 26(1)(b) which recognizes the right of a Data Subject to access personal data held by the Data Controller or processor. This right was infringed upon when the Respondent locked out the Complainant from accessing his Bolt Driver Account.

The ODPC also held that the Respondent violated section 26(d) of the Data Protection Act which provides for the right of the Data Subject to have false or misleading data corrected. Bolt violated the right of the Complainant when they failed to heed his request to have the account details corrected to reflect the true data about him.

On the third issue, the ODPC noted that the Respondent had not reported the personal data breach to the ODPC within 72 hours, or at all, as required of them under section 43 (1) and (2) of the Data Protection Act. They were therefore in violation of the DPA 2019.

The ODPC also found the Respondent to be in violation of section 31 of the Data Protection Act, which requires Data Controllers and Processors to carry out a Data Protection Impact Assessment. The Respondent had failed to carry out the DPIA even after the data breach, terming it unnecessary.

Lastly, on this issue, the ODPC highlighted the provisions of section 41 of the Data Protection Act and held that the Respondents violated it for failing to put in place technical and organizational measures to implement the data protection principles as enshrined in the DPA 2019.

On the fourth and last issue, the ODPC held that the Complainant was entitled to compensation for the personal data breach. The ODPC awarded the Complainant five hundred thousand shillings (Kshs. 500,000) for the violation of his rights under the DPA 2019.

Implications of the case

Following the decision of the ODPC in the case of Kennedy Wainaina Mbugua v Bolt Operations, most organizations will strive to comply with the provisions of the Data Protection Act, 2019.

Most organisations will have to strengthen their privacy protections to ensure that the personal data in their custody is well protected against unauthorised access and breach.

Data controllers and processors will also be more aware and accountable, including reporting any breach of personal data to the ODPC within 72 hours as provided for in the DPA 2019.

Conclusion

The case of Kennedy Wainaina Mbugua v Bolt Operations shines a ray of light on the future of data protection in Kenya. This case will set a precedent on the enforcement of data protection laws as well as the role to be played by Data Controllers and Processors in ensuring the privacy of personal data within their custody.

From the above decision by the Office of the Data Protection Commissioner, all Data Controllers and Processors should put in place measures to combat data breaches. Data Controllers and Processors who collect large amounts of personal data should carry out Data Protection Impact Assessments in instances where the processing would result in a high risk to the rights of Data Subjects.

It is also important that organizations train their staff on how to handle personal data and how to respond in instances of data breach so as to ensure that personal data is highly protected.

Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs by telephone on +254115867309, +254721864169 or +254740196519, or by email at clare@southendtech.co.ke, dataprotection@southendtech.co.ke or info@southendtech.co.ke.
