In a landmark Judgment delivered on 14th October 2021, the High Court of Kenya (Ngaah J) has found that the Data Protection Act, 2019 is of retrospective effect and proceeded to issue an order of certiorari to quash the Government’s decision to roll out Huduma Cards and an order mandamus to compel the Government to conduct a data protection impact assessment (“DPIA”) as mandated by section 31 of the Data Protection Act, 2019 (the “DPA”) before further processing and rolling out of Huduma Cards.
In arriving at this decision, the High Court found that the DPA was intended to apply retrospectively so as to cover any action that may be deemed to affect the right to privacy as protected under Article 31 (c) and (d) of the Constitution of Kenya, 2010. The Court’s finding, though of doubtful grounds, was based on the reasoning that the DPA was a statute that caters for procedural, rather than substantive rights, as it provides for the means of implementation of the right to privacy as conferred by Article 31 of the Constitution.
Our take is that the DPA, quite contrary to the Court’s analysis, provides for substantive, rather than procedural rights, with the latter provided for under the various regulations promulgated and to be promulgated under the DPA. In this regard, it is noteworthy that the preamble of the DPA provides that the Act is created not only to give effect to the provisions of Article 31 (c) and (d) of the Constitution but also to provide for the rights of data subjects, which the DPA proceeds to provide for under various sections of the DPA, including the cornerstone section 26 of the Act.
Indeed, it is from the said substantive rights that the duties and obligations of data controllers and data processors arise, including the need to undertake a DPIA where the processing of personal data is likely to pose a risk to the data subject. We further note that there is no express provision under the DPA as to its retrospectivity, and so the Court ought to have been slow to impute such an intention by the lawmakers i.e., Parliament, in the absence of an express provision to that effect.
It is also not clear why the Court failed to find or consider whether there was a public interest element in the processing and rolling out of Huduma Cards, that would warrant the exemption of the DPA thereto, pursuant to the provisions of section 51 (2) (b) of the Act.
Whilst we harbour doubt that the Court’s decision will withstand appellate scrutiny, (we note that the Attorney General has already filed a Notice of Appeal against the Court’s decision), the decision currently stands as a lawful and binding decision passed by a Court of competent jurisdiction. In the circumstances, until such time that the decision is either stayed, varied or set aside all persons and entities that collect personal data and/or have collected data from the period running from 27th of August 2010, when the Constitution was promulgated onwards, will be required to consider whether the data processing was compliant with the provisions of the DPA, or stand to suffer the risk of retrospective liability.
Practically, this means that data processors and data controllers are advised to carry out comprehensive audits of their data collection and processing mechanisms so as to ensure compliance with the provisions of the DPA, which include but are not limited to the carrying out of a DPIA where the data processing activity carries with it potential risk to data subjects.
Please click here to download the alert.
This alert is for informational purposes only and should not be taken or be construed as a legal opinion. If you have any queries or need any clarifications as to how this decision or any other aspect of the Data Protection Act, 2019 might affect you, please do not hesitate to contact John Mbaluto, FCIArb (firstname.lastname@example.org), Jacob Ochieng (email@example.com), Daniel Okoth (firstname.lastname@example.org), Milly Mbedi (email@example.com), Nancy Kisangau (firstname.lastname@example.org) or your usual contact at our firm.