Introduction
That the digital age has ushered in unprecedented concerns over the right to privacy and the use of personal data is now old news. Virtually all states have set up legal frameworks to safeguard the right to privacy and to govern the use of personal data, including putting into place appropriate compliance and enforcement mechanisms. In Kenya, the right to privacy is entrenched under Article 31 of the Constitution. The Data Protection Act of 2019 (the DPA) establishes the Office of the Data Protection Commissioner (the ODPC) as the institutional mechanism to protect personal data from misuse, as well as to oversee the implementation of and be responsible for the enforcement of the DPA. The ODPC is empowered to investigate any complaints relating to the misuse of personal data and to undertake the necessary enforcement measures through the various regulations made under the DPA, such as the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 (the Complaints and Enforcement Regulations).
Notwithstanding the ODPC’s clear mandate set out in the DPA, its jurisdiction was recently challenged through a Constitutional Petition filed in the High Court in which it was contended that the ODPC had exceeded its authority by using powers reserved for the High Court. In addition, the Petition argued that the mandate of the ODPC overlapped with that of the Kenya National Human Rights and Equality Commission (the KNHREC), which is the body empowered to investigate and deal with any violations of the Bill of Rights, including the right to privacy.
In dismissing the Petition, the High Court (Mwamuye J) affirmed the authority and mandate of the ODPC in the enforcement of data protection law in Kenya.
A. Background
In the Petition, namely, Arunda v Office of the Data Protection Commissioner & another; Data Privacy and Governance Society of Kenya (Interested Party) (2025) KEHC 12262, the constitutionality of Section 56 of the DPA and Regulation 14 (5) of the Complaints and Enforcement Regulations was disputed, with the Petitioner contending that these provisions granted judicial powers to the ODPC, consequently infringing upon the exclusive jurisdiction conferred upon the High Court under Articles 23 (1) and 165 (3) (b) of the Constitution. The Petitioner further contended that the mandate of the ODPC overlapped with that of the KNHREC, resulting in confusion as to constitutional and institutional oversight.
B. Issues
The key issues considered in the Petition included the following:
i. Whether the ODPC usurps the jurisdiction of the High Court?
The Petitioner argued that the ODPC’s powers to investigate and issue binding decisions, including compensation, amounted to the usurpation of judicial authority vested in the High Court. The Court disagreed and found that the ODPC’s power to investigate and make administrative findings does not amount to a judicial function, but rather that the ODPC plays more of a complementary role within the wider legal framework relating to the right to privacy. The Court found that the ODPC played an important and constitutionally permissible function for the realisation of the right to privacy under Article 31 of the Constitution, subject to the supervisory jurisdiction of the High Court as preserved under Section 64 of the DPA.
ii. Whether Section 56 of the DPA and Regulation 14(5) of the Complaints and Enforcement Regulations are unconstitutional?
Closely related to the first issue highlighted above, the Petition also raised the issue of constitutionality of Section 56 of the DPA and Regulation 14 (5) of the Complaints and Enforcement Regulations, asserting that these provisions granted judicial powers to the ODPC. Similarly dissuaded by this argument, the Court found that these provisions do not confer judicial powers upon the ODPC but rather authorise administrative and regulatory functions which were necessary to safeguard the rights under Article 31 of the Constitution. The Court returned the finding that these provisions merely provide the necessary enforcement capacity to a specialized agency, while retaining the existing judicial oversight through the appellate mandate granted to the High Court.
iii. Whether the doctrines of exhaustion and constitutional avoidance applied to bar first instance access to the High Court?
The Court upheld that the doctrines of exhaustion and constitutional avoidance remain applicable. Consequently, the Petitioner was deemed to have improperly bypassed the ODPC’s complaint mechanism, which ought to have been followed in the first instance. The Court reaffirmed the doctrine of exhaustion, which requires persons to first utilise available statutory remedies before approaching the Courts, unless exceptional circumstances are shown to exist, which was not done in this case.
The Court also echoed the doctrine of constitutional avoidance, which discourages premature constitutional litigation when statutory remedies are adequate and available.
iv. Whether there was an overlap between the roles of the ODPC and the KNHREC?
The Petitioner argued that the mandate of the ODPC overlapped with that of the KNHREC, which the Petitioner contended was the body empowered to investigate and deal with any human right violations, including the right to privacy. The Court however took the view that the mandate of the ODPC does not conflict or overlap with that of the KNHREC, but rather the two institutions are designed to complement each other within Kenya’s constitutional and statutory human rights’ enforcement architecture.
C. Conclusion
Overall, the High Court’s decision affirms the power and jurisdiction of the ODPC in the enforcement of data protection and safeguarding of the right to privacy. The decision upholds that the legal architecture provided by the DPA is functional, constitutional and necessary for the effective enforcement of the law relating to data protection.
This case highlights and emphasises the significance of establishing a framework that includes specialised oversight over the increasingly complex issues surrounding data governance, including the collection, storage and use of personal information for addressing privacy-related concerns within a rapidly evolving digital world.
Download the Alert here.
