COVID-19: A Data Protection Perspective and A Key Decision by The UK Supreme Court

Posted on April 21st, 2020

The COVID-19 pandemic raises data protection issues as most organizations begin to grapple with the data protection ramifications with regard to personal data that might relate to the pandemic e.g. travel history, proximity or contact with infected individuals, underlying health conditions or vulnerability, etc. Indeed, one of the proposed ways to check the spread of the disease is through the use of a mobile phone app that would alert one of close proximity or contact with an infected person. For such an app to work, it would undoubtedly require the availability and use of people’s personal health data which falls within the definition of “sensitive personal data” under the Data Protection Act, 2019 (DPA) and care ought to be taken before processing such data and risk running afoul of the DPA, with potential penal consequence.

Section 44 of the DPA prohibits the processing of sensitive personal data unless the same is processed in line with the data protection principles set out under section 25 of the DPA which include data collection for legitimate purposes and limited to the extent necessary. Under section 46 (1) of the DPA, processing of personal data relating to the health of an individual is restricted to healthcare providers or persons under obligation of professional secrecy under law. However, section 46 (2) (a) of the DPA, then provides that the condition under section 46 (1) is met if the processing “is necessary for reasons of public interest in the area of public health”. It is therefore arguable that organizations that possess or collect personal data may be allowed to process such data if it is deemed necessary “for reasons of public interest in the area of public health” relating to COVID-19.

That notwithstanding, organizations ought to take necessary precautions so as to abide by the data processing principles set out under section 25 of the DPA, and where in doubt, appropriate guidance may be sought from the Data Commissioner, given that the DPA is fairly new legislation in Kenya (having come into force on 25th November 2019) while the COVID-19 pandemic is itself a public health crisis of unprecedented proportions.

Speaking of compliance with data protection laws, a key decision was recently handed down by the United Kingdom’s Supreme Court regarding an employer’s vicarious liability in respect of breaches of the United Kingdom’s Data Protection Act, 2018 (the UK DPA) in the case of  WM Morrison Supermarkets plc vs Various Claimants (2020) UKSC 12. The decision was in respect of a challenge by Morrisons on the Court of Appeal’s decision by which the supermarket chain was found vicariously liable for data breaches committed by its former employee which had satisfied the “close connection test” The Court of Appeal also rejected the argument advanced by Morrisons that since vicarious liability in respect of data breaches by an employee was not expressly included in the UK DPA, an employer should not be vicariously liable for such breaches.

The UK Supreme Court considered the two issues afresh and applied the close connection test with reference to a long line of established precedent on vicarious liability. The Court considered the fact that the actions of Morrisons’ former employee had not been pursued in furtherance of his employer’s business and that he was on a “a frolic of his own”. The Court of Appeal’s application of the close connection test was found to have been faulty, as what ought to have been considered was the entire sequence of events and whether an individual was acting in his capacity as an employee and in furtherance of his employer’s objectives before arriving at a positive finding of vicarious liability.

On the issue as to whether vicarious liability is excluded under the UK DPA, the Court held that the statutory liability of a data controller under the UK DPA, including the liability for the conduct of its employee, is based on lack of reasonable care, whereas vicarious liability is not based on fault. The Court went on to state that there is nothing anomalous about the contrast between the fault-based liability of the primary wrongdoer under the UK DPA and the strict vicarious liability of his employer. In reaching this conclusion, the Court drew an analogy between the fault-based liability of an employee for negligence and the resultant strict vicarious liability of his employer with the resulting determination that the UKDPA does not exclude vicarious liability for data breaches by an employee.

While the decision was ultimately in Morrisons’ favour, the case turned largely on the application of the close connection test which was both fact dependent and context specific with regard to that particular case.

This alert is for informational purposes only and should not be taken as or construed to be legal advice. If you have any queries or need clarifications, please do not hesitate to contact John Mbaluto (, Gibran Darr ( or your usual contact at our firm, for legal advice relating to the COVID-19 pandemic and how the same might affect you.

Islamic Banking: The Regulatory Imperative

Posted on June 27th, 2018

Share this article

In recent years, the rapid growth of Islamic banking products, not only in Kenya but globally, has been significant enough that the International Monetary Fund (IMF) commissioned a working paper in 2014 on the need for legal and prudential regulation of the sector. The working paper relied on a survey of a wide spread of areas including the Middle East, Indonesia, the United Kingdom, North Africa and Sub-Saharan Africa. More recently, in January 2017 the IMF published a Multi-Country Report (the Report) in which it recognised that the legal framework in Kenya has not adapted to the specificities of Islamic banking and that there are remaining gaps in the shari’ah governance framework in Kenya. While the Report made reference to the 2014 working paper and noted that a significant number of banks and financial institutions were offering Islamic banking products, with Kenyan banks being the key players in the market, there was a growing need for regulation of the sector to ensure that Islamic banking was being practised within the accepted parameters of shari’ah compliance.

Regulatory Challenges

The concept of Islamic banking is rooted in certain elements that are prohibited since they are innately haram (or forbidden) in Islam and for this reason the said elements must be excluded from any contract between contracting parties, as such a contract would be rendered non shari’ah compliant if it incorporates these elements. The said elements include riba (interest), gharar (uncertainty), maysir (gambling) and qimar (speculation). From a financing perspective, a bank offering Islamic banking products to its customers would thus need to ensure that the said elements do not form part of any financing transaction for a contract to be considered shari’ah compliant.

In essence, the unique nature of shari’ah compliance from a financial perspective immediately poses challenges that current regulatory legislation such as the Banking Act (Cap. 488) and the Central Bank of Kenya Act (Cap. 491) (the CBK Act) do not sufficiently deal with. The Kenya Deposit Insurance Corporation Act, 2012 which aims to protect depositors of troubled banks, is equally not well suited to cater for depositors of banks that provide Islamic banking products, as well as conventional banking as deposit premiums from account holders of purely Islamic financial products are not segregated from premiums of regular deposit holders. The premiums from Islamic banking products would need to be aligned to the takaful insurance model which is an Islamic alternative to commercial insurance and also emphasises avoidance of riba, maysir and qimar.

The need for a regulatory framework has become even more pressing, based on the fact that international banks offering Islamic products are keen on breaking into the Kenyan financial market in order to exploit the full potential of Islamic banking, the most recent entry being that of Dubai Islamic Bank, which is one of the largest banks in the United Arab Emirates. It has recently been granted a licence to operate in Kenya.

The Malaysian Model

The regulation of the shari’ah model in the Kenyan context should draw significant inspiration from the Malaysian model of regulation which started with a primer for the Islamic banking business with the enactment of the Islamic Banking Act, 1983 and later made strides toward incorporation of regulation of shari’ah based financial activity by amendments to the Central Bank of Malaysia Act, 1958 in the year 2003 to incorporate provisions for regulation of the Islamic banking industry by amongst other things, establishing a Shari’ah Advisory Council (SAC) as the authority for ascertainment of Islamic laws that would be applicable to shari’ah financial products. On 1st July 2013 the Islamic Financial Services Act (IFSA) was enacted and it repealed the IBA to give way for a consolidated and contract based framework for Islamic finance.

The SAC in Malaysia initially played the role of a referee for court or arbitration proceedings and while the rulings of the SAC were binding on arbitration proceedings, they were only of persuasive value to the courts. The repeal and replacement of the Central Bank of Malaysia Act , 1958 with the Central Bank of Malaysia Act , 2009 changed this position and made it mandatory for courts to take into consideration the rulings of the SAC.

The challenges that a SAC would face in the Kenyan context would be in having the commercial division of the High Court consider rulings by the SAC which would be decided on Islamic finance principles as opposed to other sources of law such as English contract law, and common law as it does now. However, the obstacle is surmountable on the basis that Malaysia, like Kenya, has a system where only matters related to Muslim marriage and divorce matters are adjudicated upon by Kadhis, while all commercial matters are adjudicated upon by secular courts. In so far as an interpretation of Islamic law is not at odds with the English contract law position, the commercial courts in Kenya would be able to apply the principles espoused by a SAC to an adjudication before it.

The need for a SAC is underpinned by fact that shari’ah law has its primary sources being the Quran (the Holy Scripture) and Sunnah (the way of the prophet Mohamed). The model is much like English law which has its primary foundations in statute and subsidiary legislation, the application of which, over time, has developed common law as a secondary source. In Islamic law, the branch of religious knowledge known as fiqh (understanding) informs the theoretical basis and jurisprudence of shari’ah law which in turn is developed by itjihad (interpretation) of the primary sources. The different schools of fiqh inform the interpretation of the principles of Islamic law and the application of these principles through a SAC would be vital in codification and regulation of the sector as it will result in a blue print of the dos and don’ts for the drafting and structuring of Islamic finance contracts by banks. With a SAC in place, law firms would also be in a better position to advise on accepted practice and viability of the structuring of Islamic finance contracts on accepted industry practice within SAC and regulator acceptable guidelines.

The Interpretation Challenge

In Islamic banking, one of the core contracting principles is that a sale is allowed as it is a real transaction and provides for a fair distribution of risk and results in real value while riba is forbidden. The application of the principle can be seen in the most basic home financing agreement, also known as the diminishing musharkah agreement in Kenya. This involves a back to back buying and selling where the customer of the bank will first sell the asset to the bank at a spot price and the bank will immediately sell the asset back to the customer at a higher price, on a deferred payment basis. The model sits squarely within the principles of Islamic banking as the parties are contracting on an ascertainable asset which will result in a profit for the bank on the deferred payment basis and the transaction will result in ascertainable value for the customer thereby knocking out the forbidden elements of riba, gharar and qimar. The bank will usually protect its interest by registering a charge over the property.

A separate form of the diminishing musharakah contract exists known as the bay al’ inah, which is a form of personal financing where the customer has nothing to sell but is in need of obtaining cash in the form of personal financing, In the bay al’ inah contract the bank, as the original owner, will sell the asset to the customer on a deferred payment basis and the customer, being the new owner, will immediately sell the asset back to the bank, at a lower spot payment price in order to obtain personal financing. In this case there is no charge over the asset as it is a mode of personal financing and the same will usually be secured by a pledge or personal guarantee. This form of Islamic finance is from the Shafi fiqh and is validated by some scholars as it conforms with the essential elements of a sale i.e. the subject matter is ascertainable and the transaction involves profit on a deferred payment basis. On the other hand, some schools of thought and some Shafi scholars have disapproved of it on the basis that it involves two sales in one and is a legal device intended to circumvent the prohibition of riba.


The Report recognises that the Central Bank of Kenya has accommodated Islamic banks by exempting them from provisions of the CBK Act that prohibit trading or investment in consideration of their business, but does not provide adequate guidance on the Islamic concepts applicable in Kenya.

The introduction of regulation and the establishment of a SAC will ensure that there is a uniform application of the principles and concepts of Islamic banking and with authoritative determinations from a panel of experts, plus, a sure footed regulatory and governance structure and law firms would also be able to authoritatively advise clients on the best practice on structuring finance agreements, without running the regulatory risk of being adjudged as having breached essential shari’ah compliant elements. This form of regulation would also ensure bank customers that the Islamic finance products that they are subscribing to, fit within established guidelines and they do not run the risk of being subjected to contracts that have been innovatively disguised as shari’ah compliant.

In conclusion, the regulation of the Islamic banking sector would not only prevent it from possible and perceived breaches but would ensure its robust development in the Kenyan market.

Benchmark: Effectiveness of Public Private Partnerships in Kenya

Posted on June 25th, 2018

By Walter Amoko | Gibran Darr

Share this article

In 2017, the World Bank published a report entitled Benchmarking Public Private Partnerships (World Bank Report) following the review of legislation and practices of eighty-two (82) countries (including Kenya). The objective of the World Bank Report was to give empirically based authoritative guidance on Public Private Partnerships (PPPs). This comparative analysis was conducted under the framework of the four (4) main areas of a PPP cycle being preparation, procurement, contract management and approach to unsolicited proposals (USPs).

World Bank Report

The World Bank Report assesses the relative performance of each country against a maximum score of a hundred (100) in each area. Kenya was assessed to have achieved above average scores of sixty seven (67) in the area of preparation of PPP’s, sixty five (65) in procurement and fifty two (52) in the area of contract management. Before popping the champagne bottle, it should be borne in mind that there is a paucity of PPP projects (according to the PPP Unit there are only seven (7) on-going PPP projects with a rather suspicious list of past projects) even though we have had the law on PPPs in our books for many years beginning with regulations under the Public Procurement and Asset Disposal Act and since 2013, a fully-fledged Act- the Public Private Partnership Act, 2013 (the Act).

Without making a fetish of the numbers (which admittedly are somewhat arbitrary), rather tellingly, by the World Bank’s ratings, South Africa significantly outperformed Kenya in each of these areas while some of our neighbours were ranked better in some aspects. For example, for procurement Tanzania was assessed at eighty (80) while for management Uganda scored sixty eight (68).

But such raw numbers teach us nothing. The real value of the World Bank Report, despite the inherent difficulties of lack of thorough analysis given such a high sample size and the inherent difficulties in comparing politically and economically diverse countries, is its provocative value. The results present an opportunity for identifying potential trouble-spots in our legislative landscape and for reflection as to whether we can do better.

One such area is USPs, also referred to as Privately Initiated Proposals (PIPs), flagged as the area of most concern and least progress earning against what the authors of the World Bank Report viewed as good practice. The principal weakness of our system of USP/PIPs, which we apparently share only with Vietnam, is the absence of a competitive
procuring procedure. A USP presents the rather unique form of PPPs as it is where the private party initiates the process.

Unlike procured PPPs for which there is a comprehensive regulatory framework under the Act – see generally sections 29 to 57 – with competition at its heart, the law on USPs/PPPs is much less extensive. The sum total of this is to be found in section 61:

“(1) A contracting authority may consider a privately initiated investment proposal for a project and procure the construction or development of a project or the performance of a service by negotiation without subjecting the proposal to a competitive procurement process where —                                                                                                          (a) there is an urgent need for continuity in the construction, development, maintenance or operation of a facility or provision of a service and engaging in the competitive procurement process would be impractical: Provided that the circumstances giving rise to the risk of disruption were not foreseeable by the contracting authority or the result of an unreasonable failure to act by the contracting authority;

(b) the costs relating to the intellectual property in relation to the proposed design of the project is substantial;

(c) there exists only one person or firm capable of undertaking the project, maintaining the facility or providing the service or such person or firm has exclusive rights over the use of the intellectual property, trade secrets or other exclusive rights necessary for the construction, operation or maintenance of the facility or provision of the service; or

(d) there exists any of the circumstance as the Cabinet Secretary may prescribe.

(2) A contracting authority shall, before commencing negotiations with a private party under this section—

(a) prescribe a criteria against which the outcome of negotiations shall be evaluated;

(b) submit the proposal to the unit for consideration and recommendation;                                                                 (c) upon obtaining the recommendations of the unit, apply for and obtain approval from the Committee to negotiate the contract; and

(d) conduct the negotiations and award the tender in accordance with the prescribed process in the regulations to this Act.

(3) A contracting authority shall not consider a project for procurement under this section unless it is satisfied that— 

(a) the project shall provide value for money;

(b) the project shall be affordable; and                                                                                                                           

(c) the appropriate risks are transferred to the private party

The Act provides for three (3) circumstances under which USPs/PIPs are possible, with seemingly unguided discretions conferred on a member of the executive to increase. As is clear, all the circumstances are situations where the legislature has decided competition is not feasible or possible. This appears to be something that the blunderbuss one-size fits all criteria adopted by the World Bank does not take into account. USPs are an exception to the norm and save for the rather anomalous discretion given to the Cabinet Secretary to expand them, they are restricted to situations in which competition is not a practical alternative. It is therefore difficult to follow the argument that our system should be faulted for the absence of competition. Of note is that according to the PPP Unit, four (4) of the seventy (70) PPP projects currently underway are USPs.

Perhaps a more valid criticism is why the availability of opportunities for PPPs should be so restricted for if the public can benefit from private sector finance in so many areas that were previously the exclusive reserve for the public. Surely, ideas and innovations on those areas should be equally welcomed. The concern should be how to ensure that this is not abused which is where competition becomes relevant and the World Bank Report is useful. Both of our neighbours, Tanzania and Uganda scored higher on USPs but that is only because of the rather arbitrary three-part criteria adopted by World Bank for assessment.

The Bangladeshi Perspective

While not as high scoring, lessons can be drawn from Bangladesh which has a broader regulation. Bangladesh’s primary legislation does not restrict the areas in which USPs are available but there is the subject of extensive subsidiary legislation, though we should add that we have not considered their enforcement.

Some of the salient guidelines are set out below:

Non-Mandatory Nature of Concept Note and/or Unsolicited Proposal

The guidelines ensure that the Government is not obligated to consider and accept a Concept Note and is not prohibited from using the asset that is the subject of the Concept Note in a conventional Government Project.

Process for Submission of a Concept Note and Sector Policy Review

The guidelines establish a framework through which the Original Proponent of a Concept Note submits the same to the Contracting Authority while keeping the PPP Authority and Applicable Line Ministry in copy. This provides for a forum for discussion to clarify the scope of the Concept Note and ensure that the project is aligned with sector development plans and is likely to deliver a positive socio-economic benefit. There is a requirement for endorsement by the Applicable Line Ministry where the Concept Note is successful as well as provision for rejection and resubmission with Applicable Line Ministry feedback.

Assessment of Eligibility of the Concept Note and the PPP Project Proposal

This process provides for detailed assessment and a screening criteria through the Applicable Line Ministry, which formally submits the endorsed Concept Note and the PPP Project Proposal to the PPP Authority for processing of the same and in principal approval and makes provision for the PPP Authority to use of its own resources or seek professional support from qualified consultants in conducting its assessment. The PPP Authority may also contact the Contracting Authority, the Applicable Line Ministry and other relevant Government agencies to get more clarity on the Project.

A cursory reading of the guidelines suggests that the Government of Bangladesh has identified some of the possible exceptions and loopholes that may be created by a non-exhaustive statutory provision on USPs, the most notable of which is the provision that ensures that notwithstanding the submission of a USP, the contracting authority is not precluded from applying a project concept on a conventional project or what may be termed a solicited proposal. In addition, the fact that the guidelines make provisions and give a leeway for the use of external consultants by the Bangladeshi PPP Authority (the equivalent of the Kenyan PPP Unit) and allows it to seek support from appropriate sector line ministry resources when making its assessment gives the USP process further legitimacy and competitive justification on procedure.

The provisions of the Bangladeshi USP guidelines therefore serve as guideposts should we go the way of USPs. One only needs to take a look at the model of USP guidelines in Bangladesh to identify that a gaping hole and possibility of USP proponent litigation against the Government of Kenya and contracting authorities is real where the waters are muddied between solicited proposal tendering and a USP proposal in a situation where a project that formed the basis of a previous USP is later subjected to the conventional tendering process for solicited proposals.

Quite apart from protection of the contracting authority, the existence of USP guidelines would also ensure that the legitimacy of the USP process is not easily called into a question once a contract is awarded to a private entity, especially where a framework exists to ensure that the USP process itself was fair, competitive and received a nod of approval from sector consultants and specialists.


If Kenya decides to open up the circumstances in which USPs should be available, there will be need for guidelines and regulation of USPs in order to protect both the private contracting entity as well as the contracting authority. While the World Bank Report has noted that in developing economies the lack of USP regulations may be a consequence of an express desire of the public sector not to use USP procurement, it suggests that the subject may not have been considered.

About Us

Oraro & Company Advocates is a full-service market-leading African law firm established in 1977 with a strong focus on dispute resolution and corporate & commercial law. With a dedicated team of 10 partners, 4 senior associates, 10 associates, 1 lawyer and 36 support staff, the Firm has been consistently ranked by leading legal directories such as Chambers Global, IFLR 1000 and Legal 500 as a top-tier firm in Kenya.

Oraro & Company Advocates is an affiliate member of AB & David Africa.

Contact Us

Oraro & Company Advocates
ACK Garden Annex, 6th Floor, 1st Ngong Avenue
P. O. Box 51236 - 00200, Nairobi, Kenya.
T: +254 709 250 000
E: | W:

Oraro & Company Advocates © 2021