By Cherie Oyier

Questions on the right to privacy and the scope of application of the Kenya Data Protection Act, 2019 (DPA) have been triggered with the emergence of videos online by the now infamous Russian national. But why these questions? For context, the videos taken on Ray-Ban Smart Meta glasses depict an individual approaching women in different scenarios, proposing a meet-up later in the day and finally showing the women back at his hotel room in a state that could be described as compromising.

From a constitutional standpoint, these actions violate Article 31 (c), which specifically provides that every person has a right not to have information relating to their private affairs unnecessarily required or revealed. Hence, by releasing videos revealing the private moments he had during his meetings with the women, he violated this provision and triggered the provisions of Articles 21 and 22 of the Constitution on implementation and enforcement of the Bill of Rights.

From a data protection perspective, the complexities of the territorial scope of the DPA, consent as a legal basis for processing, and controllership come into play.

Extra-territorial Scope of the DPA

Section 4 (b)(ii) speaks to the extra-territorial scope of the DPA and provides that the DPA applies to controllers and processors not established or ordinarily resident in Kenya but processing personal data of data subjects located in Kenya. This section is similar in principle to the General Data Protection Regulation (GDPR) provision at Article 3 (2), which confirms the applicability of the GDPR to non-EU established organisations offering goods or services or monitoring the behaviour of data subjects within the European Union.

The test for determining whether a non-EU established organisation is offering goods or services or monitoring the behaviour of data subjects within the EU, hence processing such data, was established by the European Data Protection Board (EDPB), which states that such activities must “intentionally rather than inadvertently or incidentally target individuals within the EU”. It is interesting to note that the guidelines by the EDPB did not envision instances when the non-EU established entity (controller) is an individual or natural person. In Kenya, there is no equivalent guideline on the territorial scope of the DPA as of yet. However, section 4 (b)(ii) suffices. In this case, processing intentionally targeted data subjects within Kenya, and processing activities such as collection and recording were done while the controller was within Kenyan territory.

While the Office of the Data Protection Commissioner (ODPC), the body mandated to implement the DPA, enjoys extra-territorial powers by virtue of section 4 (b)(ii), implementation of the DPA here is further complicated by the fact that the offending controller is an individual who has since vacated the country. The absence of the offending controller does not limit the powers of the ODPC to begin investigations into this case suo motu (on its own motion), as was the case in the Zad Muslim School Marsabit case, or based on the complaint of one of the data subjects or a third party where any such complaints are filed.

Legal Basis for Processing

Section 30 of the DPA provides for 9 legal bases for processing personal data. Of the 9 bases, perhaps only consent and pursuit of the controller’s legitimate interests can remotely be applied to the present case.

Consent

For consent to be relied on as a legal basis for processing, certain minimum requirements must be met. The ODPC’s Guidance Note on Consent provides context to section 30 (1)(a) on consent and provides that for consent to be valid, it must be given freely, meaning that it should not be obtained through threats or coercion. It must be specific, meaning that it must be obtained to meet a specific processing objective or purpose. Consent must be express and unequivocal, meaning that an active action to demonstrate affirmation by the data subject, such as ticking a box or swiping a screen, must be done, leaving no doubt about the data subject’s intention to have their personal data processed. Further, consent has to be informed. This means that the data subject must be given all information relating to the processing of their data. The Guidance Note on Consent provides more context and provides a list of information that should be provided for consent to be deemed valid, including the identity of the controller/processor, the purpose of processing, the processing activities their personal data will be subjected to, and the right to withdraw such consent. Still, in relation to informed consent, the ODPC Guidance Note provides that the data subject should be offered an explanation of the processing activities in clear, simple language that is easy to understand.

In comparison with the EDPB’s Guidance on consent, the EDPB’s Guidance expressly provides that data subjects must be given the same information as those prescribed in the ODPC’s Consent Guidance Note as well as information relating to the type(s) of data to be processed, information relating to automated decision-making and the possible risk of data transfers to third parties in the absence of an adequacy decision and appropriate safeguards.

The ODPC has a further, more specific guideline to the circumstances of this present case in the form of the Guidance Notes- Processing of Personal Data on Publications of Recorded Media. This guidance note specifically addresses privacy and data protection issues arising from the processing of personal data for the publication of audiovisual and recorded media. The guidance note provides that visual images and audio recordings constitute identifying information subject to protection under the DPA.  

The Guidance Note on Processing Personal Data on Publications for Recorded Media has emphasised the need to ensure that data subjects are well informed of processing activities. It combines the set of information under the ODPC consent guidance and the EDPB consent guidance, as discussed above, as information that should be provided to the data subject to ensure consent is valid.

From the examples given under the ODPC’s Guidance Notes-Processing for Publishing of Recorded Media, it is clear that such information should be provided at the time of collecting data to be considered as timely.

In the present case under consideration, it would seem that none of the prescribed information above was provided to data subjects. The controller used covert means to record the affected data subjects by using his Ray-Ban Smart glasses to record his interactions without informing them beforehand that he was recording, or that he would eventually disseminate the audiovisual personal data.

Valid consent was not sought, and therefore valid consent was not obtained to process the personal data.

Legitimate Interest

Data controllers can rely on the pursuit of their own legitimate interests as a basis for processing as well. However, section 30 (1)(b)(vii) provides that for this basis to be relied on, the legitimate interest of the controller or processor must not be overridden by the rights, freedoms and legitimate interests of the data subject.

In this case, the data subjects’ rights and freedoms to privacy and dignity outweigh those of the controller, hence this basis cannot be relied on.

Controllership

Another issue that is proving complex in this case is the question of who the controller is, and whether there is only one controller or more. If there is more than one controller, how is responsibility apportioned?

Controllership is addressed under Section 2 of the DPA where a controller is defined as “a natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purpose and means of processing of personal data.”

While most data protection legislations recognise that controllers and processors can be natural persons, most of the time this definition has been used to hold legal entities accountable as opposed to natural persons. The application to natural persons is usually further made complex due to section 51 (2)(a), which exempts processing of personal data by an individual in the course of a purely personal or household activity from the application of the DPA.

The Court of Justice of the European Union (CJEU) has considered cases where processing by a natural person can shift from domestic purposes to purposes subject to the application of data protection laws. In the case of Bodil Lindqvist [2003], the CJEU held that the publication of data subjects’ data by Mrs. Lindqvist on her personal website did not qualify as processing for domestic purposes and was thus not exempt from the provisions of the GDPR as provided under Article 3(2).

Similarly, by publishing the videos online, the individual in this case will be considered a controller in their own right.

It is imperative to also recognise the role played by the device and platform owner in this case. The devices used in this case are the Ray-Ban Smart glasses, and the platforms used to publish the audio and visual recordings are TikTok, X, Instagram and Facebook, among other platforms. Naturally, based on the nature of the internet, the audio-visual recordings have been further shared by other internet users, further complicating the issue of accountability.

The primary device and platform owners implicated in this case would be Meta if indeed it is established that the glasses were their Ray-Ban Smart glasses. In this case, the question that arises then is whether Meta is a joint-controller in this instance or a processor.

Platform owners determine the means and purpose of processing, hence fitting into the definition of a data controller. In this case, further investigations will be required to determine the specific decisions the platform owner made regarding the personal data in question. This will assist in establishing what responsibility to apportion to each joint-controller.

Conclusion

As technology evolves, privacy and data protection issues continue to get more complicated, calling for vigilance in upholding existing law as well as coming up with new mechanisms to ensure data subjects’ rights are upheld while also ensuring safe data sharing. The present case tests both the existing law and the need for more guidelines and specific decisions from the ODPC. It will hence be interesting to see how the Kenyan ODPC, as well as data protection authorities of other countries affected, navigate this case.

Cherie Oyier, Programs Officer - Women’s Digital Rights, KICTANet