Recently, the Office of the Data Protection Commissioner issued three penalty notices amounting to Kshs. 9,375,000/= to Mulla Pride Ltd, Casa Vera Lounge and Roma School. These companies were found liable for committing the following offences:
- Using the information of the data subjects beyond the scope of their consent;
- Posting an image of a data subject on their social media platform without the data subject’s consent;
- Posting minors’ pictures without parental consent.
The main issue was the failure by the companies who are data processors/controllers to obtain consent from data subjects prior to using their personal data. It is evident that the issue of consent is a hurdle that must be overcome and carefully considered before any personal data is collected and used.
This article will delve into the issue of consent including what it entails, how consent should be obtained for commercial use and how consent should be obtained where the data subjects are minors.
- What is Consent in Data Protection?
Data Protection in Kenya is governed by the Data Protection Act, 2019 (“the Act”). Section 30 of the Act prohibits a data controller or processor from collecting or processing personal data without the consent of data subjects.
So, what is consent? Consent is defined under Section 2 of the Act to mean any representation of the data subject’s express, unambiguous, free, informed declaration of their desires through a statement or by an apparent affirmative action, signaling authorization to the processing of their personal data.
Thus, for consent to be deemed to have been legally obtained from a data subject, it must meet the following essential legal requirements:
- Express – This means a clear and direct verbal or written agreement given willingly and knowingly by an individual. It is when someone explicitly communicates their agreement or permission for something without any ambiguity or misunderstanding;
- Unequivocal – This means that the consent is clear, unambiguous and leaves no room for doubt or misinterpretation as the person has given a definite and unmistakable agreement or permission. Consent cannot be assumed as was held by the High Court of Kenya in the case of Ondieki v Maeda (Petition E153 of 2022)  KEHC 18290(KLR) where the court held that the installation of CCTV cameras in a residential area that could access, monitor or spy on a neighbour without their express and unequivocal consent amounted to breach of the neighbour’s constitutional right to privacy under Article 31 of the Constitution of Kenya. The Court noted that consent cannot be assumed and that the Respondent was under and obligation to receive an express and unequivocal consent from the Petitioner in view of his right to privacy;
- Free– This means that the person willingly and without any form of coercion or undue pressure agrees to something. It implies that the individual has the autonomy to make a decision without feeling coerced, threatened or manipulated into giving consent. The Act provides that in determining whether consent was freely given, an account should be taken of whether consent was requested as a precondition for the performance of a contract even though the same was not necessary for the said performance of contract. In such a scenario, the consent will be deemed conditional hence failing the ‘free’ test specified under section 2 of the Act;
- Specific – This means that the consent provided is clear and explicit for a particular action or purpose leaving no room for misunderstanding. For example, if someone consents to their personal data being used for a specific reason, it means that they have agreed to that specific reason and not something else;and
- Informed– This means that a person has been provided with all relevant information, in a clear and understandable way about the particular action they are consenting to. This ensures that they have a full understanding of the potential risks, benefits and consequences before giving their consent.
It is important to note that the burden of proof is on the data collector/processor to demonstrate that the data subject consented to the collection and processing of their personal data for a specific purpose. We therefore recommend that entities maintain records to demonstrate that the consent of a data subject was obtained prior to the collection and processing of their personal data.
Can a data subject withdraw their consent? Yes, the data subject has the power to withdraw their consent at any time and the data processor/controller should avail this option at all times. However, this does not invalidate the collection or processing of the data subject’s personal data prior to the consent being withdrawn.
- Consent for Commercial Use of Personal Data
Section 37 of the Act provides that commercial use of personal data such as in marketing, direct marketing and/or advertisement can only be undertaken where consent has been specifically acquired for commercial use. This means that the data subject should be aware that their personal data will be used for commercial purposes.
This position was affirmed by the court in the case of Rukia Idris Barri v. Mada Hotels Ltd  where the court held that the Plaintiff’s consent had neither been sought nor obtained before Mada Hotels used her image for commercial purposes. The court held that even though the photograph in itself was not offensive, it was an unacceptable exploitation of one’s photograph or likeness for commercial purposes without their consent and that the same amounted to an invasion of her right to privacy and human dignity
- Consent for Personal Data Relating to Children
Under the Act, children do not have capacity to give consent for the processing of their personal data. This means that the consent of the parent or guardian of a child must be obtained before any personal data of a child is collected or processed. Additionally, the Act provides that the collection and processing of personal data of a child should be done in a manner that protects and advances the rights and best interests of the child.
The incapacity of children to give consent was emphasized by the court in the case of N W R & another v. Green Sports Africa Ltd & 4 others  eKLR where the court held that the data processor failed to demonstrate that the consent of the parents of the children was obtained before the photographs of the children were used. The Court stated that the children could not be said to have consented by voluntarily posing for the photographs for the simple reason that they lacked the requisite capacity to grant the consent.
The importance of obtaining valid consent before collecting or processing personal data cannot be overstated. It behooves entities or individuals undertaking collection and/or processing of personal data of whatever nature to establish processes and procedures to ensure that consent is acquired from data subjects and that the consent is express, unequivocal, free, specific, and informed.
Data Processors and Controllers should note that failure to comply with the requirements of the Act regarding consent attracts regulatory sanctions including enforcement notices, penalty notices and administrative fines by the Data Commissioner up to five million shillings. The Act also provides that a person who contravenes the Act could be imprisoned for a term not exceeding 10 years. It is therefore crucial for all data controllers and data processors to comply with the provisions of the Act.
Article by Ivyn Makena, James Karuga and Emily Ogonyo
Published on 2nd November 2023
This article is intended for general knowledge only. For substantive legal advice on this, please contact us through