Grain Industries Limited v Mbuvu & another [2024] KEHC 14003 (KLR) | Data Protection | Esheria

Grain Industries Limited v Mbuvu & another [2024] KEHC 14003 (KLR)

Full Case Text

Grain Industries Limited v Mbuvu & another (Civil Appeal E186 of 2024) [2024] KEHC 14003 (KLR) (12 November 2024) (Judgment)

Neutral citation: [2024] KEHC 14003 (KLR)

Republic of Kenya

In the High Court at Mombasa

Civil Appeal E186 of 2024

JK Ng'arng'ar, J

November 12, 2024

Between

Grain Industries Limited

Appellant

and

Esther Kanza Mbuvu

1st Respondent

Office of the Data Protection Commissioner

2nd Respondent

(Being an appeal against the Determination of the 2nd Respondent dated 3rd June 2024 in ODPC Complaint No. 387 of 2024, Esther Kanza Mbuvu v Grain Industries Limited)

Judgment

1. The background of the appeal is that the 1st Respondent lodged a complaint on 6th March 2024 with the 2nd Respondent alleging that the Appellant used her image in its marketing billboard, YouTube promotions and social media platforms under the caption “Tunashukuru mama wa Ajabu” without her consent. That on or about 30th August 2023 while going about her daily errands, she saw a billboard erected which had several photographic images including herself and that the billboards in question were located along Mombasa Malindi Highway at Nyali, at Kibarani area in Mombasa and at Likoni area in Kilifi County.

2. The remedies prayed for by the 1st Respondent were for a declaration that the use of her image was without her consent, a declaration that the use of personal data by the Respondent for commercial purposes without consent amounted to a breach under the Data Protection Act, that the 2nd Respondent’s office imposes a fine to the Respondent for posting the image of the Complainant without her consent, an order of general damages to the Complainant for use of her image without consent, and any other order that this office may deem fit to grant.

3. The Appellant responded to the Complaint vide a letter dated 11th April 2024 and stated that on 13th July 2023, it launched a promotional campaign whose purpose was to celebrate mothers across Kenya during the Mother’s Day period by inviting participants to submit pictures of their mothers for public display on billboards and social media platforms. That the campaign was open to individuals nationwide and was subject to Terms and Conditions which were made available to participants. That the Appellant engaged Brainwave Communications Limited (Brainwave) as its marketing agency which hosted a webpage through which participants enrolled to take part in the campaign. That the Appellant indirectly collected the 1st Respondent’s personal data from her daughter in reliance of her daughter’s acceptance of the T&Cs and that the confirmation contained therein was to the effect that the 1st Respondent’s daughter had sought her express written consent.

4. That the first billboard was put up on 10th August 2023 and throughout the campaign the 1st Respondent’s image was only featured on one billboard and one video on YouTube. That the demand letter dated 31st October 2023 from the 1st Respondent was sent to its general email address which receives a high volume of email on a daily basis and that the 1st Respondent did not serve it with a physical copy of the demand letter or any emails following up on the demand letter. That the said demand letter came to their attention when it received the letter from their office on 20th March 2024.

5. That the 2nd Respondent reviewed the Complaint lodged, the Appellant’s Response, the 1st Respondent’s reply to the Appellant’s Response and all supporting documents provided by the parties, and the investigation officers visited the alleged locations where the billboards in question were located and confirmed that they had been pulled down. A determination dated 3rd June 2024 was made and it was to the effect that the Appellant was found liable for violating the 1st Respondent’s right to be informed, her right of erasure and for using her personal data for commercial purposes without obtaining her express consent. The Appellant was ordered to pay the 1st Respondent Kshs. 1,000,000 as compensation, an enforcement notice was issued against the Appellant, and that the parties had the right to appeal the determination to this court within 30 days.

6. Being dissatisfied with the decision, the Appellant appealed against the whole decision to this court through the Memorandum of Appeal dated 2nd July 2024 on grounds that the 2nd Respondent erred in law in communicating the determination to the Appellant on 7th June 2024, 3 days after the determination is dated and 3 days outside the statutory timelines set out in Section 56 (5) of the Data Protection Act, 2019, that the 2nd Respondent erred in law and fact in relying on the 1st Respondent’s rejoinder to make the determination without providing the Appellant an opportunity to review and respond to it, that the 2nd Respondent erred in law and fact in finding that the Appellant did not rely on a valid lawful basis to process the 1st Respondent’s personal data in accordance with the DPA, that the 2nd Respondent erred in law and fact in failing to appreciate that the 1st Respondent’s adult daughter acted as a data controller in respect of the 1st Respondent’s personal data and the burden of proving consent was validly obtained and was with her daughter, and that the 2nd Respondent erred in law and fact in finding that the Appellant violated the 1st Respondent’s rights to be informed of the use of her personal data, and to the erasure of her personal data.

7. That the 2nd Respondent erred in law in finding that the Appellant failed to fulfil its obligations under the DPA and in issuing an enforcement notice against it, that the 2nd Respondent erred in fact in failing to appreciate that the Appellant had taken down the billboard containing the Respondent’s image even before the 1st Respondent sent a demand letter to it, that the 2nd Respondent erred in fact by stating that the 1st Respondent, in her rejoinder, indicated that the Appellant erected 3 billboards with her image on it when this was not the case, and this fact undoubtedly impacted its computation of the compensation awarded to the Respondent, that the 2nd Respondent erred in law in failing to appreciate that the 1st Respondent did not use the requisite forms provided for in the Data Protection (General) Regulations, 2021 to exercise her rights, and that the 2nd Respondent erred in law and fact in finding that the Appellant violated the DPA in its indirect collection of the 1st Respondent’s personal data from her daughter,

8. That the 2nd Respondent erred in concluding that the use of the 1st Respondent’s personal data by the Appellant was wholly Commercial, and in relying on the 1st Respondent’s rejoinder relating to the level of exposure of the personal data while disregarding the evidence tendered by the Appellant and its service provider, Brainwave Communication Limited (Brainwave), the 2nd Respondent erred in awarding the 1st Respondent compensation of Kshs. 1,000,000 when she did not prove, with any degree of specificity any financial, reputational, or other harm occasioned to her by the Appellant’s use of her personal data, the 2nd Respondent erred in failing to articulate the basis on which it arrived at the compensation awarded to the 1st Respondent absent any particularization of harm by the Respondent, that the 2nd Respondent erred in finding that Brainwave was not the Appellant’s data processor in respect of the processing of the 1st Respondent’s personal data solely on the basis that a data processing agreement was not in place despite Brainwave acknowledging that as its role when responding to the 2nd Respondent, and that the 2nd Respondent erred in absolving Brainwave of liability entirely.

9. The Appellant prayed for orders that the Determination dated 3rd June 2024 and delivered on 7th June 2024 be and is hereby set aside in its entirety, that the Enforcement Notice dated 19th June 2024 be and is hereby set aside in its entirety, that the Determination and the manner in which the 2nd Respondent arrived at it was procedurally flawed and violated the Appellant’s fair hearing and due process rights under the Constitution of Kenya, 2010, that in the alternative and without prejudice to prayer 1 above, the court hereby exercises any of the powers which could have been exercised by the Respondent in the proceedings in connection with which the appeal is brought in arriving at a compensation award proportionate to the harm proven by the 1st Respondent, that in the alternative and without prejudice to prayer 1 above, the court hereby exercises any of the powers which could have been exercised by the 2nd Respondent in the proceedings in connection with which the appeal is brought in apportioning liability between the Appellant and Brainwave, and that the costs of this appeal and of the ODPC be awarded to the Appellant.

10. The appeal was canvassed by way of written submissions. The Appellant filed submissions dated 30th July 2024, the 1st Respondents filed submissions dated 1st September 2024, the 2nd Respondents filed submissions dated 24th September 2024, and the Appellant filed supplementary written submissions dated 11th October 2024 in response to the 2nd Respondent’s submissions which have all been considered by this court.

11. The duty of the first appellate court to re-examine and re-evaluate evidence to come up with its own findings was set out in Selle vs. Associated Motor Boat Co. (1968) E.A 123 as follows: -“… Briefly put they are that this court must reconsider the evidence, evaluate it itself and draw its own conclusions though it should always bear in mind that it has neither seen nor heard the witnesses and should make due allowance in this respect …”

12. This Court has considered the Record of Appeal dated 2nd July 2024 and submissions by the parties. The issues for determination are: -Whether the 2nd respondent violated the appellant’s due process, fair administrative action and fair hearing by failing to provide it with the 1st respondent’s rejoinder and by delivering the determination days after it was rendered.a.Whether the appellant unlawfully processed the 1st respondent’s personal data.b.Whether the appellant failed to fulfil its obligations under the Data Protection Actc.Whether the 1st respondent was entitled to compensation.

Issue one: “Whether the 2nd respondent violated the appellant’s due process, fair administrative action and fair hearing by failing to provide it with the 1st respondent’s rejoinder and by delivering the determination days after it was rendered.” 13. It was the appellant’s case that the tenets of due process and right to fair administrative action under Article 47(1) of the Constitution were breached by the 2nd respondent. That a 90-day period was provided under the Data Protection Act (hereinafter The Act) and the timeline was not discretionary.

14. Section 56 (5) of The Act provides that: -“A compliant made to the Data Commissioner shall be investigated and concluded within ninety days.”

15. I note that the complaint filed by the 1st respondent was received by the 2nd respondent on 6/3/2024 thus the 90-day period lapsed on 4/6/2024. The determination made by the 2nd respondent was dated 3/6/2024 thus the same was within the statutory timeline. It matters not that the email bearing the determination was sent on 7/6/2024 noting that the communication of delivered judgments is an administrative action that follows the actual delivery of the judgment. The 2nd respondent was bound to deliver judgment by 4/6/2024 and it complied. The interpretation that the appellant pleaded with this Court to embrace to the effect that communication of the judgment three days after delivery was un-statutory cannot hold. The same would go against Article 159 of the Constitution which implores this Court to render justice without undue regard to technicalities. To overturn a judgment that was delivered within the statutory period but communicated three days later would be unjust and unreasonable.

16. The appellant also found fault with the 2nd respondent for failing to allow the appellant a chance to review the 1st respondent’s rejoinder to its response yet the same was relied upon in the final judgment. Interestingly, the appellant in its own submissions admitted that The Act and its subsidiary legislation did not make room for a respondent to respond to the complainant’s rejoinder. It is then lost to this Court why or how the 2nd respondent acted without transparency whereas the appellant was allowed an opportunity to respond to the complaint and comply with the 2nd respondent’s directions.

17. In the circumstances, this ground of appeal is a non-starter and is found without merit thus the same cannot succeed.

Issue two: “Whether the appellant unlawfully processed the 1st respondent’s personal data.” 18. It was the appellant’s case that the 2nd respondent failed to consider that the 1st respondent’s daughter played a role in the processing of the 1st respondent’s personal data when she accepted the terms and conditions, obtained the 1st respondent’s image, and shared it with the appellant while representing that she had obtained the relevant consents. The appellant submitted that there was a joint controllership between the appellant and the 1st respondent’s daughter which allowed the appellant to indirectly collect the 1st respondent’s personal data as her daughter had consented in accordance with Section 28 (2) (c) of The Act.

19. I have considered the entire record before this court as well as pleadings filed before it. It is not in contention that the appellant used the 1st respondent’s photograph to run their campaign duped ‘mama wa Ajabu’ without the 1st respondent’s direct consent. It is also not denied that the appellant put up a billboard with the 1st respondent’s photograph to run the said campaign. It is further not denied that a Youtube video was similarly uploaded to aid the campaign and the same contained the 1st respondent’s image. The only point of departure is that the appellant submits that the 1st respondent’s daughter gave the 1st respondent’s personal data and that the said daughter had agreed to the appellant’s terms and conditions thus allowing the appellant to use the 1st respondent’s data to run their campaign.

20. Article 28 of the Constitution provides that every person has inherent dignity and the right to have that dignity respected and protected. The right to privacy is further enshrined under Article 31 of the Constitution.

21. Section 26 of the Data Protection Act provides as follows: -“26. A data subject has a right —(a)to be informed of the use to which their personal data is to be put;(b)to access their personal data in custody of data controller or data processor;(c)to object to the processing of all or part of their personal data;(d)to correction of false or misleading data; and(e)to deletion of false or misleading data about them.”

22. Section 28 of The Act provides that: -“A date controller or data processor shall collect personal data directly from the data subject.”

23. Section 28 (2) further states that: -“Despite sub-section (1), personal data may be collected indirectly where —(a)the data is contained in a public record;(b)the data subject has deliberately made the data public;(c)the data subject has consented to the collection from another source;(d)the data subject has an incapacity, the guardian appointed has consented to the collection from another source;(e)the collection from another source would not prejudice the interests of the data subject;(f)collection of data from another source is necessary —(i)for the prevention, detection, investigation, prosecution and punishment of crime”

24. It then follows that a data controller or data processor such as the appellant must collect personal date directly from the data subject unless any of the circumstances provided above prevail. The appellant admitted that it did not get the 1st respondent’s consent directly but proceed to collect and use her personal data relying on indirect consent from her daughter. The appellant did not plead any of the exemptions either in this Court or before the 2nd respondent therefore the mandatory nature of the obligation under Section 28 of The Act still existed. Failure to comply was a clear breach of The Act. In any case, there is no where in the form signed by the 1st respondent’s daughter where it was indicated that the 1st respondent had herself given consent to use of her images. The only consent obtained was that of a third-party who was not the data subject. There was nothing to prove that the 1st respondent had consented to the collection of her data from another source thus the appellant could not rely on the exemption under Section 28(2) (c) of The Act. It was upon the appellant to ensure that the participants of the campaign directly gave their consent so as to come within the purview of Section 28 of The Act.

25. The appellant was in clear breach of Section 26 and 28 of The Act. It thus this Court finding that appellant unlawfully processed the 1st respondent’s personal data. I see no reason to interfere with the 2nd respondent’s finding. This ground of appeal must similarly fail.

Issue three: Whether the appellant failed to fulfil its obligations under the Data Protection Act 26. It is not in dispute that the appellant is a data controller within the meaning of Section 2 of The Act which provides a data controller as: -“"data controller" means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data”

27. Section 25 of The Act provides for the appellant’s obligation to the 1st respondent and principals of data protection. The provision states thus: -“Every data controller or data processor shall ensure that personal data is —(a)processed in accordance with the right to privacy of the data subject;(b)processed lawfully, fairly and in a transparent manner in relation to any data subject;(c)collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;(d)adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;(e)collected only where a valid explanation is provided whenever information relating to family or private affairs is required;(f)accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;(g)kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and(h)not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject

28. It has already been found that the appellant was in breach of Section 26 and 28 of The Act for failing to obtain personal data directly from the 1st respondent and by failing to ensure that the 1st respondent had given her consent to the third party from whom the personal data was obtained thus breaching the rights of the 1st respondent. The appellant also had a duty to notify the 1st respondent by virtue of Section 29 of The Act which states that the 1st respondent had to be informed of:-“the rights of data subject specified under section 26;(b)the fact that personal data is being collected;(c)the purpose for which the personal data is being collected;(d)the third parties whose personal data has been or will be transferred to, including details of safeguards adopted;(e)the contacts of the data controller or data processor and on whether any other entity may receive the collected personal data;(f)a description of the technical and organizational security measures taken to ensure the integrity and confidentiality of the data;(g)the data being collected pursuant to any law and whether such collection is voluntary or mandatory;and(h)the consequences if any, where the data subject fails to provide all or any part of the requested data.”

29. It followed then that the appellant had a duty to notify the 1st respondent of her rights under Section 26 of The Act, and also notify that it had collected her image and was to use it in its campaign. The appellant also had a duty to inform the 1st respondent of the measures taken to protect her personal data. There was nothing to show that this duty had been complied with at all more so taking into consideration that the appellant admittedly failed to collect the 1st respondent’s data directly from her.

30. The appellant was also obligated to lawfully process data as provided for under Section 30 of The Act which expressly barred the appellant from processing personal data unless the 1st respondent consented to the said processing. There was no such consent thus the appellant breached the Act by using the unlawfully obtained personal data in its campaign. The appellant did not at any point plead any exemptions under Section 30 (1) of The Act that would otherwise allow for processing without consent, consequently, the appellant failed to comply with this obligation.

31. Suffice is to add that such consent is also mandatory under Section 37(1) of The Act which barred the appellant from using personal data for commercial purposes without seeking and obtaining express consent from the 1st respondent. Though the appellant denied that the campaign was not for commercial purposes and that it only aimed at celebrating mothers, it is not lost to this Court that amongst the paramount purpose for marketing is to create brand awareness which in turn attracts customers to purchase from the business entity. Be that as it may, the spirit of The Act calls for express consent before any personal data is obtained, processed and used and the appellant was in breach from the very beginning. It matters not whether the billboards and Youtube videos lasted a day or four months. The appellant ought not to have used the 1st respondent’s persona data until it fully complied with its obligations under The Act.

32. I find that the 2nd respondent correctly found that the appellant failed to fulfil its obligations under The Act. This ground of appeal cannot succeed.

Issue four: Whether the 1st respondent was entitled to compensation. 33. It has already been found that the appellant breached the 1st respondent’s rights under The Act by failing to comply with its various obligations and by unlawfully obtaining, processing and using her personally data. The 2nd respondent granted the prayer for compensation in terms of general damages for the use of her image without consent.

34. Section 65 of The Act provides for compensation to a data subject who suffers damage by reason of a contravention of a requirement of the Act. The provisions states that: -“65. (1)A person who suffers damage by reason of a contravention of a requirement of this Act is entitled to compensation for that damage from the data controller or the data processor.(2)Subject to subsection (1)—(a)a data controller involved in processing of personal data is liable for any damage caused by the processing; and(b)a data processor involved in processing of personal data is liable for damage caused by the processing only if the processor —(i)has not complied with an obligation under the Act specifically directed at data processors; or(ii)has acted outside, or contrary to, the data controller's lawful instructions.(3)A data controller or data processor is not liable in the manner specified in subsection (2) if the data controller or data processor proves that they are not in any way responsible for the event giving rise to the damage.(4)In this section, "damage" includes financial loss and damage not involving financial loss, including distress.”

35. By virtue of the foregoing, the appellant was liable for any damage caused by the processing having failed to have complied with its obligations under The Act. Indeed, the section provides that damage includes financial and financial loss including distress. Though the appellant submitted that no such damage was suffered as the billboards and Youtube video was pulled down, this Court cannot turn a blind eye to the 1st respondent’s contention both before the 2nd respondent and before this Court that she only found out that her image was used in the appellant’s campaign when she saw her image on various billboards and later in a Youtube video. It is not strange to imagine that she was in obvious distress having suddenly seen her image in a campaign that she knew nothing about nor had participated in. That would indeed be unsettling and distressful.

36. I also note that the appellant admitted to having received the demand letter sent by the 1st respondent via email but failed to read or notice it as the email used was full of traffic from other senders. Respectfully, that was an internal issue that the 1st respondent had no control of. The email used was lodged by the appellant itself on its website and it was expected that it could deal with whatever amounts of emails received. The fact remains that the appellant was served with the demand and failed to act promptly causing further distress on the 1st respondent’s part.

37. Consequently, I find no fault in the 2nd respondent’s award for compensation of Kshs. 1,000,000/= for damages noting that the same was not inordinately high so as to warrant interference from this Court. This ground has failed.

Conclusion 38. In the end, I find that the memorandum of appeal dated 2/6/2024 is unmeritorious and the same is hereby dismissed with costs to the respondents. The judgment rendered by the 2nd respondent dated 3/6/2024 is hereby upheld.It is so decreed.

DATED AND DELIVERED VIRTUALLY AT MOMBASA THIS 12TH DAY OF NOVEMBER, 2024. ………………………J.K. NG’ARNG’AR, HSCJUDGEIn the presence of: -Sugow Advocate for the AppellantWanyaga Advocate for the 1st RespondentWanjiru Advocate for the 2nd RespondentCourt Assistant – Mr. Samuel ShitemiJ.K. NG’ARNG’AR, J.