Introduction

The Office of the Data Protection (ODPC) was constituted by the Data Protection Act, under the auspices of Section 5. The Act bestows upon the Office the function of, inter alia, exercising oversight of data processing operations, either suo moto, or upon request by a data subject.¹ Recently, the ODPC rendered two rulings of great importance. The first, in the Hilda Mwangi complaint, addressed significant issues regarding the use of a minor’s image and the complexities involved. Another case, involving Victor Manga Munyua, was also critical, as it examined the intricacies of consent, particularly in situations involving commercial gain.

Before a conclusion can be rendered on the cases and their cross-cutting nature, it behoves one to fully appreciate the facts and conclusion of each case.

1. Processing Minors’ Personal Data: Insights from Hilda Mwangi, suing as legal guardian vs Edgar Obare

The case concerns the processing of a minor’s personal data. The dispute centred on the publication of a minor’s image by the respondent, who claims to be a citizen journalist. His platform, BNN, is a telegram channel which is divided into a paid membership channel and a free to access channel. The photo in dispute was taken from the complainant’s social media and published on the free to access channel. The gravamen of the complaint was that the respondent had exploited the minor’s image for commercial gain by posting it on his platform without her consent. In response, it was averred that the complainant had herself publicised the photo by posting it on her social media and that having further blurred the minor’s image hence making them unidentifiable, the respondent was well within journalistic standards and the ambit of the Data Protection Act 2019 (DPA).

The main issue presented was whether the child’s data had been lawfully processed, turning on the question of whether the complainant’s consent would have been required and whether the minor had been appropriately deidentified. Specifically, the following issues were determined:

(i) Whether the processing was for commercial purposes and thus express consent required.

(ii) Whether the complainant’s consent was required in obtaining the minor’s personal data.

i. Whether the processing was for commercial purposes and thus express consent required

Children have the same rights as adults over their personal data. This includes the right to access their personal data, request rectification, object to processing and have their personal data erased. In addition to the general rights afforded to data subjects, Section 37 sets out that a person shall not use, for commercial purposes, personal data obtained pursuant to the provisions of this Act unless the person has sought and obtained express consent from a data subject; or is authorised to do so under any written law and the data subject has been informed of such use at the time of data collection.²

This creates a requirement for consent before a person’s data can be processed for commercial purposes. Regulation 14(1) of the Data Protection Regulations further buttresses this by setting out that for the purposes of section 37, a data controller or processor shall be considered to use personal data for commercial purposes where the data is used to advance commercial or economic interests. The section then proceeds to set out a class of activities which include inter alia inducing another person to join, subscribe to, provide or exchange information or services, or enabling or effecting whether directly or indirectly, a commercial transaction.³ The issue thus turned on whether the evidence tendered showed that the defendant directly or indirectly, sought to advance a commercial interest in the sharing of the images. Since the image was not published on the Respondent’s monetised channel, it was found that the data was not processed for a commercial purpose and thus the issue was summarily dealt with and dismissed.

ii. Whether the Complainant’s consent was required in obtaining the minor’s personal data

The DPA sets out further protections where the data subject is a child. Section 33 stipulates that a data controller or processor shall not process personal data relating to a child unless consent is given by the child’s parent or guardian and the processing is conducted in a manner that protects and advances the rights
and best interests of the child.⁴ This establishes the consent requirement for processing a child’s personal data.

It is further required, per section 33, that data controllers and data processors ensure they have appropriate age verification and consent mechanisms to enable them to process the personal data of a child.⁵ The section creates an exception only for a data controller or data processor that exclusively provides counselling or child protection services, stating that such an agent may not be required to obtain parental consent.⁶ This provision ensures that minors are protected and their rights are upheld.

The rationale for this requirement is that,
due to children’s lack of capacity, the protection of a child’s data subject rights may only be assured through a parental authority or by a guardian. This concern for the welfare of the child is further evidenced by the section’s reference to the principle of best interest of the child. Article 3 of the United Nations (UN) Convention on the Rights of the Child Convention sets out the principle that in all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.⁷

The UN Convention on the Rights of the Child, which Kenya has ratified, defines a child as every human being below the age of eighteen years unless the law applicable to the child stipulates that majority is attained earlier
.⁸ In Kenya, the age of majority is eighteen years as the Children’s Act defines a child to be an individual who has not attained the age of eighteen years.⁹ Thus, the implication is that section 33 of the DPA creates a prima facie requirement for parental consent when collecting and processing the data of anyone below the age of eighteen years.

Children need particular protection in the collection and processing of their personal data because they may be less aware of the risks involved. A lawful basis for processing a child’s personal data is required and consent provides this lawful basis. Since a child is not competent to exercise their own data protection rights or consent to processing themselves, then it is usually in their best interests to allow an individual with parental responsibility to act on their behalf.

In this case, the issue of consent turned on the complainant having published the image of the child on her social media.
Section 28 of the DPA provides that a data controller or data processor shall collect personal data directly from the data subject¹⁰.
However, personal data may be collected indirectly, inter alia, where the data is contained in a public record and the data subject has deliberately made the data public.¹¹

Thus, the Commission found that, by deliberately posting the minor’s image on her social media platform, the complainant made the photograph public; hence, the collection fell under the ambit of indirect collection per section 28 of the DPA. As a consequence, the complainant’s consent would not have been required for collecting the minor’s data.

2. Image Rights Under Scrutiny: The Case of Victor Manga Munyua vs Liquid Intelligent Technologies

The upshot of this case concerns a complainant, Victor Manga Munyua, who alleged that the respondent, Liquid Intelligent Technologies, used his image on their website for commercial gain without express consent.

As the case is anchored upon the contravention of image rights, it behoves one to appreciate what these rights are, and the legal threshold for what constitutes an infringement of image rights. A well authored summation of the same can be curated by reference to the comprehensive report authored by the Centre of Intellectual Property and Information Technology Law (CIPIT). In the report, Florence Ogonjo, referencing Syonidun’s work,¹² defines image rights as the rights pertaining to an individual’s exclusive authority over the commercial or public utilization of their likeness, name, signature, and other distinct personal identifiers. This legal construct, in her view, empowers individuals to restrict unauthorized applications of their image, particularly for commercial advantage, thereby ensuring a measure of control over the manner in which their identity is publicly represented. The significance of these rights has seen an intense rise in relevance with the proliferation of digital and media technologies, which have amplified the dissemination of personal images, often rendering them susceptible to unpermitted and potentially exploitative uses.

In making a cogent case for the contravention of one’s image rights, a tripartite test of conjunctive nature must be fulfilled:¹³

1. Utilization of a Protected Attribute: The claimant’s likeness, name, or another legally acknowledged personal characteristic must be employed. Typically, this encompasses the use of their image or identity in a manner that is overtly commercial in nature.

2. Commercial Exploitation Purpose: The use in question must be demonstrably exploitative, aimed at generating profit, enhancing promotion, or yielding other commercial benefits. This requirement distinguishes such uses from those intended for informational purposes, such as news reporting, or expressive uses that lack a commercial intent.

3. Absence of Consent: A crucial requirement is the individual’s lack of consent for the use in question. Consent, when provided, negates any basis for asserting claims under image rights law, as it signifies a waiver of such potential claims.

In the present case, the complainant argued that in his view, the use of his image damaged his reputation by falsely associating him with Liquid Intelligent Technologies, a company with which he was not affiliated. Despite sending a demand letter, the respondent removed the image but denied liability and refused compensation, prompting the complainant to file a formal complaint. Aggrieved by this lack of compensation, the complainant involved the Office of the Data Protection Commissioner (ODPC) to adjudicate the respondent’s liability (or lack thereof).

On their part, the respondent argued that the complainant gave express consent to use his image, having participated in a photoshoot and signed a model release form on April 24, 2018. Importantly, however, mere signatures were collected, and no names corresponded with them. The respondent insisted that pulling down the image after receiving the demand letter did not imply liability. Despite attempts to resolve the issue through Alternative Dispute Resolution, no resolution was found. Equally, they argued that the complainant had not demonstrated any commercial benefit or damage from the image’s use, making the compensation request unjustified.

Thus, the ODPC found before it a case in which the following issues arose:

1. Whether the respondent obtained the complainant’s consent as required by the Act to use his image for commercial purposes;

2. Whether there was a violation of the complainant’s rights under the Act; and

3. Whether the complainant is entitled to any remedies under the Act and the attendant Regulations.

1. Whether the Respondent obtained the Complainant’s consent as required by the Act to use his image for commercial purposes

The contextual underpinnings of consent can be attributed to Section 30 (2) of the Data Protection Act which provides thusly:¹⁴ that a data controller or data processor is prohibited from processing personal data unless the data subject has provided consent for the processing, expressly for one or more specified purposes.¹⁵ Consent, as the ODPC acknowledged, is defined under the ambit of Section 2 as any demonstration of express, unequivocal, voluntary, specific, and informed intent by the data subject, whether through a statement or a clear affirmative action, signifying their consent to the processing of personal data.¹⁶

The centrality of consent is contextually demonstrable within the Act, as Section 37 (1) bars the use of personal data for commercial purposes unless the express consent of the data subject has been granted.¹⁷ It was equally pronounced by the ODPC, that by virtue of Section 32 (1), the burden of proving that any such consent was obtained is at the hands of the controller or processor.¹⁸

On what amounts to ‘commercial use’, the ODPC employed the Data Protection (General) Regulations – specifically, Rule 14 (1). The same dictates that, for the purposes of Section 37(1) of the Act, a data controller or processor is deemed to use personal data for commercial purposes when such data is employed to further commercial or economic interests. This includes actions aimed at inducing others to buy, rent, lease, join, subscribe to, provide, or exchange products, property, information, or services, or facilitating, directly or indirectly, a commercial transaction.

With the law stated clearly, the ODPC made some key pronouncements in this regard. First, the principle emphasised by the ODPC was that consent is sacrosanct; it must be unequivocally clear both that the individual has granted consent and precisely what they have consented to. A distinct and affirmative indication of agreement to the processing of data is required. Moreover, this clarity is intertwined with the necessity that consent be verifiable, ensuring that one can substantiate the data subject’s authorization of such processing.

Upon considering the foregoing provisions in unison, it becomes evident that valid consent arises from a deliberate, informed choice, necessitating affirmative action. Such consent must not only be given but must also demonstrable and subject to proof. This position is crucial and appears to closely reflect the scholarly consensus, which mirrors the opinion of the ODPC in this regard.¹⁹ Equally, international standards echo this principle of the positive and affirmative nature of consent. For instance, the General Data Protection Regulation (GDPR), cited as the flagship of Data Protection Regulations,²⁰ states that consent must be freely, specific, informed and unambiguous.²¹

By virtue of this, it was not enough that the model consents bore the signature of the complainant since they could not be relied upon to demonstrate consent; none of the signatures appearing on the forms could be attributed to the complainant thereby compounding the ambiguity of the process.

Another point of great importance is that the ODPC declared that it was not enough to claim that the purported violation occurred prior to the Act’s enactment, especially when the respondent continued to use the complainant’s image for years after the Act came into force. Therefore, the ODPC concluded, with regards to the first issue, that consent had not been properly obtained by the respondent as required by the Act to use the complainant’s image for commercial purposes.

2. Whether there was a violation of the Complainant’s rights under the Act;

With regards to the second issue, the ODPC used Section 40 as its starting point. Section 40 (1) of the Act enshrines the right to rectification and erasure,
stipulating that a data subject may request the data controller or processor to promptly erase or destroy personal data that is no longer authorised for retention, is irrelevant, excessive, or unlawfully obtained.²² Of equal importance, Regulation 12(3) of the Data Protection General Regulations mandates that a data controller or processor must address a request for erasure within fourteen days.²³

In the present matter, the complainant did indeed demand, via a letter, that the respondent cease using his image on its website and to remove it immediately. In exercising his rights to erasure and rectification, and as confirmed by both parties, the complainant’s image was duly deleted from the website shortly thereafter.

Consequently, the second issue appeared cut and dry, and the ODPC found and determined that with respect to the issue at hand, the respondent did not infringe upon the complainant’s rights as outlined by the Act.

3. Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations.

Upon thorough review of the complaint’s merits, including the evidence presented by both parties, it was duly established that the respondent processed the complainant’s image for commercial purposes without meeting the lofty requirements of consent as required by the Act. This therefore constituted a breach of the Act and its preconditions.

Moreover, it was apparent that the respondent continued to process the complainant’s personal data in violation of Sections 30(1)(a), 32(1), and 37 of the Act, even after its enactment. The respondent failed to substantiate that its actions were compliant with the Act during the period of continued use of the complainant’s image. To remedy such a situation, Section 65(1) of the Act provides for compensation to a data subject suffering damage due to a contravention of the Act, including both financial loss and non-financial damage such as distress.²⁴ By virtue of the Acts corresponding regulations, – specifically Regulation 14(3)(e) of the Data Protection (Complaints Handling and Enforcement Procedures) Regulations – bestows the power upon the ODPC to grant compensation.²⁵

The complainant requested several remedies, including the removal of the image from the website, a penalty or fine, and compensation. The respondent argued against compensation, asserting that the image was removed and that they had obtained consent through a model release form. Given the respondent’s inability to prove that it secured express consent and its continued use of the complainant’s image post-enactment of the Act, the respondent was therefore ordered to compensate the complainant a sum amounting to Kshs. 500,000 for the unauthorised commercial use of the image.

Conclusion

The cases and complaints discussed above exemplify the complexities surrounding consent and the commercial utilisation of personal data under the DPA. Of critical importance are the common threads that arose in both decisions. Both cases grappled with the validity and requirements of consent under data protection laws. In both instances, the respective parties disputed whether valid consent was obtained for the processing of personal data, whether that data was used commercially, and whether it was used in compliance with the Data Protection Act. Equally, both cases involved the commercial use of personal data and whether such use was authorised. The cases highlighted the need to differentiate between commercial and non-commercial uses of personal data and to ensure that appropriate consent is in place. However, the findings in each case illustrate that the standard for consent is broad. Further, ensuring appropriate consent is critical in both cases, whether dealing with minors or adults. The focus is on whether consent was properly obtained and recorded according to legal requirements, rather than the legal age of the subject.

The cases illustrate the centrality of consent in data protection, particularly in the context of commercial use and the processing of minors’ personal data. They underscore the need for clear, verifiable consent and adherence to data protection laws. The common tie is the scrutiny of how personal data is processed and used, highlighting the need for rigorous compliance with consent requirements and data protection principles. For additional insights on these issues, CIPIT’s published manual on the commercial use of personal data provides an in-depth guide to compliance.