| Authority: |
High Court |
| Jurisdiction: |
Kenya |
| Relevant law: |
Legal provisions reviewed |
| Type: |
Law suit |
| Outcome: |
Application Struck Out |
| Started: |
2 February, 2025 |
| Decided: |
12 August 2025 |
| Published: |
Yes |
| Fine: |
N/A |
| Parties: |
Henry Arunda vs. Office of the Data Protection Commissioner & another; Data Privacy and Governance Society of Kenya (Interested Party) (Constitutional Petition E010 of 2025) [2025] KEHC 12262 (KLR) (Constitutional and Human Rights) |
| Case No.: |
Petition E010 of 2025) [2025] KEHC 12262 (KLR) (Constitutional and Human Rights) |
| Appeal: |
N/A |
| Original Source: |
Kenya Law Reports |
| Original contributor: |
MZIZI Africa |
Contents
- Summary
- Facts
- Holding
- Comment
- Further resources
- The Decision
Summary
Harry Arunda challenged the Data Protection Commissioner's (ODPC) jurisdiction and the constitutionality of its powers to handle privacy breaches. The High Court ruled the ODPC's functions are administrative and quasi-judicial, not judicial, with High Court appellate oversight. The court dismissed the petition, affirming the ODPC's constitutional role in data protection.
Facts
Harry Stephen Arunda, an advocate of the High Court, initiated the petition. His core arguments were:
- Unconstitutional Usurpation of Jurisdiction: The Office of the Data Protection Commissioner (ODPC), an executive agency, lacks the jurisdiction to determine breaches of the right to privacy guaranteed under Article 31 of the Constitution. He argued that only the High Court, under Articles 23(1) and 165(3)(b), is constitutionally mandated to determine violations of the Bill of Rights.
- Unconstitutionality of DPA Provisions: Section 56 of the Data Protection Act, 2019 (DPA) and Regulation 14(5) of the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021 are unconstitutional. He contended that these provisions impermissibly confer judicial powers on an executive body by granting the ODPC authority to issue binding and enforceable orders, including remedies like compensation, which are akin to those granted by the High Court under Article 23(3). This, he argued, violated the doctrine of separation of powers.
- ODPC Not a Subordinate Court: The Petitioner asserted that the ODPC is not a "subordinate court" within the meaning of Article 169(1) and therefore cannot exercise jurisdiction over constitutional questions.
- Unlawful Overlap with KNHREC: The ODPC’s jurisdiction unlawfully overlaps with that of the Kenya National Human Rights and Equality Commission (KNHREC), which is expressly empowered under Article 59 to investigate human rights violations.
- Inapplicability of Exhaustion Doctrine: The Petitioner argued that the ODPC's dispute resolution mechanism is inadequate and unconstitutional, making it futile and unconstitutional to require him to exhaust remedies under the DPA before approaching the High Court. He believed matters involving alleged violations of the Bill of Rights are exclusively for the High Court.
- Reliance on Precedent: The Petitioner relied on authorities such as Samura Engineering Ltd v Kenya Revenue Authority eKLR and Hussein Khalid & 16 Others v Attorney General & 2 others KESC 90 to underscore the High Court's exclusive jurisdiction in constitutional matters.
The 1st Respondent (ODPC), 2nd Respondent (Attorney General), and the Interested Party (Data Privacy and Governance Society of Kenya) opposed the Petition.
- 1st Respondent (Office of the Data Protection Commissioner - ODPC):
- Contended that the DPA was enacted to give effect to Article 31(c) and (d) and established the ODPC to regulate personal data processing.
- Its mandate, under Sections 8(1)(f), 56, 58, and 65, includes receiving and investigating complaints, issuing enforcement notices, and awarding compensation for data breaches.
- Argued that its functions are administrative and quasi-judicial, not judicial, and that Section 64 of the DPA preserves the High Court's appellate jurisdiction, ensuring constitutional propriety.
- Submitted that it is a legitimate forum under Article 159(2)(c), which encourages alternative dispute resolution (ADR), citing Kirimi & Another v Mobi Changa Ltd in support.
- Maintained that its powers are akin to those of other regulatory agencies that issue enforcement actions subject to judicial review.
- Refuted any unlawful overlap with KNHREC, stating that its mandate is distinct and focused on data protection, grounded in Article 31(c) and (d).
- 2nd Respondent (Attorney General):
- Concurred with the ODPC and invoked the doctrines of constitutional avoidance and exhaustion.
- Submitted that courts must respect statutory dispute resolution frameworks unless exceptional circumstances exist, and that the Petitioner had neither lodged a complaint with the ODPC nor demonstrated that its process was inadequate.
- Argued that the Constitution permits the creation of sector-specific regulatory bodies to actualize constitutional rights (Articles 59(4) and 21(3)), making the ODPC’s establishment constitutional and necessary for focused, expert enforcement.
- Interested Party (Data Privacy and Governance Society of Kenya):
- Emphasized that the ODPC was established to fill a legislative and institutional gap in enforcing the right to privacy, highlighting its technical competence and the need for accessible, sector-specific redress.
- Contended that the ODPC does not usurp judicial authority but provides a specialized forum for administrative enforcement.
- Argued that specialized data protection authorities are globally accepted and constitutionally permissible, citing Nubian Rights Forum v AG eKLR and comparative jurisprudence from South Africa and Uganda.
- Stated that the ODPC’s capacity to make "enforceable" determinations should be understood in an administrative and regulatory context, not as an intrusion into judicial independence.
- Supported the view that the mandates of KNHREC and ODPC are complementary rather than duplicative, drawing on examples from the European Union and South Africa.