
The Jurisprudence Tracker is a specialised database that captures and curates key rulings interpreting Kenya’s Data Protection Act. It focuses exclusively on decisions that clarify provisions of the law or introduce shifts in how the Act is applied, removing the uncertainty and assumptions that often cloud compliance.

By distilling judgments into accessible summaries, the tracker enables legal professionals, DPOs, and organisations to see how courts and tribunals are shaping obligations in practice. It is not just a record of cases, but a live reference point for understanding the evolving meaning of data protection law in Kenya.

With the Jurisprudence Tracker, DataHub delivers on its vision of being Africa’s legal intelligence layer, equipping professionals to stay current, make informed decisions, and anticipate compliance risks.



KENYA

| No. | Case Title / Link | Court & Date | Legal Issue / Question Clarified | Key Principle / Holding Established | Practical Implication |
|---|---|---|---|---|---|
| 1 | | High Court at Nairobi (Milimani) - 12 June 2025 - AC Mrima | Whether the ODPC, in handling complaints, must comply with the constitutional standards of fair administrative action (Art. 47) and apply mandatory ADR before finalising investigations. | The High Court held the Data Commissioner failed in its duty by not sharing investigation reports and not utilising ADR. | ODPC decisions can be overturned for procedural unfairness. Organisations can challenge ODPC enforcement where due process is skipped. Also signals that ADR is now a jurisprudentially embedded requirement in Kenyan data protection enforcement. |
| 2 | | Employment and Labour Relations Court at Nairobi - Byram Ongaya - 30 November 2023 | Whether the legal requirement to obtain approval from the Data Commissioner before transferring sensitive personal data outside Kenya still remained where the data subjects approved the transfer of their information and where no complaint had been filed with the Data Commissioner. Whether the transfer of employees' sensitive personal data from Kenya to Scotland, without proper legal authorisation, violated the employees' right to equal protection and benefit of the law under Article 27 of the Constitution. | The 4th and 5th respondents were bound by section 48 of the Data Protection Act, which requires data controllers or processors to obtain approval from the Data Commissioner before transferring sensitive personal data outside Kenya. Even though the employees may have consented to the transfer, the respondents were obligated to ensure the Data Commissioner was informed and satisfied with the security and protection measures in place. Although no complaint was filed with the Data Commissioner, the legal duty to obtain approval from the Commissioner remained. | Any company exporting health data, financial data, or employee records (sensitive data) outside Kenya must file with and obtain approval from the ODPC first. Skipping this step, even with employee consent, creates legal exposure. |
| 3 | | High Court at Nairobi (Milimani) - 31 May 2023 - Justice H.I. Ong'udi | Whether private CCTV installation by a neighbour, capturing or capable of capturing another's property, amounts to a breach of the right to privacy under Art. 31 and the Data Protection Act, 2019. | Registration with the Data Commissioner was mandatory, despite the CCTV being for private "security use." | Exemptions in the DPA (e.g., domestic/household use) will be narrowly read by courts. Even small-scale CCTV use may trigger registration and compliance. Corporate CCTV, biometric, and surveillance programmes face heightened liability if unregistered. |
| 4 | | High Court at Nairobi (Milimani), Judicial Review Division - Justice JM Chigiti SC - 14 July 2023 | Can a party subject to a penalty imposed by the Data Protection Commissioner bypass internal appeal/review mechanisms and proceed directly to judicial review? Does failure to exhaust statutory remedies under the Data Protection Act, 2019 and the Fair Administrative Action Act (FAAA) render a judicial review application premature? | The doctrine of exhaustion applies: where the Data Protection Act and FAAA provide for internal remedies (appeal, review, waiver), a party must pursue those avenues before approaching the High Court. Judicial review is not available where a party seeks to challenge the quantum or fairness of a penalty but has not exhausted the statutory review/appeal process. Exceptional circumstances could exempt exhaustion, but the Applicant neither pleaded nor proved such grounds. The application was therefore dismissed as premature, reinforcing the role of the ODPC's internal dispute mechanisms. | Organisations facing enforcement or penalty notices from the ODPC must first pursue the remedies set out in the DPA 2019 and regulations before seeking judicial review. Courts will strictly enforce the exhaustion doctrine to prevent regulatory bypass and uphold ADR/administrative efficiency. Organisations must be aware that immediate recourse to the High Court is not viable unless exceptional grounds exist. This ruling reinforces similar holdings out of the High Court. Read together with the related ruling in the next entry. |
| 4 (related) | | High Court of Kenya at Nairobi (Milimani Law Courts), Judicial Review Division - Justice J. Ngaah - 2 December 2024 | Whether judicial review is the proper remedy where a statute (Data Protection Act, Section 64) provides a right of appeal against the Data Protection Commissioner's (DPC) decision. | Appeal, not judicial review, is the remedy: where a statute (e.g., DPA Section 64) provides a right of appeal against an administrative decision (here, the DPC's refusal to admit a complaint), judicial review is inapplicable and improper. | Exhaust statutory appeals first: organisations challenging DPC decisions must use the appeal mechanism (DPA Section 64) instead of judicial review. Bypassing this renders proceedings an abuse of process. |
| 5 | | High Court of Kenya at Nairobi (Milimani Law Courts), Judicial Review Division - JM Chigiti - 16 May 2024 | Did the DPC infringe the Applicant's right to be heard when it gave him 14 days to respond to the complaint that formed the basis of the determination, rather than the 21 days mandated by the DPA 2019? | Giving the Applicant 14 days to respond, as opposed to the statutory 21 days, took away the Applicant's right to be heard. | When entities receive a complaint, enforcement notice, or penalty notice, they should confirm that the ODPC has given the full 21 days (or whatever period is set out in law). If not, they can raise this as an objection or ground for appeal. |
| 6 | | High Court of Kenya at Nairobi (Milimani Law Courts), Judicial Review Division - JM Chigiti - 12 May 2023 | Whether the Data Protection Commissioner (DPC) loses jurisdiction by rendering a decision outside the 90-day statutory timeline under Section 56(5) of the Data Protection Act. Validity of a DPC decision issued after statutory timelines. | Strict statutory timelines: the DPC's jurisdiction under Section 56(5) of the Data Protection Act is time-bound. Decisions rendered after 90 days from complaint lodgement are ultra vires and a nullity (Joint Venture of Lex Oilfield Solutions Ltd v Public Procurement Administrative Review Board applied). Locus standi affirmed: law firm partners have sufficient interest to lodge DPC complaints concerning client data breaches due to their fiduciary duty to protect client information. Jurisdictional lapse: the DPC's determination dated 6 January 2023 (issued ~170 days post-complaint) was void ab initio for exceeding the 90-day limit. No "purposive interpretation" excuses non-compliance. Corporate entities excluded: while natural persons are "data subjects" under the Act, juristic persons (e.g., law firms) cannot independently lodge complaints (Section 3, DPA). | Timelines are mandatory: DPC investigations must conclude within 90 days. Organisations should demand timely resolutions and may challenge delayed determinations as void. Locus standi limitations: only natural persons or their authorised representatives may lodge complaints. Entities must act through partners/officers with fiduciary ties to affected data. Remedy for tardy decisions: judicial review (certiorari) lies to quash determinations made outside statutory timelines. Courts may order fresh investigations via mandamus. Compliance urgency: the DPC must prioritise resource allocation to meet deadlines. Delays caused by parties do not extend jurisdiction. |
| 7 | | ODPC | Whether a data controller's prompt and effective mitigation measures, taken after a data protection infringement, can influence the determination of compensation (quantum of damages), particularly for non-pecuniary harm such as distress, under the Data Protection Act, 2019. | The Office of the Data Protection Commissioner (ODPC) established that mitigation measures undertaken by a data controller are a relevant and influential factor in assessing the quantum of compensation for data protection infringements. Despite finding a clear breach and ordering compensation, the ODPC factored these mitigating steps into its determination, leading to an award of Kenya Shillings Fifty Thousand (Kshs. 50,000). This demonstrates that while mitigation does not absolve liability, it can temper the final compensation amount. | The practical implication for data controllers and processors is significant: swift and demonstrable mitigation following a data protection breach is crucial for potentially reducing financial liability in terms of compensation. Data controllers are incentivised to implement robust incident response plans and act promptly to rectify any infringements. Immediately ceasing the offending activity, erasing affected personal data, providing transparent communication to the data subject, and implementing safeguards to prevent recurrence will be viewed favourably by the ODPC. Such proactive steps, even when a breach has occurred, can lead to a lower compensation award compared to situations where breaches are persistent, unaddressed, or handled with a lack of good faith, underscoring the importance of accountability and prompt corrective action in data protection compliance. |
| 8 | | High Court | Whether automatic cancellation of a subscriber contract upon opting out of messages is valid. Whether continued messaging was lawful where equipment-return obligations kept the contract "alive." Unreviewed issue: whether sending different categories of messages violated the purpose limitation principle under Section 25(c) of the Data Protection Act, 2019. | ODPC: found Zuku in violation of the DPA 2019 for sending messages despite the subscriber's opt-out. High Court (on appeal): held that the contract was not fully terminated, as equipment-return obligations maintained its pendency. The Court did not address the purpose of collection or whether subsequent messaging was compatible with the original purpose. | A contract's pendency (e.g., equipment-return clauses) may justify some processing, but this does not automatically extend to all types of communication. Organisations must review purpose alignment: data collected for service provision/billing cannot be repurposed for marketing or unrelated messaging without fresh consent or another lawful basis. The ODPC missed an opportunity to clarify this, leaving purpose limitation a grey area for future disputes. The High Court limited its review to what was in dispute at the ODPC, as required under its appellate jurisdiction. |