The intricacies of consent in the data protection act 2019 and its implications to business owners.

In a significant development in the Kenyan privacy space, the Office of the Data Protection Commissioner (ODPC) has recently handed down substantial fines to organizations that process personal data. These data processors, including digital credit providers, a school and restaurant/bar were slapped with hefty fines as a response to the processors violation of the privacy rights of data subjects. The restaurant was specifically fined for posting a reveler’s image on their social media for marketing purposes without the Data Subject’s consent. This action has sparked a renewed interest in the intricacies of Consent with processors, most notably restaurants and night clubs hastily releasing privacy and consent notices with the aim of releasing themselves from any liability. Many of these notices, however, fall flat on their face as they do not accurately encapsulate the intricate digital dance that is consent.  

What is consent?

If an individual in photos or videos can be identified or is identifiable, then those files are considered to be personal data. The Data Protection Act, 2019 defines consent as any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject. This definition in the Data Protection Act provides all the elements that must be satisfied for consent to be determined to be valid. They include:

1. Express Consent: To align with the Data Protection Act 2019, establishments have to ensure that patrons in their premises or attending their events have the freedom to choose whether their images would be taken and shared online and actively allow the establishment to capture and use the images for marketing or other purposes. Capturing images of revelers without their knowledge or consent and posting them online cannot be justified by having a notice of filming simply displayed at the entrance. The mere presence of the revelers’ in that establishment also does not act as consent.
2. Specific Consent: Establishments have to tie consent to a specific purpose for data processing, as mandated by the Act. To comply with this requirement, patrons must be adequately informed about the club’s data collection practices and how exactly their images would be used in order for the consent to be considered valid. 
3. Informed Consent: In accordance with the Act, establishments must provide sufficient information to patrons about their data collection practices and how exactly the data will be used, enabling individuals to make informed decisions about what exactly they would be consenting to before granting or withholding their consent.
4. Unambiguous/Unequivocal Consent: To adhere to the Act’s requirements, consent should be clear. Establishments and events cannot rely on silence, blanket privacy notices or ambiguous language to obtain consent. Instead, they ought to take deliberate action to allow patrons to explicitly signify their agreement. The practice of capturing and posting images without patrons’ knowledge or explicit agreement violates this requirement. Establishments must seek explicit and unambiguous consent from customers before using their images for marketing purposes. The mere presence of customers in an establishment does not imply consent to be used for such purposes.

The Data Protection Act provides that for personal data to be used for commercial and marketing purposes, the data subject must give written Consent. Issues of validity of Consent also arise, as for consent to be valid, it must meet specific criteria:

1. The individual must have a free choice and must be able to refuse or withdraw consent without being at a disadvantage. Consent isn’t freely given if, there is a clear imbalance between the individual and the business/organization.
   1. The data subject must have capacity to Consent, meaning they must be of the age of majority and have the mental capacity to consent. Intoxicated persons cannot properly give consent as intoxication impairs mental capacity.
   1. The individual must have the ability to withdraw the given consent at any time without detriment to themselves.

It is therefore evident that in the pursuit of meeting data privacy obligations, it is crucial to ensure that all establishments and their staff members are well-informed in matters related to consent and data privacy. This training on privacy has to contain a comprehensive understanding of the relevant data privacy laws and regulations in Kenya.

Additionally, there is need for professional training that covers the specific procedures for obtaining informed consent such as the use of Consent forms and their proper handling, opt-in or opt-out mechanisms, and how to address situations where patrons refuse consent or request revocations. It is also paramount that staff are trained in recognizing signs of intoxication among other factors that may vitiate consent.

Conclusion

The substantial fines for privacy violations and the violation of consent elements serves as a stark reminder that data protection laws are not limited to traditional business settings but apply to all organizations that handle personal data. Businesses in the entertainment and service industries also have obligations to review their data handling practices, particularly those involving the collection and use of personal information from customers or clients. Implementing clear policies, obtaining informed consent, and providing transparent information about data processing activities are essential and unavoidable steps toward compliance.

Consent remains a critical aspect of data processing, and individuals’ privacy rights must be respected, even in the world of nightlife and entertainment. The actions taken by the Data Protection Commissioner signal a commitment to safeguarding privacy rights, protecting consumers and ensuring that all businesses adhere to the principles of responsible data handling.

Date: October 5, 2023 By: Anne Gathirwa

For more insights pertaining to this matter, you can reach the writer at annegathirwalaw@gmail.com. You can also contact us at MMS Advocates, Lower Duplex Apartments, LOWER HILL ROAD, or email us at info@mmsadvocates.co.ke