• The Commissioner dismissed the suit mainly on the grounds it had not been furnished with the relevant documents, that the alleged victims lacked locus standi, and that formal notice procedures, while filing the complaint, had been overlooked.
• It places too much regard on technicalities and fails to advance much-needed jurisprudence on a sensitive issue
The Office of the Data Protection Commissioner of Kenya this week dismissed a suit filed by Wamae & Allen law firm alleging breach of clients’ personal data by two former employees, both advocates.
The complaint filed by the firm alleged that the two accused, over a year — during which one of them had already left the firm — shared Wamae & Allen’s client files and pleadings, illegally.
In so doing, the firm claimed, the two infringed on its intellectual property rights, and breached the data privacy rights of the clients, whose personal details were contained within the shared files.
The matter came up before the Office of the Data Protection Commissioner, which, while declining jurisdiction to hear the intellectual property infringement, found that it was competent to entertain the issues touching on data protection and breach of personal data.
In a 26-page ruling, the Commissioner dismissed the suit in toto, mainly on the grounds that it had not been furnished with the relevant documents, that the alleged victims lacked locus standi, and that formal notice procedures, while filing the complaint, had been overlooked.
The complainant, it noted, maintained the right of appeal.
The decision, while a landmark one — in my opinion — is unsound.
It places too much regard on technicalities and fails to advance much-needed jurisprudence on a sensitive issue such as unauthorised sharing of client files by staff with third parties, not just in law firms, but also in other forms of business — hospitals, schools, supermarkets, telecoms etc.
In reaching the decision, the ODPC gave several reasons.
First, that it was not furnished with the material documents alleged to contain personal details that had been shared, and therefore, could not make a determination as to whether the same had been breached.
Second, that the shared client case files or pleadings were already in the public domain, having been published online on Kenya Law Reports, or being High Court documents in general. Thus, sharing them could not be deemed to have been unauthorised sharing of personal data.
The Commission also said the complainants’ clients were not natural persons (individuals) but legal persons (companies etc), and thus did not enjoy protection under the Data Protection Act, which exclusively covered natural persons.
In a parting shot, the ODPC also observed it had not received formal notice of appointment of the firm that filed the petition on behalf of the complainants, hence the same did not have authority to bring the complaint.
The decision is disappointing in many respects but mostly for revealing a lack of effort, and for shying away from growing jurisprudence.
The core issue for determination in my opinion here was whether a personal data breach occurred or not.
Section 9 (a) of the Act provides that the ODPC, on its own motion, can institute investigations into a matter, or can do so following a complaint by a data subject. Subsection (e) of the same says the ODPC can also require the production of any documents or information that would enable it to do its work.
For the Commission to casually note that it was not furnished with certain documents, hence could not make a determination if a breach had occurred, is not only lazy but inimical to the ends of justice.
Of paramount importance is to figure out if infringement of a human right, the right to privacy, had occurred, not whether the complainant misfiled documents.
Article 159(2)(d) of the Constitution was drafted precisely to deal with this structural rigidity and reads, “(d) justice shall be administered without undue regard to procedural technicalities”.
Nothing in the ruling tells us whether the Commission requested the said documents and failed to get them. But nothing would have been easier to do than that, in line with its powers under Section 9 of the Act, if indeed it intended to establish if there had been a personal data breach.
In the landmark decision the Irish Data Protection Commissioner issued last November against Facebook for the breach of users’ accounts details, it clearly said it undertook an investigation on its own volition, despite having earlier received a complaint from Digital Rights Ireland, a pressure group.
This underscores the core issue for determination, which is whether or not a breach of Kenyans’ personal data had occurred, irrespective of whether a complaint with or without supporting documents had been filed.
After all, the majority of Kenyans are not lawyers, yet have the right to file grievances with the ODPC. It will do them no favours to subject them to an undue regard to technicalities, rather than dealing with the substance of the matter.
This decision, in my opinion, does not advance the ends of justice.