DataHub | What New Court Rulings Mean for Your Compliance
Sep 02, 2025 4:31 am
Lead Case: CCTV and Privacy - A Turning Point or Bad Law?
Case:Ondieki v Maeda [2023] KEHC 18290
The High Court ruled that private individuals installing CCTV may still need to register as data controllers under the DPA, despite exemptions in law.
Why it matters
- Extends obligations to neighbours and small-scale users.
- Risks overreach into private disputes.
- Sets persuasive precedent for landlords, employers, and communities.
Insight: Courts are actively shaping obligations. The profession must stay alert to interventions that may overextend the Act.
Enforcement Watch: Fair Hearing at Risk
A recent ruling faulted the Data Commissioner for giving a respondent 14 days (instead of the statutory 21) to reply to an investigation.
Implication for organisations
- Track all ODPC timelines.
- Push back when statutory windows are cut short.
- Due process failures can void enforcement.
Compliance Quick Take: Cross-Border Transfers
Courts have confirmed: Consent is not enough when exporting sensitive personal data abroad. Under Section 48, ODPC approval is mandatory.
What this means in practice
- Notify ODPC before transfers.
- Demonstrate safeguards.
- Obtain written approvals.
Risk: Outsourcing payroll, HR, or IT abroad without ODPC approval could invalidate arrangements.
Closing Note
Kenyan data protection jurisprudence is accelerating, and sometimes misfiring. Lawyers are filing reviews instead of appeals; courts are extending obligations beyond the Act.
That’s why we have launched the Jurisprudence Tracker on DataHub:
- Easy to follow.
- Linked to full rulings.
- Highlights the practical implications for organisations.
________________________________________________________________
QnA: Test Your Knowledge
You are advising a property management company in Nairobi. A tenant has installed CCTV cameras pointing at their neighbor’s compound. The neighbor is demanding removal, citing invasion of privacy.
Question:
Under Kenya's Data Protection Act, 2019, which of the following is correct?
A) The tenant must register as a data controller with the ODPC, even though they are a private individual, if the CCTV captures identifiable personal data.
B) The neighbor’s consent is not required as long as the CCTV is installed for “security purposes.”
C) The installation is exempt from the DPA because the CCTV is on private property.
D) The tenant only needs to notify the estate management, not the ODPC, since it is a local dispute.
Correct Answer:
✅ A – The High Court in Ondieki v Maeda (2023) confirmed that CCTV surveillance capturing personal data triggers obligations under the DPA, including registration with the ODPC, regardless of exemptions claimed.
Practical Takeaway:
Even “private” data processing like CCTV can fall under the DPA. Organizations (and individuals) must factor this in when advising clients or setting compliance policies.
________________________________________________________________
The Fines Database
Our Fines Database is a resource tracking data protection enforcement actions.
Smallest Fine: KES.20K against Zerox Technology Company Ltd
The Privacy Lens
The Unique Kenyan Stance on Data Localization. You can read the full article by clicking on the link below.
Audio Notes, a Podcast
Episode 13 Digital Footprints - Personal Data by Triangulation which reviews personal data by triangulation is up. Click for a listen.
________________________________________________________________
Training & Advisory
Microlearning Courses are available via the MZIZI Africa LMS.
Email: info@mzizi-africa.com
________________________________________________________________
DataHub | Building Africa’s Legal Intelligence Hub for Data Protection
Follow DataHub on LinkedIn, Twitter or check us out online.
DataHub is a free to use to use resource by MZIZI Africa
