KES 1.95 Million Penalty for Data Rights Violation

Introduction

In a recent decision, the Office of the Data Protection Commissioner (ODPC) in Kenya tackled one of the most significant privacy cases under the Data Protection Act, 2019. This case, involving former Scangroup CEO Bharat Thakrar, and corporate giants WPP Scangroup PLC, WPP PLC, and Control Risks Group (CRG), has set a high standard for the privacy rights of individuals and the responsibilities of companies. With data privacy breaches making headlines worldwide, this determination is a pivotal moment for Kenya’s data protection regime, highlighting both the rights of data subjects and the accountability measures expected from data controllers and processors.

Case Summary: ODPC Complaint No. 1159 and No. 1106 of 2024

In a consolidated complaint, Bharat Thakrar, former CEO of WPP Scangroup PLC, filed grievances with Kenya’s Office of the Data Protection Commissioner (ODPC) against WPP Scangroup PLC, its parent company WPP PLC, and Control Risks Group (CRG). Thakrar alleged multiple breaches of his privacy rights, stating that the respondents processed his personal data without lawful basis or his consent, resulting in significant harm to his professional and personal reputation. This complaint put the data handling practices of these high-profile companies under scrutiny, raising critical questions around transparency, data access rights, and the lawful basis for data processing.

Key Allegations by the Complainant

  1. Unauthorized Access and Processing of Personal Data: Thakrar contended that CRG, as a third-party consultant engaged by Scangroup and WPP, accessed his personal devices, including his laptop and iCloud, without consent. The data accessed allegedly included private messages unrelated to his professional duties, which were later disclosed in a report shared with the Capital Markets Authority (CMA) and other parties.
  2. Denial of Access to Personal Data: The complaint noted that both WPP and Scangroup denied Thakrar’s data access requests, obstructing his rights under the Data Protection Act. Thakrar argued that this restricted his ability to fully understand the scope and purpose of the data processing activities undertaken by the respondents.
  3. Transparency and Third-Party Data Sharing: According to Thakrar, the respondents failed to be transparent regarding data sharing with external parties. He cited unauthorized disclosures of his personal information to the CMA and WPP, which he claimed went beyond the intended purpose of employment-related data processing.
  4. Misuse of Legal Privilege and Confidentiality: Thakrar asserted that the respondents invoked legal privilege and confidentiality without valid grounds to deny his access requests. He argued that these claims of privilege were improperly used to prevent access to investigative reports and communications that involved his personal data.

Respondents’ Defense

The respondents, represented by legal counsel, argued that their data processing activities, including the investigation led by CRG, were justified under the employer-employee relationship. They claimed that the data processing was necessary for fulfilling legal obligations, compliance with the Capital Markets Act, and protecting Scangroup’s legitimate interests following allegations of misconduct against Thakrar. The respondents also asserted that the data access requests (Data Subject Access Requests, or DSARs) submitted by Thakrar were overly broad, excessively costly, and an attempt to bypass discovery processes in related ongoing litigation.

ODPC’s Determination

After careful examination, the ODPC addressed the following key issues:

  1. Data Subject Access Rights: The ODPC held that Thakrar’s right to access his personal data was valid under Section 26(b) of the Data Protection Act. The ODPC found that the respondents could have provided him with access to non-privileged personal data, with privileged or confidential information redacted if necessary, rather than broadly denying his access requests.
  2. Transparency in Data Processing: The ODPC emphasized that the respondents failed to adequately demonstrate transparency, particularly regarding data sharing with third parties. This lack of transparency breached data protection principles, specifically in terms of notifying Thakrar about the purpose and legal basis of sharing his data with the CMA and other entities.
  3. Public Interest Exemption Misapplication: The respondents attempted to invoke public interest exemptions to justify data processing in the context of the investigation. However, the ODPC ruled that public interest exemptions must be narrowly applied and cannot be used to circumvent compliance with data protection principles or deny data subjects their lawful rights.
  4. Balancing Legal Privilege and Data Access Rights: While the ODPC acknowledged the role of legal privilege, it concluded that the respondents should have provided access to Thakrar’s personal data by redacting any sensitive or legally privileged information, rather than outright denying access on broad claims of privilege.
 

Final Determination and Orders from the ODPC

  1. Access to Personal Data: The 1st and 2nd respondents (WPP Scangroup PLC and WPP PLC) were ordered to provide the complainant, Bharat Thakrar, access to his personal data related to his tenure as CEO and Director at WPP Scangroup. This access must align with Section 26(b) and Regulation 9 of the Data Protection (General) Regulations, 2021, and was to be granted within seven days of the determination.
  2. Monetary Compensation: The respondents were collectively ordered to compensate the complainant for breaches of his data protection rights, totaling KES 1,950,000 (Kenya Shillings). The breakdown is as follows:
    • 1st Respondent (WPP Scangroup PLC): KES 700,000
    • 2nd Respondent (WPP PLC): KES 700,000
    • 3rd Respondent (Control Risks Group): KES 550,000
  3. Issuance of an Enforcement Notice: An enforcement notice was to be issued to all respondents, reinforcing compliance requirements under the Data Protection Act.
  4. Right to Appeal: The respondents retain the right to appeal the determination to the High Court of Kenya within 30 days from the date of issuance.

Conclusion

In an era where data is power, this determination underscores that individuals have the right to know and control how their personal data is handled. For those managing personal data in Kenya, compliance with the Data Protection Act is not optional—it’s a fundamental responsibility.