Oppo Kenya, the Chinese-based Kenyan franchise of a global smartphone manufacturer, risks a class action lawsuit over a privacy breach that is likely to have serious worldwide ramifications, even for the parent entity.
Already, the Office of the Data Protection Commissioner (ODPC) has issued a penalty notice against Oppo Kenya after it defied an enforcement notice issued against it following a complaint over breach of personal data.
Oppo is required to pay a penalty of Sh5,000,000 pursuant to Section 63 of the Data Protection Act and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations.
On November 3, the ODPC issued an enforcement notice against Oppo Kenya for violating a complainant’s privacy by utilizing their image on the business’ Instagram account (stories) without their permission.
“ODPC urges Data Controllers and Data Processors to ensure that the processing of personal data is in accordance with the provision of the Act. Failure to comply with the Act will result in instituting enforcement procedures,” she said in a statement.
The penalty notice was issued under Sections 62 and 63 of the Data Protection Act of 2019 (Act) and Rules 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations of 2021.
Oppo Kenya reportedly refused to work with the ODPC and has not created a policy to comply with Section 37 of the Act, which prohibits the use of personal data obtained in accordance with the Act’s provisions for commercial purposes unless the user has obtained the consent of the data subject or is otherwise permitted to do so by a written law.
Along with failing to provide a data protection policy in response to the enforcement notice, Oppo Kenya also failed to provide evidence that it had established an internal complaints procedure to handle complaints from data subjects.
Data Commissioner Immaculate Kassait urged entities to comply with the Data Protection Act by applying data protection principles and safeguards to all processing activities that relate to the collection, storage and other processing of personal data and sensitive personal data.
ODPC said only 18 of 40 entities had responded to its compliance audit notice to submit documents for preliminary preview.
The agency said a comprehensive review of the documents submitted was ongoing.