Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

Credit Watch Investment Limited appealed the ODPC finding that it violated the rights of three respondents by using their data without consent for debt recovery. The Appellant challenged its liability and the Ksh. 300,000/- compensation awarded to each respondent. The High Court upheld the ODPC determination, dismissing the appeal as devoid of merit.

Facts

The Appellant, Credit Watch Investment Limited, was aggrieved by an ODPC's decision that held it liable for violating the Respondents’ right to privacy and failing to fulfil its obligations under the Data Protection Act, and which ordered it to pay Ksh. 300,000/- each its obligations under the Data Protection Act, and which ordered it to pay Ksh. 300,000/- each in compensation to the three Respondents.

<aside> ➡️

An Appeal from the decision of the Office of the Data Protection Commissioner delivered on 1st December, 2023 in ODPC Consolidated Complaints Nos. 1626, 1797 and 1835 of 2023 | Peter Mbugua & 2 Others vs. Credit Watch Investment Ltd - ODPC Complaints No. 1835, 1626 & 1797 of 2023

</aside>

The Apellant presented several grounds of appeal dated 3rd January 2024. The core issues raised by the Appellant were:

1. The ODPC erred in law and fact by finding that the Appellant had violated the Respondents' right to privacy and that the Appellant had failed to fulfil its obligations as a data controller under the Data Protection Act, 2019.
2. The ODPC erred by failing to find that the Appellant did not breach the Respondents’ right to privacy because, in the Appellant’s view, this responsibility lay with the loan borrower (the data processor in that context).
3. The Appellant argued that the circumstances of the case showed the Respondents had given their consent for their data to be submitted as emergency contacts, making them aware that their data had been shared with the Appellant, thus arguing that it complied with Sections 28 (Collection of personal data) and 29 (Duty to notify) of the Data Protection Act. They asserted that the obligation to obtain the consents of the emergency contacts lay with the loan applicants (the borrowers).
4. The Appellant contended that the sole purpose of the emergency contacts was to ascertain the whereabouts of the borrowers if they could not be reached.
5. The ODPC erred by awarding each of the Respondents Ksh. 300,000/- as compensation for damages/distress when this sum was neither pleaded nor proven. Furthermore, the ODPC failed to provide the basis, criteria, and rationale for awarding this specific sum.

The three Respondents (Peter Mbugua, Timothy Ngome, and Aggrey Timothy) had initially lodged complaints because they were listed as guarantors or emergency contacts for a loanee (Pascal Mwanje) without their respective consents.

In response to the appeal, the 1st Respondent (Peter Mbugua) presented submissions, which the 2nd and 3rd Respondents adopted and relied upon. The Respondents maintained that they were not consulted or privy to the agreements between the loan defaulters and the Appellant and felt harassed and distressed by the incessant messages, phone calls, and veiled threats they received. The messages received demanded that they reach out to the defaulters as an obligation and ensure the loans were paid up, with some containing veiled threats of unspecified action if payment was not made.