Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

The Kenya Union of Journalists sued Kenya Broadcasting Corporation (KBC) over its mandatory facial biometric attendance system. The High Court ruled the rollout violated privacy (Article 31) and data protection laws due to lack of consent, transparency, and a Data Protection Impact Assessment (DPIA). KBC conceded, and the HC ordered the erasure and destruction of all collected biometric data.

Facts

The Kenya Union of Journalists (KUJ), representing its members employed by the Kenya Broadcasting Corporation (KBC), filed an Originating Motion challenging KBC's introduction and enforcement of a mandatory facial biometric attendance system.

The Applicant asserted that the implementation of this system, which used facial recognition to record time and attendance, violated the employees’ constitutional right to privacy under Article 31 and the protection of personal data under Section 25 of the Data Protection Act. KUJ argued that the system was rolled out without obtaining the consent of the data subjects, without providing them with pertinent information on the processing of their data, and by ignoring their objections and concerns. Crucially, the Applicant stated that KBC failed to carry out a mandatory Data Protection Impact Assessment (DPIA) prior to the rollout, as required for sensitive data.

Furthermore, KUJ claimed that KBC refused to engage in consultation, violating the requirement for public participation under Article 10(2)(a), and refused to provide information regarding the identity and licensing of the systems service provider, which violated the principles of good governance, integrity, transparency, and accountability under Article 10(2)(c). The Applicant sought the erasure and destruction of the unlawfully collected biometric data and protective orders against continued unlawful processing.

When the matter came up for interpartes mention, the counsel for the Respondent, KBC, informed the High Court that KBC did not oppose the application. KBC's counsel unequivocally confirmed that the Respondent was in the process of undertaking full compliance with the Data Protection Act, including conducting a DPIA, and was amenable to any orders or directions the Court deemed just. Essentially, KBC conceded the application in its entirety.

Given KBC’s concession, the High Court found that the remedy of judicial review was merited due to undisputed evidence of procedural and substantive irregularities and the violation of constitutionally guaranteed rights. The Court's analysis included:

1. Sensitive Data and Heightened Safeguards: The Court noted that processing facial biometric data constitutes processing sensitive personal data, which necessitates heightened safeguards under the Data Protection Act.
2. Mandatory DPIA: The Court found that the Applicant demonstrated, and the Respondent did not dispute, that no DPIA preceded the roll-out of the system, which is mandatory under Section 31 of the Data Protection Act for new technologies and sensitive data.
3. Lack of Transparency: The Applicant’s averments concerning the lack of consultation, disclosure, and transparency in the system's procurement remained unchallenged.
4. Violation of Constitutional Standards: The Court held that the unilateral and opaque adoption of a facial biometric surveillance tool without obtaining informed consent fell short of constitutional standards, specifically violating Article 10 (public participation, transparency, and accountability) and Article 31 (privacy).
5. Disregard of Safeguards: The Court expressed deep perturbation at the continuing disregard of constitutional and statutory safeguards, noting that public bodies like KBC were harvesting sensitive biometric data in patent breach of the Data Protection Act and Article 31 of the Constitution, despite previous clear judicial pronouncements.