[kictanet] Day 5: Policy and Regulatory Framework on Privacy and Data Protection- Offences and Remedies

Grace Bomu nmutungu at gmail.com
Tue Aug 28 08:53:13 EAT 2018

Offences are public in nature and their prosecution and sentencing are
carried out through the criminal justice system. Remedies, on the other hand,
may be considered from a civil lens and examples include damages,
restitution, coercive (injunctions) and declaratory remedies. They are
personal and their aim is to give justice to the injured person. A trend
with newer laws is the provision of both offences and remedies. In the
copyright law for example, in addition to criminal offences, one can
recover profits from pirated material.
Back to our bill, the following offences are created:

*Offence:* Knowingly supplying false information to the data commissioner
during registration as a data controller or processor (clause 15 (3))
*Penalty:* General penalty under clause 59: 5 million shillings fine or
5 years imprisonment or both; possible forfeiture of equipment and
prohibition order

*Offence:* Data controller or processor failing to notify the data
commissioner about a change in particulars (clause 16 (7))
*Penalty:* General penalty

*Offence:* Unlawful processing of personal data (clause 27)
*Penalty:* 5 million shillings fine or 5 years imprisonment

*Offence:* Unlawful processing of sensitive personal data (part v)
*Penalty:* 5 million shillings fine or 5 years imprisonment

*Offence:* Refusing to comply with a notice from the data commissioner or
knowingly furnishing the commissioner with false information during
investigations (clause 52(3))
*Penalty:* General penalty

*Offence:* Disclosure of personal data by controller against specified
purpose (clause 58 (1))
*Penalty:* General penalty

*Offence:* Disclosure of personal data by processor without authority of
controller (clause 58 (2))
*Penalty:* General penalty

*Offence:* Obtaining personal data without prior authority of controller or
processor (clause 58 (3)(a))
*Penalty:* General penalty

*Offence:* Disclosure to a third party (clause 58 (3) (b))
*Penalty:* General penalty

*Offence:* Offer (advertisement) to sell personal data obtained through
unlawful disclosure (clause 58 (4))
*Penalty:* General penalty

The bill has taken the criminal law track and has not provided remedies
targeting persons injured by contravention of the bill. It does however
create a complaints mechanism where the public can lodge complaints with
the data commissioner. The powers of the commissioner in addressing such
complaints are limited to issuing notices (and we shall be discussing more
about the office powers of the data commissioner in due course).

Our discussion today is on the question of choosing the offences route as
opposed or in addition to the civil route. What are our thoughts on this?
Should we have borrowed the pro-rated model of the GDPR where
controllers/processors are charged administrative fines according to their
And when we come to offences, are they adequate? Should the magnitude of
the offence be measured against the size of the data processor or are all
sins equal despite the might of the transgressor?

Listers, please share your views on these issues. As usual, we welcome
identification of good and problematic clauses. Welcome to the discussion.

Grace Mutung'u
Skype: gracebomu
PGP ID : 0x33A3450F