By Jerameel Kevins Owuor Odhiambo
Worth Noting:
- The facts of the case are as clear as a cloudless African sky. Ms. Gatambu, a patient at AAR Healthcare’s Roysambu clinic, had her confidential medical information shared with a third-party insurance agent without her consent. This unauthorized disclosure led to the unsolicited marketing of insurance products to Ms. Gatambu, a violation of her privacy that cuts as deep as Okot p’Bitek’s Song of Lawino cuts into the heart of cultural conflict.
- The Office of the Data Protection Commissioner (ODPC) found AAR Healthcare liable for violating several principles of data protection. The healthcare provider failed to process data lawfully and fairly, violated the purpose limitation principle, and neglected its duty to notify the data subject of her rights.
In their seminal work “Privacy’s Blueprint: The Battle to Control the Design of New Technologies,” Woodrow Hartzog and Neil Richards argue that “privacy law should focus on the power relationships between people and the companies that control their data” (Hartzog & Richards, 2018). This principle lies at the heart of the case between Grace Gatambu and AAR Healthcare Kenya Limited, a decision that, while groundbreaking in its recognition of data privacy rights, falls short in providing meaningful redress to the aggrieved party.
The facts of the case are as clear as a cloudless African sky. Ms. Gatambu, a patient at AAR Healthcare’s Roysambu clinic, had her confidential medical information shared with a third-party insurance agent without her consent. This unauthorized disclosure led to the unsolicited marketing of insurance products to Ms. Gatambu, a violation of her privacy that cuts as deep as Okot p’Bitek’s Song of Lawino cuts into the heart of cultural conflict.
The Office of the Data Protection Commissioner (ODPC) found AAR Healthcare liable for violating several principles of data protection. The healthcare provider failed to process data lawfully and fairly, violated the purpose limitation principle, and neglected its duty to notify the data subject of her rights. Furthermore, AAR Healthcare did not report the data breach within the stipulated 72-hour window, a lapse as egregious as failing to report a bush fire in the dry season.
The decision rightly acknowledges the violation of Ms. Gatambu’s constitutional right to privacy, as enshrined in Article 31(c) of the Constitution of Kenya, 2010. It also recognizes the infringement of her rights as a data subject under the Data Protection Act, 2019, including her right to be informed, to object to data processing, and to have her data erased. This recognition is a step in the right direction, as solid as the foundations of the Great Zimbabwe ruins.
However, the decision’s failure to award compensation to Ms. Gatambu is a glaring omission that threatens to render the entire judgment a Pyrrhic victory. As the Swahili proverb goes, “Haba na haba hujaza kibaba” (Little by little fills the measure), but in this case, the measure of justice remains woefully empty. The lack of monetary compensation fails to acknowledge the tangible and intangible harms suffered by Ms. Gatambu, including potential emotional distress and loss of control over her personal information.
The ODPC’s decision to issue only an Enforcement Notice to AAR Healthcare, without any punitive measures or compensatory awards, is akin to slapping a lion with a feather. It fails to create a strong deterrent effect that would compel data controllers and processors to take their obligations seriously. As Chinua Achebe might say, “When we gather together in the moonlit village ground it is not because of the moon. Every man can see it in his own compound. We come together because it is good for kinsmen to do so.” Similarly, the enforcement of data protection laws should bring together the interests of individuals and organizations, creating a harmonious balance that respects privacy rights.
Moreover, the decision’s silence on compensation overlooks the broader implications of data privacy violations in the digital age. In an era where personal data is often referred to as “the new oil,” the unauthorized sharing of sensitive medical information can have far-reaching consequences beyond immediate privacy concerns. It can affect an individual’s insurability, employability, and social standing. By not addressing these potential ramifications through compensatory measures, the decision fails to fully grasp the gravity of modern data privacy breaches.
The ODPC’s approach also misses an opportunity to set a precedent for robust enforcement of data protection laws in Kenya. As the country positions itself as a tech hub in Africa, known colloquially as the “Silicon Savannah,” it is crucial to establish a legal framework that not only protects individual privacy rights but also provides meaningful remedies when those rights are violated. The lack of compensation in this case sends a troubling message that violations of data privacy, while recognized, are not treated with the seriousness they deserve.
In conclusion, while the ODPC’s decision marks a significant milestone in recognizing data privacy rights in Kenya, its failure to award compensation to Ms. Gatambu is a shortcoming that cannot be overlooked. It is reminiscent of the hollow victory described in Ngũgĩ wa Thiong’o’s “A Grain of Wheat,” where the achievement of independence is marred by unresolved issues. For Kenya’s data protection regime to truly serve its purpose, it must evolve to include robust compensatory mechanisms that provide tangible redress to individuals whose privacy rights have been violated. Only then can we say, in the words of Ayi Kwei Armah, that “the beautiful ones are [truly] born” in the realm of data privacy protection.
The Writer is a lawyer and legal researcher.