Connect with us


Data Breach: Law Firm Want Radisson Blu Investigated For Invading Privacy By Leaking Guests Records To The Media



When it rains, it pours. A Lawyer has filed a PIC with the data protection commissioner with regards to a potential data breach of the records of hotel guests of Radisson Blu Hotel & Residence, Nairobi Arboretum, Nairobi, Kenya (Radisson) on August 3, 2021.

In the heat of deputy President William Ruto getting blocked from traveling to Uganda on a scandalous private visit, it emerged that in his entourage was a Turkish citizen Harun Aydin who apparently is a terror suspect. It would be later told that the Turkish has been on intelligence watch.

Ruto has apparently brokered a deal with Turkish investors led by Aydin and a Ugandan partner to put up a COVID-19 vaccine plant in Uganda. Intelligence grabs suspected this was a full throttle money laundering scheme hence the rush to put a lid in it.

It was later reported that Aydin had been arrested in Frankfurt, Germany, in October 2001 on charges of “having planned serious acts of violence as a member of a terrorist group with an Islamic fundamentalist background”.

As events unfolded, it became public that Aydin had been staying in Kenya.

24/06/2021 Turkish national Harun Aydin checked into Nairobi’s Radisson Blu Hotel, for face value he was just any other guest and maintained that low profile for weeks until Monday 2nd when he’ll broke lose and his cover blown.

After the news broke, the businessman quickly checked out of a Radisson Blu Hotel where he had been staying since June. It was not immediately clear who checked him out.

It emerged that Immigration officials had stormed the hotel seeking to question the man who has been linked to terrorism.

Under unclear circumstances, a guest list from Radisson Blu Hotel detailing the profiles of guests to oust Aydin was leaked to the public through bloggers.

It is this leakage of the guest list that included not only details of Aydin the man in focus but names, rooms and check out information of other 34 guests that is now putting the hotel in trouble. Prow & Company advocates want the hotel to be investigated and held responsible for evading privacy of guests.

Related Content:  The Revised University of Nairobi Fee Structure To Tale Effect Starting September

“This is insufferable, inconsiderate, contumelious, and opprobrious behavior that wanton to disregard the privacy of hotel guests in Kenya and more specifically Radisson Blu Hotel in order to score short lived perceived political wins.” Reads the letter seen by Kenya Insights.

“We believe that this is a serious data breach by Radisson Blu Hotel and infringement of the rights to privacy of all Radisson visitors whose private details have been illegally published/leaked. The leaked information, indicates a serious non-committal or willful ignorance of the data privacy protection laws by Radisson.” Part of the letter reads.

Coming at a time when Kenya is struggling to hold up from the consequences of the pandemic that has slammed the economy, the firm raised a concern on the effects a move like Radisson’s would have on tourism. “The ministry of tourism and Wildlife should treat this matter as a serious national threat to the already ailing tourism industry.” It states.

“It cannot be gainsaid that the duty of any hotel is the protection of the guest’s privacy, as it is sacrosanct expression of respect, dignity, and psychological integrity of the guests.”

Indeed the hotel staff is obliged to discreetly protect the guests’ and private data through limited access to the cupboard at the reception desk, inserted passwords on their computers, guests’ data inaccessibility by the unauthorized persons, avoid loud pronouncing of the guest room numbers at key delivery and not revealing name of the guest, address and room number. As such, any information leak connotes serious connivance on the part of the staff and third parties. Imagine a situation where your hotel information is availed to your enemies who won’t hesitate to cause harm? The eventualities are unimaginable.

The Constitution of Kenya guarantees the right to privacy as a fundamental right. To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act, 2019 (‘the Act’) was enacted and came into effect on 25 November 2019. The Act has been implemented and progress towards implementation started in November 2020 with the appointment of the Data Protection Commissioner (‘the Commissioner’). As of the date of publication, the Office of the Data Protection Commissioner is in the process of setting up operations. A key action the Office of the Data Protection Commissioner has taken, through the ICT Advisory Committee on COVID-19, was the development of the Guidance Note on Access to Personal Data During COVID-19 Pandemic (‘COVID-19 Guidelines’). The COVID-19 Guidelines were put out for public and stakeholder participation on 12 January 2021, and closed on 9 February 2021. Upon implementation, the COVID-19 Guidelines are expected to provide a policy guidance on processing personal data to actualise responses to and research on the COVID-19 pandemic.

Harun Aydin on anti-terror Police custody.

On 15 January 2021, the ICT Cabinet Secretary appointed the Taskforce for the Development of the Data Protection General Regulations, with a term of six months, whose mandate includes development of the data protection regulations, auditing of the Act, identification of gaps or inconsistencies in the Act, and proposing any new policy or legal and institutional framework that may be needed to implement the Act, as well as other tasks related to the full implementation of the Act.

Related Content:  Impacts of counterfeiting on GDP and Foreign Direct Investments

The constitution of Kenya 2010 provides at article 31 ‘that every person has the right to privacy, which includes the rights not have-(a) their person, home or property searched; (b) their possessions seized;(c) information relating to their family or private affairs unnecessarily required or revealed or (d) the privacy of their communication infringed.

The Data Protection Act of 2019 which was assented to by the President of the Republic of Kenya on 08 November 2019 (the “Act“).

The Act brings into play comprehensive laws that protect the personal information of individuals. It establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, provides for the rights of data subjects and obligations of data controllers and processors.

The Commissioner’s office is mandated with overseeing the implementation of the Act together with establishing and maintaining a register of data controllers and data processors; receiving and investigating any complaints on infringements of the rights under the Act; carrying out inspections of public and private entities with a view to evaluating the processing of personal data; imposing administrative fines for failures to comply with the Act, amongst other functions.

Privacy laws are more relevant today than ever before. With data crossing borders following the increased internet penetration and increased use of social media and other digital information platforms, it is becoming more important to ensure that personal data is protected, processed and used for the correct purpose. While these protection laws are (sometimes) good news for those who have data stored or transferred online, it may not be so for those who have to navigate this mass of regulation.

Related Content:  CS Balala Defends Model Naomi’s Appointment

The lack of a data privacy law previously has been an enormous lacuna in Kenya’s digital rights landscape. With the new law in operation, those violating the law face a maximum fine of 3 million shillings ($29,283) or two years in jail.

”Notably, Radisson has compounded duty of notification and communication breach under article 43 of the act which provides that, “where personal data has been acquired by unauthorized person, and there’s a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, a data control shall-(a) notify the data commissioner without delay within 72 hours of becoming aware of such breach.”

As of the date of publication, Radisson was yet to make any public statement in respect to the open data breach that was internally orchestrated.

The lawyer now want the hotel to be slapped with a Sh5 million fine for the breach or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower.

The ball is now in the commissioner’s court and one of the crucial cases that will have serious ripple effect and most guest of not only Radisson Blu Hotel but larger tourism sector will be paying attention to as far as their privacy is guaranteed.

As for Radisson guests, there’s much to worry about your privacy as of the latest developments. As the letter signs out, “press play” we await the results.

Kenya Insights allows guest blogging, if you want to be published on Kenya’s most authoritative and accurate blog, have an expose, news TIPS, story angles, human interest stories, drop us an email on [email protected] or via Telegram

Kenya West is a trained investigative independent journalist and a socio-political commentator on matters Kenya and Africa. Do you have a story, Scandal you want me to write on? Send me tips to [[email protected]]


Most Popular