Oppo Kenya Fined Sh5M For Data Breach

The Office of the Data Protection Commissioner

(ODPC) has issued its first penalty notice against Oppo Kenya as a result of neglect and/or default to comply with an enforcement notice issued against it.

ODPC on 3 November 2022 issued an enforcement notice against Oppo Kenya(“Company”) after it infringed on the privacy of a complainant by using their photo on the company’s Instagram account (stories) without the complainant’s consent.

The penalty notice has been issued pursuant to Section 62 and 63 of the Data Protection Act, 2019 (Act) and Regulation 20 and 21 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021.

Oppo Kenya has refused to co-operate with ODPC by among others; failing to adduce and/or develop a policy for compliance with Sections 37 of the Act, which provides that a person shall not use, for commercial purposes, personal data obtained pursuant to the provisions of the Act, unless the person has sought consent from a data subject or is authorized to do so under any written law.

Oppo Kenya has also failed to adduce a data protection policy pursuant to the enforcement notice issued; and proof that it has developed an internal complaints mechanism to address data subjects’ complaints.

Oppo Kenya is therefore, required to pay to the ODPC a penalty of Kenya Shillings Five Million (KES 5,000,000) pursuant to Section 63 of the Data Protection Act, and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement).

Data Commissioner, Immaculate Kassait, MBS, in her remarks, has urged entities to comply with the Data Protection Act by implementing data protection principles and safeguards to all processing activities that relate to the collection, storage and other processing of personal data and sensitive personal data.

“ODPC urges Data Controllers and Data Processors to ensure that the processing of personal data is in accordance with the provision of the Act. Failure to comply with the Act will result in instituting enforcement procedures,” she remarked.

Regarding the compliance audit notice which was previously issued to the 40 Digital

Credit Providers, ODPC wishes to notify the public that as of the deadline for submission of documents for the compliance audit, 18 out of 40 entities had responded to the letter from the Office by submitting documents for preliminary review.

A comprehensive review of the documents submitted is currently ongoing.

In its preliminary findings, the Office notes that majority of the Digital Credit Providers have more than one product mentioned earlier registered under one entity.

Of the Digital Credit lenders that received a notice, 22 have failed to provide a response and notifications have been issued against them.

More details will be issued once the investigation is concluded.

Lastly, the Office notes that Aga Khan Hospital which had been issued an enforcement notice in October 2022 responded and is demonstrating compliance to the Data Protection laws.