The High Court in Nairobi has overturned a decision by the Office of the Data Protection Commissioner (ODPC) in a ruling that could significantly shape how companies handle data retention under Kenya’s Data Protection Act.
In Wananchi Group (K) Ltd v Victory Owino & ODPC (Civil Appeal No. E179 of 2024), Justice Kizito Magare allowed Wananchi Group’s appeal against a 2024 decision that had found the company in breach of data protection laws and ordered it to pay Kshs. 250,000 in compensation.
At the heart of the dispute was whether Wananchi Group (commonly known as Zuku) had the right to retain personal data of a former customer after they stopped using the service, but failed to return the company’s router. The ODPC had ruled that the data should be deleted, finding Wananchi in breach of Sections 25, 30, 32, 39, and 41 of the Data Protection Act.
Court Rejects ODPC’s Position
The High Court disagreed, holding that the contractual relationship between the parties had not been lawfully terminated since the router was never returned. Justice Magare emphasized that tribunals and regulators cannot re-write contracts between parties:
“A Court of law cannot re-write a contract between the parties. The parties are bound by the terms of their contract… save for special cases where equity might intervene.”
The Court noted that deleting data while the company’s equipment was still unreturned would leave Wananchi unable to enforce its contractual rights. This, the judge said, would lead to “absurd and impractical results.”
No Misuse of Data Proven
The Court further found no evidence that Wananchi misused the customer’s data. Communications between the company and the customer were limited to account-related issues, not promotional harassment as alleged.
Outcome and Costs
As a result, the High Court:
- Set aside the ODPC’s decision and compensation award.
- Dismissed the complaint against Wananchi.
- Ordered the 1st Respondent, Victory Owino, to pay Kshs. 65,000 in costs within 30 days.
Implications for Data Governance
This ruling clarifies a critical tension between data minimization and legitimate retention under Kenya’s Data Protection Act. It underscores that data controllers may lawfully retain personal data where contractual obligations are ongoing, particularly when company property is involved.
For regulators and businesses alike, the judgment highlights the delicate balance between protecting data subjects’ rights and respecting commercial agreements.