Log In
Join for free

Beyond ‘Legitimate Interest’: Why Liquid Telecom’s Data Defense Failed Under Kenyan Law

Beyond 'Legitimate Interest': Why Liquid Telecom's Data Defense Failed Under Kenyan Law

In a significant ruling by the Office of the Data Protection Commissioner (ODPC), Liquid Telecommunications Kenya Ltd. was held liable for serious violations of Kenya’s Data Protection Act, 2019. The case of Andrew Alston v. Liquid Telecommunications Kenya Ltd. (ODPC Complaint No. 1125 of 2025) underscores the critical importance of compliance with consent, purpose limitation, and the right to erasure in corporate data processing.

The Facts

The complaint arose from a consultation call between the complainant, Andrew Alston, and Liquid Telecommunications Kenya Ltd.’s HR representatives. During this call:

  • Mr. Alston explicitly refused consent for the recording
  • The HR representative acknowledged his refusal and assured him that the recording would be deleted immediately

Despite this assurance, the recording was later used as evidence in an arbitration case in South Africa involving Liquid Telecommunications Mauritius, a sister company. The complainant only became aware that the recording had been retained over a year later, resulting in legal costs of nearly USD 5,000 to object to its admissibility.

Respondent’s Defense

Liquid Kenya admitted the recording took place and that the complainant had refused consent. They argued that retention of the recording was justified;

  • Under legitimate interest (Section 30(1)(b)(vii)), to preserve an objective account of discussions due to the threat of international arbitration
  • The recording was securely retained and processing restricted for evidentiary purposes
  • No harm was alleged since the recording was ultimately withdrawn from the arbitration

ODPC Findings

After reviewing the facts, the ODPC made several key determinations

  1. Personal Data: The call recording, including the complainant’s voice, qualifies as personal data, specifically a biometric identifier
  2. Violation of Duty to Notify: The Respondent failed to provide proper notice of recording and processing, as required under Section 29 of the Act
  3. Unlawful Processing: The claim of “legitimate interest” failed the necessity test, as less intrusive methods, like written minutes, could have been used
  4. Breach of Purpose Limitation: The data collected for HR consultation was improperly repurposed for a sister company’s arbitration, violating Section 25(c)
  5. Right to be Informed and Right to Erasure: The Respondent ignored the complainant’s request for erasure and delayed notification of the retention, violating Sections 26(a) and 40

Orders and Remedies

The ODPC’s determination was decisive

  • Liability: Liquid Telecommunications Kenya Ltd. was found liable for contravening the Data Protection Act
  • Compensation: The company was ordered to pay the complainant KES 700,000
  • Enforcement Notice: The ODPC issued an enforcement notice against the Respondent to ensure compliance

The determination was dated 3rd November 2025 in Nairobi

Key Takeaways for Organizations

This ruling highlights several critical lessons for organizations operating in Kenya and across Africa

  1. Explicit Consent is Non-Negotiable: Recording personal data without consent is a clear breach, even if the intent is to preserve evidence
  2. Purpose Limitation Must Be Honored: Data collected for one purpose cannot be repurposed retroactively
  3. Right to Erasure is Enforceable: Organizations must honor deletion requests promptly and notify data subjects within a reasonable time if erasure cannot be fulfilled
  4. Legitimate Interest Requires Necessity and Proportionality: Retaining personal data under “legitimate interest” must pass a strict necessity test and demonstrate minimal harm to the data subject
  5. Transparent Communication is Crucial: Automated notifications alone do not meet the standards of Sections 29 and 26 of the Act

Conclusion

The Andrew Alston case reinforces that even well-intentioned practices can breach the Data Protection Act if consent, purpose, and rights are disregarded. For businesses operating in Kenya and the wider African context, this case is a reminder that robust data governance and compliance culture are not optional, they are legal imperatives

Organizations must ensure all HR, legal, and operational teams understand their obligations under the Data Protection Act and implement practical safeguards, including

  • Consent management
  • Purpose limitation audits
  • Transparent retention and deletion protocols

The ODPC continues to send a strong message that data protection rights are enforceable and breaches carry real financial and reputational consequences

Leave a Reply

Your email address will not be published. Required fields are marked *