1. Introduction
The case is in respect to the complainant, Brandon and Associates Advocates against the Truehost Cloud, an email hosting service provider on irregular handling and deletion of personal data against the complainant wishes. This action is against the Data Protection Act, 2019 provisions.
Table of Contents
2. Nature of Complaint
The parties were in a contract in Email Hosting Services for Cloudroom Mail, a service provided by the respondent. The complainant alleged that the respondent, in possession of the firm’s three work emails had them terminated and permanent deletion of data belonging to the complainant’s company on the contract expiry which entailed business and personal data.
3. Analysis of Evidence
Complainant’s Position
- Procured the email hosting services thereby creating two emails for the firm’s business engagement paying for the domain for a period of one year.
- Created third email for purposes of sending and receiving communication in respect of payment of legal fees by his clients.
- Invoiced on 3rd August 2023 due on 3rd September 2023 which the complainant settled on 4th September 2023.
- Continued using the email accounts until 16th September 2023 when he lost access to the accounts but later regained through customer assistance but all the data was deleted.
- The respondent justified to the complainant that process was in regard to the contract agreed.
- Availed practicing certificate, invoice, email threads and demand email.
Respondent’s Defense
- Sold the email service with complainant agreement to be bound by the term and conditions of the service.
- In complainant’s breach of agreement, automatically suspended the accounts and hence permanent loss of data on service expiry.
- Availed copies of terms of service and invoice, termination of service email and Respondent’s statement of compliance with the data protection laws.
4. Issues for Determination
- Whether there was a violation of the Act.
- Whether the Complainant is entitled to any remedies under the Act and the attendant Regulations.
5. Final Determination
The Data Commissioner found:
- The Respondent found liable for violation of the Complainant’s right to access his personal data.
- The Respondent ordered to Compensate the Complainant KES 250,000 for the unlawful processing of the Complainant’s personal data.
- The Respondent directed to delete the Complainant’s personal data from its systems and records within 7 (seven) days from the therein.
- Parties have the right to appeal the determination to the High Court of Kenya within thirty (30) days.
Orders:
- Compensation of KES 250,000 to the Complainant
- Deletion of personal data from respondent’s systems within 7 days
- Right of appeal to the High Court within 30 days
6. Significance and Impact
SMEs and Digital Transformation
- User-centric data retention will increase consumer confidence in the cloud. Conversely, inactions of the Cloud Service Providers might warn SMEs to maintain offline backups, potentially slowing cloud adoption.
Standard of Care for Cloud Service Providers
- Automated deletion without human intervention or specific warning is unlawful processing, it will force every Cloud Service Providers in Kenya to redesign their backend workflows to include mandatory data-retention buffers.
Impact on the Kenyan Digital Economy
- Hosting providers must implement adequate technical and organizational safeguards, failure to do so may lead to regulatory liability even without direct interaction with data subjects.
Broader Impact: Cloud infrastructure providers may bear responsibility for safeguarding personal data hosted on their systems. It strengthens regulatory oversight in Kenya’s digital ecosystem and contributes to emerging standards on accountability for technology service providers across Africa.