Kenya’s Office of the Data Protection Commissioner (ODPC) has issued a landmark final determination in the case of Aaditi Rajput v Diamond Trust Bank Kenya Limited and Diamond Trust Bank Uganda Limited, reinforcing the growing framework for cross-border data protection enforcement in East Africa.
The determination marks a significant moment for regional cooperation on privacy rights, particularly where personal data is processed or disclosed across multiple jurisdictions.
Compensation Ordered for the Complainant
The ODPC found both the Kenyan and Ugandan entities of Diamond Trust Bank liable for violating the complainant’s data protection rights. The Commissioner ordered the following remedies:
- DTB Kenya to pay KES 250,000 as compensation.
- DTB Uganda to pay KES 250,000 as compensation.
- An Enforcement Notice was issued to DTB Uganda to ensure corrective action.
- Right of Appeal: All parties may appeal the determination to the High Court of Kenya within thirty days.
This ruling underscores the ODPC’s position that individuals must have access to redress even when their data travels beyond national borders.
How Regional Collaboration Made the Case Possible
A notable feature of this determination is the coordinated work between Kenya’s ODPC and the Personal Data Protection Office (PDPO) of Uganda. The collaboration helped overcome one of the most common hurdles in cross-border data protection cases. Regulators often struggle to compel responses from entities located outside their jurisdiction.
Key cooperation steps included:
- The ODPC requested the PDPO to assist with initiating an investigation into DTB Uganda.
- The PDPO formally wrote to DTB Uganda, attaching the Notice to involve them in the complaint.
- This compelled DTB Uganda to submit a response to the ODPC, enabling the case to proceed fairly.
This joint action demonstrates a promising model for regional enforcement, proving that regulators in East Africa are increasingly willing to support each other when data subjects are affected across borders.
Implications for East African Regulators and Businesses
The decision highlights a few important trends:
- Emerging regional coordination: Kenya and Uganda are showing that collaboration is practical and effective even without a fully harmonized regional privacy framework.
- Raised compliance expectations: Multinational businesses operating across East Africa must now anticipate scrutiny from more than one regulator when handling personal data.
- Growing protection for data subjects: Individuals are gaining stronger avenues to seek redress regardless of where their data is processed.
This case will likely serve as a reference point for future cross-border matters, especially as the region moves toward deeper digital integration.