The Jurisprudence Review Vol. II
Our first jurisprudence review mapped twelve decisions on ODPC determinations. This second review looks at nineteen further High Court rulings that push Article 31 privacy rights into succession disputes, neighbour disputes, employment disputes, business acquisitions, and — for the first time — the regulation of artificial intelligence. Read together, they show how far Kenyan privacy law now reaches beyond the Data Protection Act's own complaints process.
Volume I of this review asked a narrow question: how is the High Court handling appeals, judicial reviews and petitions arising directly out of ODPC determinations? Volume II asks a wider one. Once Kenyan litigants realised Article 31 of the Constitution could do independent work — not just as a gateway into the Data Protection Act, but as a freestanding right — they began raising it everywhere: in succession causes over DNA testing, in neighbour disputes over surveillance and WhatsApp groups, in employment and business-sale disputes over commercial use of a person's image, and in a landmark petition over the absence of any AI regulatory framework at all. Nineteen further 2026 KEHC decisions now answer, in practical terms, when a privacy claim needs to go through the ODPC first, when it can bypass the ODPC entirely, and what counts as protectable personal data outside the Act's own definitions.
The single most common outcome across this second batch of rulings is dismissal or striking out — not because the underlying grievance was weak, but because the claimant went to the High Court before the ODPC.
Five separate petitions fell on this ground alone. A petitioner who alleged his phone messages were used without authorisation in a Succession Cause was told this was a collateral attack on proceedings already before another court. An advocate sued personally over documents he filed for a client was struck out because he was acting as agent, not as a wrongdoer in his own right, and because the real complaint was again a disguised attack on an evidentiary ruling elsewhere. A university employee who filed a constitutional petition just four days after lodging an ODPC complaint on the same facts was found to be forum shopping. A petitioner opposing an ODPC-adjacent objection on mental incapacity nonetheless lost on the separate, cleaner ground that clear statutory remedies existed and had not been tried. And a former employee whose image was kept on a company website after resignation lost entirely because he never approached the ODPC at all before petitioning.
The pattern across all five is consistent: Kenyan courts are not hostile to privacy claims, but they insist on the right sequence. A constitutional petition that could have been an ODPC complaint, or that collaterally attacks a decision already made elsewhere, will not survive a preliminary objection.
Before drafting a privacy petition, ask three questions: has this been raised, or could it be raised, in another proceeding already under way? Has a complaint been lodged with the ODPC? And is the relief sought something the ODPC could actually grant? A "no" to the first two, or a "yes" to the third, means the petition is not yet ripe.
Four rulings on almost the same fact pattern — a business keeps using someone's photo commercially after the relationship that produced it has ended — together map out exactly what counts as valid, ongoing consent.
Where a business could not point to anything beyond a general notice at a venue entrance, or simply asserted implied consent from an old photoshoot, the claims succeeded: an advocate photographed at a business's premises was awarded Kshs 1.5 million after the Court held a blanket entrance notice is not specific, informed consent to commercial use; a former employee whose image was still being used years after his termination succeeded on the basis that consent to being photographed during employment does not survive indefinitely; and a company that acquired a competitor as a going concern was found liable for continuing to display a former employee's image, because consent to the seller does not automatically transfer to the buyer or extend to a new commercial purpose, though the compensation was trimmed on appeal as excessive. Where a business instead produced a signed consent letter and a contemporaneous WhatsApp approval of the final image, the claim failed outright — allegations of forged consent must be specifically pleaded and proved, not simply asserted.
Read together, these four rulings settle a genuinely practical question for any Kenyan business that uses staff, client or visitor images commercially: consent is purpose-bound and time-bound, the burden of proving it rests on whoever wants to keep using the image, and a documented, specific authorisation is the only reliable protection once someone leaves, a business changes hands, or years pass.
Three rulings extend Article 31 protection into territory the Data Protection Act does not squarely cover at all — recognising new categories of protectable personal information outside the Act's own definitions.
The most significant is a petition brought by prisoners over the unregulated reassignment of deactivated mobile numbers. The High Court held that a registered mobile number is itself a "digital identifier" attracting Article 31 protection, and ordered the Attorney General to develop safeguards against unfettered reassignment — with a hard deadline and a default order if nothing was done. A second ruling addressed neighbourhood harassment: persistent calls, secret filming of a residence, and a WhatsApp group set up specifically to discuss a resident were held to violate Articles 28 and 31, with damages of Kshs 1 million awarded, even though none of the respondents was a data controller in any conventional sense. A third, in a succession dispute, saw the Court decline to order a DNA test on a minor, holding that compelled genetic testing implicates both privacy and bodily integrity and will not be ordered where the underlying legal question can be resolved without it.
None of these three cases involved the ODPC at all. Together they confirm that Article 31 functions as a freestanding constitutional right that Kenyan courts will apply directly to new categories of personal information — digital identifiers, surveillance footage, genetic material — as they arise, rather than waiting for the Data Protection Act to catch up.
The final strand of this volume clarifies exactly how the High Court's data protection jurisdiction sits alongside the ODPC's, and shows the judiciary's first substantial engagement with regulating artificial intelligence.
One ruling put to rest, in the clearest terms yet, an argument data controllers had been raising in preliminary objections: that the existence of the ODPC strips the High Court of jurisdiction over data protection claims entirely. The Court rejected this as "mistaken and misconceived," describing the High Court's jurisdiction as staggered rather than absent — the ODPC investigates and determines first, and the High Court's constitutional role follows, either on appeal or through adoption and enforcement of the resulting award. A separate ruling confirmed that the right of access to information under Article 35 extends to private entities, not just public bodies, where the information is needed to protect a right, and that using a relative's KRA PIN to file statutory returns without their knowledge is an independent violation of Article 31.
The most closely watched decision, however, is the first Kenyan ruling to squarely engage with regulating artificial intelligence. Petitioners sought a broad moratorium on "high-risk" AI systems generally. The Court declined to issue anything so undefined, but recognised the underlying case for AI regulation, granted leave to amend the petition to name specific systems, joined the Kenya National Commission on Human Rights, and adopted a structural interdict requiring the government to file periodic reports on progress toward an AI regulatory framework. It is a template — specificity required, but active judicial oversight guaranteed — that is likely to shape how AI regulation litigation proceeds in Kenya well ahead of any dedicated statute.
The High Court's data protection jurisdiction is deferred to the ODPC, not surrendered to it — and Kenyan courts are already applying the same constitutional privacy toolkit built for the Data Protection Act to entirely new questions, from recycled phone numbers to artificial intelligence.
Quick answers to the questions we're asked most often about privacy litigation and ODPC disputes in Kenya — each grounded in the case law above.
In most cases, yes. Kenyan courts have dismissed or struck out several petitions filed without first lodging an ODPC complaint, including one filed only four days after a complaint was submitted on the same facts. The exception is where the petition raises a genuine constitutional question the ODPC cannot resolve, or seeks a remedy the ODPC has no power to grant.
Generally no, without fresh, specific consent. Consent given for a photoshoot during employment does not extend indefinitely, and does not transfer automatically to a new owner if the business is sold. Continued commercial use without fresh authorisation has resulted in damages awards running into the millions of shillings. See our individual case notes on the Blog for the four rulings on this point.
Yes. The High Court has recognised a registered mobile number as a digital identifier protected under Article 31 of the Constitution, and ordered the government to develop safeguards against unregulated reassignment of deactivated or recycled numbers.
No. The High Court has confirmed its jurisdiction over data protection claims is "staggered," not absent — the ODPC investigates and determines first, and the High Court's role, on appeal or in enforcing the resulting award, remains fully intact.
There is no dedicated AI statute yet. In 2026, the High Court declined to issue a broad moratorium on undefined AI systems, but recognised the need for regulation, ordered the petition amended with specific systems named, joined the Kenya National Commission on Human Rights, and required government progress reports — an active oversight approach pending fuller legislation.
Whether the question is exhaustion, consent, digital identity or a straightforward ODPC appeal, the forum you choose and the evidence you can produce usually decide the outcome.
Muchangi Patrick & Co. Advocates represents complainants and respondents before the Office of the Data Protection Commissioner and on appeal, judicial review and constitutional petition before the High Court of Kenya.
This overview draws on all nineteen rulings in our Volume II case-by-case digest. Jump directly to any decision: