The Jurisprudence Review
Every published High Court decision reviewing an ODPC determination, read together, tells a coherent story about where Kenyan data protection law is heading. This is that story — the forum questions, the liability questions, the compensation questions, and what they mean for privacy rights in Kenya more broadly.
Ask what Kenyan law actually says about a data protection dispute, and until recently the honest answer was: mostly the statute, and very little else. That has changed. Since the Office of the Data Protection Commissioner began issuing six-figure compensation orders in earnest, a real body of High Court jurisprudence has grown up around it — appeals under Section 64 of the Data Protection Act, 2019, judicial review applications testing the ODPC's own process, and constitutional petitions invoking Article 31 directly. Twelve decisions now form the backbone of that jurisprudence. Individually, each is a case note. Read together, they answer the questions every data controller, complainant and advocate in Kenya is currently asking: where do I file, who is actually liable, how much is a breach worth, and what happens when the regulator itself is the one at fault.
The single clearest trend across all twelve rulings is that Kenyan courts will enforce the Data Protection Act's substance, but they police the ODPC's own process and jurisdiction with equal rigour.
Two decisions capture this most sharply. In one, the ODPC pressed ahead to a compensation award while a passenger's real grievance — a wheelchair never provided — was still working through the airline's own internal resolution process; the High Court set the award aside as an overreach into a dispute that was never really about data at all, and repeated a principle that now runs through the entire body of case law: a technical violation of the Act is not, by itself, evidence of compensable harm under Section 65. In another, a determination reached on the mistaken premise that a respondent had simply gone silent — when a response had, in fact, been emailed weeks earlier — was exposed as a live risk of relying on a single, unverified channel of service.
The throughline for any business facing an ODPC complaint: the Commissioner's investigative powers are real and increasingly well used, but they are not unlimited, and a determination built on an incomplete factual record or an overextended mandate does not survive appellate scrutiny.
Section 64 of the Act gives a statutory right of appeal from an ODPC determination — but four separate rulings confirm it is not the only door, and picking the wrong one can be fatal to an otherwise strong case.
The dividing line the High Court keeps drawing is between being heard and disagreeing with the outcome, and never being heard at all. The former is a Section 64 appeal. The latter — a party who was genuinely denied any opportunity to respond before a determination was made — is treated as an exceptional circumstance under Section 9(4) of the Fair Administrative Action Act, opening the door to judicial review instead. A separate ruling narrows the High Court's own jurisdiction further: where a data protection complaint is rooted in a contract of employment, it may belong before the Employment and Labour Relations Court under Articles 162(2) and 165(5), not before the High Court at all — and running an appeal and a judicial review against the same determination at the same time is treated as an abuse of process in its own right.
A third strand deals with constitutional petitions. Where the relief actually sought — a permanent injunction, a constitutional declaration, general damages for a constitutional violation — is something the ODPC simply has no power to grant, the doctrine that a complainant must first exhaust the ODPC's own remedies does not apply. And a party cannot use a jurisdictional objection as an afterthought: one ruling held that admitting a court's jurisdiction earlier in a pleading forecloses raising a jurisdictional objection later without first amending that pleading.
"I was heard but I disagree" → appeal. "I was never heard at all" → judicial review may be available. "The ODPC can't grant what I'm actually asking for" → a constitutional petition may be the only real route. "This is fundamentally an employment dispute" → check the ELRC's jurisdiction before filing anywhere else.
Three rulings settle recurring fintech and telco fact patterns, and together they are reshaping how compensation claims under Section 65 are argued and defended.
On liability, the position is now settled: a data controller cannot escape responsibility for unlawful processing carried out by its own sales agents acting within the scope of their delegated authority, and a controller that cannot produce its own agency agreements when asked should expect the court to draw an adverse inference against it. But settled liability has not meant unchecked quantum. The same rulings that affirm vicarious liability also revise ODPC compensation awards downward — sometimes substantially — on the basis that an award pitched at a level that risks the closure of a smaller respondent is punitive rather than compensatory, and that compensation must track actual proven damage or distress, not the size of the respondent's balance sheet.
A related question — who actually counts as a "data subject" — was tested where a man who had never been a customer of a SACCO kept receiving its account alerts after inheriting a recycled mobile number. The High Court held he was not a data subject in respect of that number at all, because no data about him, specifically, had ever been processed, and was blunt that the Act "should not be used as a cash cow" for the inconvenience of a recycled number. Read across all three rulings, the same two-part test keeps recurring: can the controller show its oversight of the agent relationship, and is the compensation figure actually tied to proven harm.
Two rulings look at the other side of the relationship — what happens when the regulator itself sits on a complaint, and what happens once it has actually issued a determination.
Where the ODPC acknowledges a complaint, assigns it a reference number, and then goes quiet well past the 90-day statutory determination window under Section 56(5), the High Court has confirmed that mandamus is available to compel action — and treated that statutory timeline as mandatory rather than aspirational. On the other side of an award, one ruling confirms that an ODPC determination is binding and enforceable as a court order under Regulation 14(5) of the Complaints Handling Procedure and Enforcement Regulations, that filing an appeal does not automatically suspend enforcement under Order 42 Rule 6, and that a respondent who wants breathing room must apply separately and promptly for a stay of execution.
Read alongside Article 31 of the Constitution, this case law is doing more than interpreting a single statute — it is defining how privacy rights actually get enforced in Kenya.
One useful data point comes from outside the ODPC process entirely: a shareholding dispute where a recording of a meeting was challenged on Article 31 and Data Protection Act grounds. The High Court held that an objector must actually demonstrate how their privacy was infringed — a bare invocation of the Constitution or the Act is not enough on its own, and questions about how evidence was obtained are typically for full trial rather than a preliminary skirmish. The practical effect is that Kenyan courts are treating the constitutional right to privacy and the statutory data protection framework as complementary but distinct: the Constitution supplies the underlying right and the standard for limiting it, while the Act and the ODPC supply the ordinary enforcement mechanism — with a constitutional petition reserved for the cases the statutory scheme genuinely cannot reach.
For anyone tracking Kenyan data protection cases, ODPC enforcement trends, or privacy rights litigation more generally, this is the clearest signal yet that Kenya's courts are building a genuinely Kenyan jurisprudence on data protection — not simply importing GDPR reasoning wholesale, but working out, case by case, how Article 31, the Data Protection Act, 2019, and the Fair Administrative Action Act fit together.
Kenyan courts are enforcing the Data Protection Act's substance and policing the ODPC's own process just as strictly — and treating the constitutional right to privacy as a distinct, higher-order right that the statutory scheme does not exhaust.
Quick answers to the questions we're asked most often about ODPC disputes and Kenyan data protection litigation — each grounded in the case law above.
The Office of the Data Protection Commissioner is Kenya's data protection regulator under the Data Protection Act, 2019. It investigates complaints from data subjects, issues determinations and compensation orders, and enforces the Act against data controllers and processors.
Between 2023 and 2026, the High Court has decided a growing number of appeals, judicial review applications and constitutional petitions arising from ODPC complaints — addressing procedural fairness, the correct forum for a dispute, vicarious liability of data controllers, how compensation should be quantified, and how ODPC awards are enforced. See our individual case notes on the Blog for all twelve rulings.
Courts require a claimant to demonstrate a specific, actual infringement of privacy rather than a bare invocation of Article 31 or the Act. Where the relief sought is one the ODPC has no power to grant, a claimant may proceed directly by constitutional petition instead of going through the ODPC first.
Not automatically. Several of the largest ODPC compensation awards reviewed so far have been reduced or set aside — most often for lack of proven damage or distress, undisclosed evidence in the ODPC's process, or a complaint that fell outside the ODPC's jurisdiction to determine.
The forum you choose and the procedural record you build in the first 30 days usually decide the outcome of an ODPC dispute — whether you are defending a complaint, appealing a determination, or enforcing an award that isn't being paid.
Muchangi Patrick & Co. Advocates represents complainants and respondents before the Office of the Data Protection Commissioner and on appeal, judicial review and constitutional petition before the High Court of Kenya.
This overview draws on all twelve rulings in our case-by-case digest. Jump directly to any decision: