Introduction
In a landmark judgment, Metropolis Star Lab Kenya Ltd v Kioko & another (Civil Appeal E1140 of 2024) [2025] KEHC 8211 (KLR) (Civ) (12 June 2025) (Judgment), the High Court of Kenya has reaffirmed the centrality of fair administrative action and constitutional due process in regulatory proceedings under the Data Protection framework. The decision, delivered on 12th June 2025 by Hon. Justice A.C. Mrima, underscores the non-negotiable obligation of the Office of the Data Protection Commissioner (ODPC) to adhere to procedural fairness and alternative dispute resolution mechanisms when handling complaints.
This precedent-setting decision sets the tone for future enforcement action in Kenya’s growing digital economy and strengthens the constitutional guardrails surrounding personal data governance.
Background of the case
The Appellant, Metropolis Star Lab Kenya Ltd, challenged a determination by the Office of the Data Protection Commissioner (ODPC) which found it culpable of unlawfully processing the Respondents’ personal data (their telephone numbers) for marketing and advertisement purposes despite repeated opt-out attempts by the Respondents.
The ODPC initiated investigations that included a forensic audit of the 2nd Respondent’s phone and a site visit to the Appellant’s premises to review its databases and systems. Relying on its investigative report, the ODPC concluded that the Appellant had violated the Respondents’ right to object to data processing, awarded each Respondent Kshs. 250,000 in compensation, and issued an Enforcement Notice against the Appellant.
Aggrieved by the determination, the Appellant filed a Memorandum of Appeal on the grounds that the proceedings undertaken by the Office were unprocedural.
Determination
In its determination, the High Court relied on Articles 47 and 50(1) of the Constitution, which safeguard the right to fair administrative action and the right to a fair hearing, respectively. Drawing from the South African Constitutional Court's decision in President of the Republic of South Africa & Others v South African Rugby Football Union & Others (CCT 16/98), the Court affirmed that the right to fair administrative action is more than a codification of common law; it establishes a constitutional framework to ensure that administrative actions affecting individuals meet standards of fairness, transparency, and accountability.
The Court thoroughly reviewed the Report and noted two important issues. First, the Report did not explain how the forensic audit on the 2nd Respondent’s phone was conducted. Second, while the site visit to the Appellant’s premises was confirmed and the Appellant’s representatives participated, the Report offered no additional significant findings apart from those used in deciding the complaints.
When these observations are considered alongside the relevant legal requirements, it is evident that the investigation process did not meet the required standards. At the very least, the Appellant should have been notified before the forensic audit on the 2nd Respondent’s phone was carried out.
Additionally, a detailed report of the forensic audit should have been prepared and shared with the Appellant, allowing them an opportunity to review and respond to its contents, including presenting any evidence or challenges. Similarly, the Appellant should have been provided with the site visit report and given a chance to scrutinize and dispute the findings, with the opportunity to submit evidence in their defense.
The ODPC was obligated to consider the Appellant’s feedback on both reports before issuing any final determination.
Failure to Pursue Alternative Dispute Resolution
Regulation 15 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations mandates the ODPC to first promote alternative dispute resolution such as negotiation, mediation, or conciliation before formally hearing and determining any complaint. In the instant case, there was no evidence that the Data Commissioner engaged the parties in these alternative mechanisms.
Conclusion
The Court ultimately found that the ODPC acted in violation of the Constitution and statutory law by denying the Appellant a fair hearing and bypassing the prescribed complaint-handling procedures. The decision reinforces the principle that data protection enforcement must balance regulatory action with procedural fairness, transparency, and accountability. Regulatory bodies must strictly adhere to constitutional safeguards and legal processes in order to protect both data subjects and data controllers in Kenya’s maturing data ecosystem.
Implications for Organizations
This decision has far-reaching consequences for data controllers, processors, and the ODPC itself:
| Takeaway | Implication |
|---|---|
| Procedural safeguards are mandatory | Investigative and enforcement procedures must meet the standards of fair hearing and due process. |
| ADR is not discretionary | Regulators must exhaust alternative resolution pathways before escalating complaints. |
| Evidence disclosure is a right | Audit reports, site visit findings, and adverse material must be shared with the affected party. |
| Judicial oversight is robust | Courts will not hesitate to overturn administrative actions that breach constitutional and statutory safeguards. |
How CM Advocates LLP Can Support You
At CM Advocates LLP, our Data Protection, Privacy & Cyber Security Practice is uniquely equipped with multidisciplinary expertise to support corporates, SMEs, start-ups, public entities, and multinationals in navigating the digital and regulatory environment. Our services include:
1. Policy Drafting, Review & Registration Services
We offer comprehensive legal support in:
- Drafting and reviewing Privacy Policies, Data Protection Policies, Cookie Policies, and Data Retention Policies;
- Preparing data subject rights response templates, data processing agreements (DPAs), and third-party contracts;
- Advising on cross-border data transfer protocols and impact assessments;
- Facilitating registration of data controllers and data processors with the ODPC, ensuring full compliance with statutory and regulatory requirements.
2. Regulatory Compliance Advisory
We assist clients in designing, implementing, and auditing robust data governance frameworks aligned with the Data Protection Act, 2019, GDPR (where applicable), and industry-specific regulations. Our services cover:
- End-to-end compliance diagnostics and implementation support;
- Internal data protection impact assessments (DPIAs);
- Drafting internal compliance manuals and protocols;
- Sector-specific compliance solutions (e.g. fintech, healthtech, HR, education).
3. ODPC Investigations & Legal Representation
We provide end-to-end legal representation in dealings with the Office of the Data Protection Commissioner (ODPC), including:
- Preparing responses to complaints, investigation notices, and enforcement letters;
- Attending hearings and managing ODPC inquiries;
- Ensuring procedural fairness, rights to evidence, and adherence to statutory safeguards;
- Negotiating resolution terms and administrative settlements.
4. Alternative Dispute Resolution (ADR) Facilitation
We proactively engage in negotiation, mediation, and conciliation of data-related disputes, in line with Regulation 15 of the Complaints Handling Procedure. Our goal is to:
- Preserve reputational integrity;
- Minimize litigation risk and legal costs;
- Promote swift, fair, and confidential dispute resolution.
5. Training, Capacity Building & Awareness
We offer tailored training programs to equip leadership, DPOs, and staff with:
- Practical understanding of lawful processing, consent management, and breach protocols;
- Tools for managing emerging risks such as AI ethics, cybersecurity vulnerabilities, and phishing scams;
- Awareness sessions to build a privacy-first culture across the organization.
6. Litigation, Appeals & Judicial Review
Our litigation team provides strategic legal redress for clients facing:
- Unfair enforcement notices;
- Arbitrary penalties;
- Procedural breaches by regulators.
We routinely file appeals, judicial review applications, and constitutional petitions to defend our clients' interests before Kenyan courts and tribunals.
Our commitment is to ensure that your business stays ahead of evolving data governance risks—proactively compliant, legally secure, and digitally resilient.
Legal Support at Your Fingertips
For bespoke legal support or to explore how this judgment may impact your organization’s compliance strategy, enforcement risk, or governance frameworks, please reach out to our dedicated team of data privacy and regulatory law specialists:
CM ADVOCATES LLP
Data Protection, Privacy & Cyber Security Unit
📧 Email: law@cmadvocates.com
📞 Tel.: +254 716 209 673
🌐 Website: www.cmadvocates.com