Access to remedies in safeguarding rights to privacy & data

29 Nov 2022 10:45h - 11:45h

Event report

Across many jurisdictions, users who have been victims of a data breach lack effective remedies and access to justice. Ineffective regulatory enforcement and oversight of data protection are among the main issues that have prevented rights holders from seeking justice. Understanding the way different national and regional enforcement mechanisms can develop and the role of citizens’ rights in such mechanisms were the primary topics of discussion during the session.

Data violations have become rampant and it is thus imperative that citizens understand their rights. In the Kenyan legal framework, the Data Protection Act 2019 is the main law setting out how data controllers and processors are registered, while also providing complaint mechanism procedures under the Office of the Data Protection Commissioner (ODPC). Under Kenya’s reporting mechanisms, a complaint about a data breach can go through three steps. The first calls for an alternative dispute resolution (ADR), which encourages the parties to solve the issue through negotiation or arbitration. If the case is not closed in the first step, the second step is to address the complaint to the ODPC, which can be done online. If a decision is not reached, then the case is taken to the High Court.

In Uganda, the National Data Protection Office is an independent enforcement mechanism that was set up by the Ugandan government. This mechanism was implemented in May 2022, incorporating an automated system in which citizens can file their complaints online. Considering the difficulties and challenges when seeking remedies for a data breach, this mechanism has made seeking justice more efficient and more effective for victims. Once a complaint is filed, the office conducts an investigation and reaches a decision. If, however, the plaintiffs are not satisfied with the decision, it is possible to appeal. So far, the office has received more than 2,000 complaints indicating concerns over data protection.

In regard to digital services and platforms and AI, it is imperative to ensure localisation of remedies. Considering the difficulty in pointing out smaller entities, enabling effective localisation would assist in centralising technology. And while laws regulating data protection are available in Africa, the terminology used is inconsistent and it is thus imperative to work together with other stakeholders in adopting sufficient provisions. 

Financial inclusivity and non-discrimination should be significant aspects in providing effective rights to privacy, to ensure effective remedies for data breaches and access to justice. At the same time, governments should comply with data protection policies. This was seen in a case study presented from Kenya where, during elections, the government accessed citizens’ data to mislead the voting procedure.

As for enhancement of regulatory and oversight bodies, it should be ensured that controllers and processors are processing data legally, have a data protection assessment, and conduct privacy audits, among other safeguards.

By Bojana Kovac