Regus Kenya Data Protection Case: What Kenyan Businesses Can Learn About ODPC Compliance

In today’s digital economy, personal data is one of the most valuable assets a company can hold—and one of the riskiest to mishandle. The recent decision in Regus Kenya Limited v. Data Protection Commissioner [2025] eKLR (Civil Appeal No. E472 of 2023) serves as a powerful reminder that non-compliance with Kenya’s Data Protection Act, 2019, can have serious financial and reputational consequences.

Background of the Case

The case began when JN, a former client of Regus Kenya Limited, lodged a complaint with the Office of the Data Protection Commissioner (ODPC). The complainant alleged that Regus continued to send unsolicited automated marketing messages even after the termination of their commercial relationship. These messages, they claimed, infringed their constitutional right to privacy under Article 31 and contravened the Data Protection Act, 2019.

The ODPC issued a Complaint Notification to Regus on 27 October 2022, requesting a response to the allegations. After Regus failed to respond, the Commissioner sent a reminder notice on 11 November 2022. The company again remained silent.

Faced with continued non-compliance, the ODPC escalated the matter by issuing an Enforcement Notice on 16 February 2023, directing Regus to implement corrective measures within 30 days to ensure compliance with the Act. When Regus still failed to act, the Commissioner issued a Penalty Notice on 11 April 2023, imposing an administrative fine of Kshs. 5 million—the maximum allowable under Section 63 of the Act.

Regus’ Appeal and the High Court’s Decision

Regus sought an internal review of the enforcement and penalty notices, but filed it 40 days late, well outside the 30-day review period set out in Regulation 58(1) of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations. The Commissioner, therefore, dismissed the review as time-barred.

Regus then appealed to the High Court of Kenya at Nairobi (Milimani), arguing that:

  • The ODPC acted outside its jurisdiction by issuing the penalty after the 90-day limit in Section 56(5) of the Act.
  • The company was denied a fair hearing and fair administrative action under Article 47 of the Constitution.
  • The Kshs. 5 million fine was excessive and unjustified.

However, Justice A.C. Mrima upheld the Commissioner’s decision, finding that:

  • The 90-day period applies only after a complaint is formally admitted and investigations commence, not from the filing date.
  • Regus had been properly served with all notices but failed to respond or cooperate.
  • The ODPC acted lawfully and within its powers under Sections 58 and 63 of the Act.

While the Court affirmed the Commissioner’s findings and enforcement actions, it held that the Kshs. 5 million fine was harsh for a first-time offender. The penalty was therefore reduced to Kshs. 2.5 million, payable within 30 days, and Regus was also ordered to bear the costs of the appeal.

Key Legal Takeaways

  1. Timely Compliance Is Critical – Organizations must respond promptly to ODPC notifications and enforcement notices. Silence can lead to enforcement and penalties.
  2. Valid Consent and Data Use – Businesses must obtain consent before using personal data for marketing purposes, especially after a relationship ends.
  3. Clarified 90-Day Rule – The clock starts only once a complaint is admitted for investigation, not upon initial filing.
  4. Fair but Firm Penalties – Courts will uphold deterrent fines, ensuring they remain proportionate and fair.

Implications for Businesses in Kenya

The Regus Kenya case underscores that the ODPC actively enforces compliance and that data controllers and processors must maintain robust data protection policies, consent frameworks, and training programs.

To stay compliant, companies should:

  • Conduct periodic data-handling audits;
  • Maintain clear opt-in/opt-out consent records;
  • Appoint Data Protection Officers (DPOs), whether in-house or external;
  • Educate staff on their obligations under the Data Protection Act, 2019.

Conclusion

The Regus Kenya judgment marks a milestone in Kenya’s data privacy jurisprudence, affirming the ODPC’s authority and the judiciary’s support for strong privacy enforcement.

For all organizations handling personal data in Kenya, the message is clear: privacy compliance is not optional—it is a legal and ethical duty.

💼 Need Guidance on Data Protection Compliance?

At MasiboLaw, we help organizations navigate Kenya’s Data Protection Act, respond to ODPC investigations and enforcement notices, and design robust data-privacy compliance frameworks.

📞 Contact our Data Protection & ICT Law team:
📧 info@masibolaw.co.ke
🌐 http://www.masibolaw.co.ke
📱 +254 114 529 457

MasiboLaw – Trusted advisors in technology, privacy, and regulatory compliance.