Q I am a member of several social media groups, like WhatsApp and Facebook, where I share/give (and receive) personal information and data about me, my family, my connections, and generally my life. Are there legal limits to other members sharing what I have shared, basically to legally protect my personal stuff?
A Kenya’s Data Protection Act (DPA) defines personal data processing to include several/various actions/acts performed with/on such data, including collecting, accessing, storing, retrieving, using, sharing (transmitting) disclosing etc. In principle, all data processing activities must be carried out in-keeping with data protection principles and data subjects’ rights in section 25 and 26 of the DPA. The principles include data minimisation, lawfullness and transparency, accuracy, and observing data subject’s privacy right.
There are a few exceptions to the requirement to follow the DPA’s principles and rights. These include where the data processing “relates to processing of personal data by an individual in the course of a purely personal or household activity”. This ‘household exception‘, though seemingly clear, becomes grey in the face of social media where household can extend to the whole world in the context of personal data shared in social media groups.
In a private/closed WhatsApp groups, all ‘members’ (not only the Admin) become data processors soon as they join. In determining the data protection limits in such groups, it is important to distinguish between instances when a group member gives (by sharing) their personal data to other members, and instances where a member gives (by sharing) personal data of a third party- member or not- to the other group members.
In the first case, where a member of a private/close WhatsApp group shares his personal data, he inherently consents to the other members processing this data. Note however that the extent to which the other group members can process the data may be limited expressly or by implication depending on the context. For example, if member Lisa shares pictures of her family on holiday in Mykonos for purposes of showing (or showing off) others the beautiful places they visited and how happy they were, can imply consent only to view, perhaps store and retrieve the pictures, but does not imply consent to group members to further share with third parties (like KRA) or on other platforms. As such, even with members self-sharing their personal data with the group, the limits and extent of those other members data processing is unclear.
Contrast this with public social media groups and pages, such as non-closed social media groups. If a group member shares his personal data with other group members, the fact that the group can essentially (theoretically) be comprised of the general public, implies that the sharer, the data subject, consents to a wide range of data processing activities by the general public (infinite number of individuals), including sharing widely.
On the other hand, when personal data of a non-member is shared on a WhatsApp group by a member (whether or not it carries a seeming liability exclusion like ‘forwarded’), there probably no way any of the other members can be certain of the limits of permissible processing activities because of lacking context of the data subject’s consent.
As Kenya’s law currently stands, it is therefore advisable to:
- avoid sharing, forwarding, posting messages that contain personal data or even personal identifiable information of third parties;
- share your personal data knowing that the extent and limits of data processing by other group members is grey (but feel free to expressly state the limits as necessary, eg do not share or forward);
- use available means to limit processing activities by other members of the personal data you have shared, eg using ‘disappearing messages’ or expressly stating the limits as necessary, eg ‘do not share or forward’ etc
Room for clarity through Regulations
It would be helpful if the Regulations under the DPA, once in force, provide guidance on the household exception, much like a proposed amendment to GDPR, similarly to clarify the extent, scope and limits of this exception, which currently reads as follows:
“This Regulation should not apply to processing of personal data by a natural person, which is exclusively personal or domestic, such as correspondence, the holding of addresses of personal contacts or the use of social network sites that is outside the pursuit of a commercial or professional objective. In determining whether the processing falls within the exemption, consideration should be given to whether the personal data is disseminated to an indefinite number of persons, rather than to a limited community of friends, family members or acquaintances; whether the personal data is about individuals who have no personal or household relationship with the person posting it; whether the scale and frequency of the processing of personal data suggests professional or full-time activity; and whether there is evidence of a number of individuals acting together in a collective and organised manner. The application of the exemption is constrained by the need to guarantee the rights of third parties, particularly with regard to sensitive personal data. In this connection, account should be taken of the extent to which a natural person might be liable according to the
provisions of other, relevant national civil or criminal laws, e.g. defamation. The exemption should not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities. The supervisory authorities shall in all cases have the power to investigate whether particular processing falls within the scope of the exemption.”
However, as Kenya’s law currently stands, it is therefore advisable to:
- avoid sharing, forwarding, posting messages that contain personal data or even personal identifiable information of third parties;
- share your personal data knowing that the extent and limits of data processing by other group members is grey (but feel free to expressly state the limits as necessary, eg do not share or forward);
- use available means to limit processing activities by other members of the personal data you have shared, eg using ‘disappearing messages’ or expressly stating the limits as necessary, eg ‘do not share or forward’ etc
Photo by Sara Kurfeß on Unsplash