Kenya Union of Journalists v Kenya Broadcasting Corporation (Judicial Review Miscellaneous Application E355 of 2025) [2025] KEHC 17216 (KLR) (25 November 2025) (Judgment)

Key Facts

Issues

• The court considered the appropriate judicial remedies, including declarations of illegality, orders of prohibition to halt implementation, certiorari to quash the decision, mandamus to compel data erasure, and cost allocations. The respondent conceded the application, necessitating the court to formalize these orders while ensuring compliance with data protection obligations.
• The court determined whether the Kenya Broadcasting Corporation's introduction of a mandatory biometric attendance system, using facial recognition technology, violated constitutional requirements (Article 31 privacy rights, Article 10 public participation, Article 35 right to information) and statutory obligations under the Data Protection Act 2019 and related regulations. Key issues included lack of consent, absence of Data Protection Impact Assessment (DPIA), failure to disclose information to data subjects, and non-compliance with transparency and accountability principles.

Holdings

• The court ordered KBC to delete all biometric data collected from employees, which were unlawfully obtained and stored by an unknown third party. The Data Protection Commissioner was directed to supervise the deletion process in the presence of the applicant's representatives and report compliance to the court.
• The court declared that the rollout of the Biometric Attendance System by Kenya Broadcasting Corporation (KBC) without consent, transparency, or a Data Protection Impact Assessment (DPIA) violated Article 31 of the Constitution and the Data Protection Act, 2019. It further declared that KBC's refusal to consult employees, provide information on the system's use, and disclose details about the service provider breached constitutional principles of public participation, transparency, and accountability under Articles 10(2)(a) and (c), 35(2), and the Data Protection (General) Regulations. The court issued orders to prohibit further implementation of the system without proper compliance, quashed the decision to rollout the system, and mandated the deletion of unlawfully collected biometric data.
• The court dismissed claims for costs, as both parties were to bear their own expenses due to KBC's concession to the application. A follow-up court mention was scheduled for 21 January 2026 to confirm compliance with the data deletion orders.

Remedies

• The court issued a declaration that KBC's refusal to consult data subjects despite repeated requests breached Article 10(2)(a) of the Constitution, which mandates public participation in crucial decision-making processes.
• The court declared KBC's refusal to provide information about the system's use and data processing violated data subjects' right to information under Article 35(2) of the Constitution.
• The court prohibited KBC from implementing the facial biometric attendance system without obtaining staff consent, providing information, addressing concerns, and conducting a Data Protection Impact Assessment (DPIA).
• The court mandated KBC to delete, erase, and destroy all unlawfully collected biometric data from employees, which were obtained without consent and stored by an unknown third party.
• The court quashed KBC's decision to rollout the biometric system due to non-compliance with consent requirements, information disclosure, and DPIA obligations under the Data Protection Act.
• The court directed the Data Protection Commissioner to supervise KBC's data erasure process in the presence of the applicant's representatives and report compliance within 30 days.
• The court declared the introduction and rollout of the Biometric Attendance System by Kenya Broadcasting Corporation (KBC) as unlawful for violating constitutional and statutory data protection rights, including Article 31 of the Constitution and Sections 25, 26, 29, 30, 31, 32, and 36 of the Data Protection Act, 2019.
• The court declared KBC's failure to disclose the identity and procurement process of the biometric system's service provider violated Article 10(2)(c) governance principles of transparency and accountability.

Legal Principles

Precedent Name

Cited Statute

• Constitution of Kenya, 2010
• Fair Administrative Action Act
• Data Protection Act, 2019
• Data Protection (General) Regulations
• Fair Administrative Action Rules, 2024

Judge Name

Passage Text

• An order of mandamus is hereby issued compelling the Respondent to delete, erase and destroy the personal biometric data collected from the employees data subjects which are now in the hands of an unknown third party, having been unlawfully obtained.
• A declaration is hereby issued declaring that the introduction and rollout of the Biometric Attendance system without obtaining the consent of the data subjects; Mailing to provide any pertinent information to the data subjects on the processing of their data; ignoring the data subjects' objections and concerns on the processing of their data; and failing to carry out a Data Protection Impact Assessment prior to the rollout of the system violates Article 31 of the Constitution and Sections 25, 26, 29, 30, 31, 32 and 36 of the Data Protection Act, 2019 and Regulations 4, 25(c) and (d), 30, and 36(a) (b) (d) of Data Protection (General) Regulations.
• This Court therefore expects strict and demonstrable compliance with the Data Protection Act going forward... The right to privacy is not aspirational; it is a firm constitutional guarantee... anything less amounts to an unconstitutional intrusion.