The High Court has issued two significant judgments that sharpen the limits of how employers may collect, use and retain personal data in Kenya. These decisions demonstrate that privacy rights within the workplace are not suspended merely because one is employed, nor can organisations rely on administrative convenience, internal policy or managerial authority to override the safeguards embedded in the Constitution and the Data Protection Act. The courts expect employers to demonstrate transparency, accountability, meaningful engagement and strict adherence to statutory obligations every time they process employee data. These cases, one involving the commercial use of an employee’s image and the other concerning imposed facial recognition biometric systems, make it clear that the law will protect workers from unlawful data exploitation and from technology introduced without adequate consultation or safeguards.

1. The Moja Expressway case: consent ends when employment ends

In the case of Moja Expressway company versus Cyrus Mwaniki, a High Court appeal, the court confronted a common but deeply problematic assumption among employers. The company had used the image of its former sales employee in promotional videos long after the employment relationship had ended. Their defence was familiar. The employee had consented to the use of his image while he worked for them, and he had never expressly withdrawn that consent.

The court dismissed this argument outright. Consent that is rooted in the employment relationship is not permanent. Once the relationship ends, the legal basis that justified the initial processing collapses. An employer cannot continue to commercialise a former employee’s image as though nothing has changed. The High Court affirmed the decision of the Data Protection Commissioner, holding that fresh consent is mandatory once a person leaves employment.

The court further recognised that the harm arising from such unauthorised use is not limited to financial loss. It includes the exploitation of personal identity for commercial benefit without remuneration. The award of Kshs. 500,000 was therefore upheld as fair and reasonable. It served a clear purpose. It underscored that personal data is not a free resource and that commercial gain derived from unlawful processing will attract legal consequences.

The Moja Expressway decision therefore crystallised three principles. First, employment based consent is not transferable into the post employment period. Second, continued use of a former employee’s personal data demands new and explicit consent. Third, commercial exploitation of a person’s image without authority is actionable and compensable even where the injury is intangible.

2. The KBC facial recognition biometric system case: biometric data demands the highest level of protection

In the case of Kenya Union of Journalists v Kenya Broadcasting Corporation (KBC), the Court addressed the far more intrusive terrain of biometric data. The facts were stark. A mandatory facial recognition attendance system was introduced without consultation, without transparency, without disclosure of the data recipient, and without the Data Protection Impact Assessment that the law expressly requires for new technologies that carry high risk to data subjects.

The union representing journalists demonstrated that employees were not informed of how their facial data would be processed, who the third party vendor was, what safeguards existed, and whether their sensitive data could be compromised. Even cancer patients and medically vulnerable employees were compelled to use the system despite the absence of any information about associated risks. KBC ignored the objections and concerns raised.

The Respondent offered no defence. The High Court therefore examined the uncontested evidence and found clear violations of the Constitution and the Data Protection Act. The court emphasised that sensitive personal data, including facial recognition data, enjoys heightened protection. A Data Protection Impact Assessment is not optional. It is a mandatory safeguard whenever an organisation deploys intrusive technologies.

The court also linked the Respondent’s conduct to broader constitutional duties. It found breaches of Article 10, which requires participation, transparency and accountability. It found violations of Article 35, which entitles individuals to access information held by public bodies. It found a breach of Article 31, which protects the right to privacy. The outcome was decisive. The biometric system was quashed. The Respondent was prohibited from implementing it without full compliance. Most importantly, the court ordered the erasure of all facial biometric data collected.

3. What these judgments mean for employers and public bodies

Taken together, the two decisions reshape the legal landscape of workplace data governance in Kenya. The message is clear.

Consent is not eternal. It is specific, time bound and dependent on context. Once employment ends, consent premised on that relationship disappears.

Biometric data is sensitive and requires exceptional protection. A Data Protection Impact Assessment, transparency, disclosure of third party processors, and full employee consultation are not optional luxuries. They are mandatory legal duties.

Commercial exploitation of personal data without authority is unlawful. Courts are willing to award compensation even for intangible harm.

Public bodies face a heightened constitutional burden. They must demonstrate integrity, transparency and accountability when processing personal data.

These decisions reinforce a fundamental principle: personal data belongs to the individual, and the Constitution protects employees throughout the entire employment cycle from recruitment to exit. The Moja Expressway and KBC biometric rulings together signal a turning point, demanding greater discipline in data governance and reminding institutions that failure to comply carries real consequences that the courts are prepared to enforce.