
Is Posting Your Partner Online a Data Protection Violation?


Huruma and Pendo had been dating for a while. To celebrate their anniversary, Pendo surprised Huruma with a weekend getaway. Excited, Huruma posted a few pictures from their trip—one of Pendo laughing over dinner, another of them holding hands by the beach. It was a simple, heartfelt post.

A few months later, the relationship ended on a sour note. One evening, Huruma received a message from Pendo: “I didn’t consent to you posting my pictures. I’m reporting you to the ODPC for violating my privacy under the Data Protection Act!”

Huruma was stunned. Could she really be in legal trouble for sharing photos of her partner?

Understanding Data Protection: Who’s a Data Controller?  

To unpack this, let’s look at some key definitions from the Kenya Data Protection Act, 2019 (DPA):

🔹 Data Subject – The person whose personal data is being processed (in this case, Pendo).
🔹 Data Controller – The individual or entity that determines how and why personal data is processed.
🔹 Processing – Any action performed on personal data, including collection, recording, storage, or sharing (like posting on social media).

Since Pendo’s face is in the photos, he is the data subject. Since Huruma shared his pictures online, she did indeed process his personal data. But does that make her a data controller under the law?

The Household Exemption: When Data Protection Laws Don’t Apply  

The DPA does not apply to personal data processing done purely for personal or household affairs. That means if Huruma posted those pictures on her private social media for personal reasons, she wouldn’t be considered a data controller.

This principle was tested in the Lindqvist v. Sweden (CJEU – C-101/01) case, where the court ruled that data protection laws don’t apply to personal activities within private life—unless the data is used in a public or professional way.

Where Do We Draw the Line?  

So, how do we know when personal data use becomes regulated processing under the law? Here are some guiding questions:

✔️ Are you sharing data publicly, beyond your close friends and family?
✔️ Are you frequently posting personal data about others (not just yourself) in a way that suggests a professional or business purpose?
✔️ Are you working with others to process and distribute this data in an organized way?
✔️ Could your actions adversely impact someone’s privacy?

If yes, then your actions may fall outside the personal use exemption, and data protection laws may apply.

Huruma vs. Pendo: What’s the Verdict?  

Huruma did not break the law simply by posting photos of her partner on her personal page. However, if she were running a blog, using the photos for marketing, or widely distributing personal data beyond personal use, the situation could change.

Misinformation about data protection can create unnecessary panic. The DPA was designed to regulate organizations and entities that process personal data at scale, not personal interactions between individuals.
