The 90-Day Rule Under Kenya’s Data Protection Act

 In Data Protection

Section 56(5) of Kenya’s Data Protection Act provides that a complaint made to the Data Commissioner “shall be investigated and concluded within ninety days.” Although the provision appears straightforward, decisions of the High Court have demonstrated that its interpretation is anything but settled. Two decisions, Gichuhi v Data Protection Commissioner (2023) and Regus Kenya Ltd v Data Protection Commissioner (2025) offer contrasting approaches to the commencement and legal effect of the statutory timeline. Together, they reveal an evolving jurisprudence on administrative efficiency, jurisdiction, and the practical realities of regulatory enforcement.

In Gichuhi, the High Court adopted a strict textual approach. The complaint had been lodged with the Office of the Data Protection Commissioner (ODPC) on 20 July 2022, but the Commissioner’s determination was issued approximately six months later. The Court held that section 56(5) imposed a mandatory jurisdictional limit. The use of the word “shall” left no room for discretion, and the Commissioner’s authority to investigate and determine the complaint automatically expired upon the lapse of ninety days. Consequently, the determination was declared a nullity, having been made without jurisdiction.

The Court anchored its reasoning in well-established principles of administrative law. Jurisdiction is conferred by statute and cannot be expanded through administrative convenience, equitable considerations, or judicial interpretation. Once Parliament has prescribed a time-bound jurisdiction, neither the regulator nor the courts possess authority to enlarge it in the absence of express legislative power. Importantly, the Court rejected the Commissioner’s argument that delays by the complainants justified the extension of time, holding that two wrongs cannot make a right. The appropriate response to procedural difficulties, the Court observed, was not to disregard statutory limits.

The decision in Gichuhi was welcomed by many as reinforcing regulatory accountability. It incentivised prompt investigations, protected parties from prolonged uncertainty, and affirmed the constitutional values of legality, procedural fairness, and the rule of law. However, it also raised significant practical concerns. Complex complaints frequently require extensive correspondence, requests for further information, technical investigations, mediation efforts, and engagement with multiple parties. A rigid ninety-day countdown commencing immediately upon receipt of every complaint risked undermining thorough investigations and encouraging hurried decision-making.

These concerns became central in Regus Kenya Ltd v Data Protection Commissioner. Unlike Gichuhi, the dispute involved enforcement proceedings arising from alleged unsolicited electronic marketing communications. The appellant argued that the Commissioner lacked jurisdiction because the enforcement and penalty notices had been issued more than ninety days after the complaint was received. The High Court declined to adopt such a rigid interpretation.

Rather than reading section 56(5) in isolation, the Court examined it alongside the Data Protection (Complaints Handling Procedure and Enforcement) Regulations. The Regulations establish a structured process beginning with a preliminary review of every complaint. Following this review, the Commissioner may decline admission, admit the complaint, refer it elsewhere, facilitate mediation or alternative dispute resolution, conduct an inquiry, undertake investigations, or utilise another appropriate dispute resolution mechanism. The Court reasoned that the ninety-day period only becomes applicable where the Commissioner has completed the preliminary review, admitted the complaint, and elected to conduct investigations.

The Court further distinguished complaint investigations under section 56 from the Commissioner’s separate enforcement powers under sections 58 to 62 of the Act. Enforcement notices and administrative penalties, it held, operate within a distinct statutory framework and are not necessarily constrained by the ninety-day investigation period. Where a data controller ignores complaint notifications and enforcement notices, the Commissioner is entitled to exercise statutory enforcement powers without the limitation advanced in Gichuhi.

The significance of Regus lies not merely in reaching a different conclusion but in reframing the legal question. Rather than treating the filing of a complaint as the automatic trigger for the ninety-day countdown, the Court viewed complaint handling as a multi-stage administrative process. This interpretation arguably aligns more closely with the Regulations and accommodates the practical realities facing an emerging regulator charged with investigating increasingly sophisticated data protection disputes.

Nevertheless, the two decisions leave an unresolved tension in Kenyan data protection law:

  • Gichuhi treats section 56(5) as a strict jurisdictional deadline commencing upon receipt of a complaint.
  • Regus interprets the provision as applying only after the Commissioner has admitted the complaint and elected to investigate, while excluding enforcement proceedings from its scope.

Since both decisions originate from the High Court, neither overrules the other. The result is a degree of legal uncertainty for complainants, data controllers, and the ODPC itself.

Ultimately, the question extends beyond statutory interpretation. It reflects the broader challenge of balancing regulatory efficiency with procedural fairness and effective enforcement. Strict timelines promote accountability and protect parties against administrative delay, but excessive rigidity may impair the regulator’s ability to investigate complex matters effectively. Conversely, a more flexible interpretation facilitates robust investigations but risks weakening the certainty that statutory deadlines are intended to provide.

The issue is therefore ripe for consideration by the Court of Appeal or legislative clarification. Until then, Regus represents the more nuanced interpretation by harmonising section 56 with the broader statutory and regulatory framework, while Gichuhi remains an important reminder that statutory timelines are not merely aspirational but fundamental safeguards against administrative overreach.

 

Recent Posts