Striking the Balance: Constitutional Guarantee or Statutory Mechanism?

This updater raises an argument that while the right to privacy is constitutionally guaranteed in Kenya and Tanzania, enforcement primarily occurs through statutory and civil mechanisms, with constitutional litigation serving as a remedy of last resort.

In the recent decision of Ndung'u & Another (the Petitioner) v. Wachira & Another (the Respondent) [2025] KEHC 7265, the High Court of Kenya (the HCK) reaffirmed that constitutional petitions should not be the first recourse where statutory remedies exist. The HCK emphasised on the doctrines of exhaustion of remedies and constitutional avoidance, highlighting the role of regulatory institutions in addressing data protection disputes while reserving constitutional intervention for cases where statutory mechanisms are insufficient.

This updater examines the relevance of this decision  to Tanzania’s personal data protection framework. It explores the statutory framework established by the Personal Data Protection Act, Cap. 44 R.E. 2023 ( the PDP Act), the Personal Data Protection (Personal Data Collection and Processing) Regulations GN No. 499C of 2023 (the Collection and Processing Regulations), the Personal Data Protection (Complaints Settlement Procedures) Regulations GN No. 449B of 2023 (the Complaints Settlement Regulations) (as amended), and the constitutional framework under both the Constitution of the United Republic of Tanzania, R.E 2023 (the Constitution of the URT) and the Basic Rights and Duties Enforcement Act  Cap. 3 R.E. 2023 (the BRADEA). 

Facts of the Case

The Petitioners alleged that the Respondents had produced and published a song on YouTube using their names and images without consent. They further contended that the content contained defamatory statements concerning their personal and family matters. Moreover, the Petitioners argued that these acts amounted to a breach of their constitutional rights to dignity and privacy enshrined under article 28 and 31 of the Constitution of Kenya, 2010, and sought both declaratory and injunctive relief against the respondents.

In response, the Respondents raised a Preliminary Objection (P.O), asserting that the petition was improperly filed before the HCK. They argued that alternative remedies were available under the Kenya Data Protection Act of 2019, specifically under Section 56, the Media Council Act, or through civil claims such as defamation or invasion of privacy, and that these remedies should be exhausted before resorting to constitutional litigation.

Legal Issues

In resolving the matter, the HCK (Mwamuye J.) was called upon to consider the following issues:

(a) whether the Petitioners could invoke the HCK’s constitutional jurisdiction, or whether the Respondents’ PO had merit; and

(b) whether the Petitioners had demonstrated entitlement to the interlocutory relief sought in their two applications.

Holding of the HCK

The HCK struck out the  petition, holding it was improperly filed as the Petitioners had not exhausted alternative statutory and civil remedies for alleged privacy and defamation violations. Additionally, the Respondents’ P.O was upheld, noting that the dispute involved private individuals and could be addressed under the Kenya Data Protection Act, the Media Council Act, or through other civil actions. The HCK emphasized that constitutional jurisdiction cannot bypass ordinary legal channels, and no exceptional circumstances justified direct recourse. 

Kenya’s Approach to Addressing Data Protection Disputes 

The Data Protection Act, 2019 (the DPA) establishes the Office of the Data Protection Commissioner (the ODPC) as the principal authority for addressing grievances arising from the processing of personal data. The DPA is further reinforced by the 2021 Regulations, namely the Data Protection (General) Regulations, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, and the Data Protection (Complaints Handling and Enforcement Procedures) Regulations (the Complaints Regulations). 

The Complaints Regulations set out structured procedures for the reporting of complaints and their investigation and resolution by the ODPC. Regulation 4 of the Complaints Regulations provides that a complaint may be lodged with the ODPC in the prescribed form. The complaint must set out:

(a) the particulars of the complainant; 

(b) the nature of the complaint; 

(c) the remedy sought; and

(d) any steps already taken in relation to the matter.

Upon receipt of a complaint, the ODPC is required to acknowledge the complaint, assess its admissibility, admit the complaint or, where appropriate, advise if jurisdiction lies with another body or institution, and, if admissible, proceed with investigation. 

Upon conclusion of its investigations, the ODPC must issue a determination setting out its decision and granted remedies which may include the issuance of enforcement notices, administrative fines, compensation orders, or other remedial measures as appropriate. Administrative actions of the ODPC may be challenged before the High Court. This safeguards the principles of procedural fairness and due process.

Notably, while the right to privacy is expressly guaranteed under Article 31 of the Constitution, the Kenyan legal framework also recognises other statutory mechanisms through which privacy-related claims may be pursued. For instance, the Defamation Act (Cap. 36) protects individuals from injury to reputation caused by libel, slander, and other malicious falsehoods, with such claims pursued as civil actions under the Civil Procedure Act (Cap. 21) and the Civil Procedure Rules, 2010. 

Additionally, the Computer Misuse and Cybercrimes Act (Cap. 79C) reinforces the right to privacy by identifying its protection as a core objective alongside preventing unlawful computer use and addressing cybercrime.

Taken together, these constitutional and statutory safeguards underscore that privacy in Kenya is not only a fundamental right but also a legally enforceable entitlement protected through multiple complementary avenues. At the core of this framework, however, the DPA remains the primary instrument governing the protection of personal data and providing mechanisms for the resolution of data protection disputes. 

Tanzania’s Approach to Addressing Data Protection Disputes 

Before the enactment of the data protection framework in Tanzania, individuals seeking remedies for personal data privacy breaches were largely confined to constitutional intervention. This position has since changed with the enactment of the PDP Act, which established the Personal Data Protection Commission (the Commission) as the principal forum for addressing personal data privacy grievances. The framework is further reinforced by the Collection and Processing of Personal Data Regulations and the Complaints Settlement Regulations, which operationalise the PDP Act and provide clear procedures for handling complaints.

Regulation 4(1) of the Complaints Settlement Regulations, requires complaints to be lodged with the Commission using Form No. 1, as prescribed under  the Schedule to the Complaints Settlement Regulations. Additionally, complaints may be submitted orally and subsequently reduced to writing by the Commission using the prescribed form, as per Regulation 4(2) of the Complaints Settlement Regulations. Regulation 5(1) further requires that a complaint should establish a cause of action, be submitted within the statutory timeline, not involve a matter pending before any court, tribunal, arbitration, or quasi-judicial body, fall within the scope of the PDP Act, and demonstrate that the complainant has locus standi, in order for it not to be rejected. Upon receiving a complaint, the Commission evaluates it to determine its propriety and compliance with the PDP Act and the Collection and Processing Regulations.

The Commission is empowered to investigate complaints, issue enforcement notices, and make awards that are enforceable as orders of the High Court of Tanzania. Moreover, the Complaints Settlement Regulations also provide a right of appeal to the High Court of Tanzania (the HCT) against decisions of the Commission, thereby ensuring judicial oversight and reinforcing due process.

Nevertheless, despite the right to privacy being a constitutional right guaranteed under Article 16 of the Constitution of the URT , the Tanzanian legal system also recognises other statutory avenues for privacy-related claims. For instance, Part V of the Media Services Act, Cap. 299 R.E. 2023 (the MSA), along with the Media Services (Defamation Proceedings) Rules, 2019 (the MSR), sets out a specific procedure for bringing privacy claims related to defamation. Rule 4(1) of the MSR provides that proceedings under Part V of the MSA must be instituted by way of a petition in Form DP, as set out in the Schedule to the MSR. Similarly, the Civil Procedure Act, Cap. 33 R.E. 2023, offers an additional pathway for instituting civil proceedings, further underscoring that, although privacy is a constitutional right there are other  statutory avenues that play a crucial role in ensuring its enforcement.

Recent jurisprudence illustrates this shift. For example, in Safari Automotive Limited v. Godwin Danda, Civil Appeal No. 978 of 2024 (arising from the District Court of Kinondoni, Civil Case No. 86 of 2022), the matter proceeded as a civil claim rather than a constitutional petition, illustrating the shift towards statutory and ordinary civil remedies. Similarly, the Commission has already assumed a decisive role, as illustrated in Abdul Said Naumanga v. Mi Casa Company Limited, Complaint No. 08 of 2024, which it addressed directly under the Personal Data Protection framework.

In both Kenya and Tanzania, the enforcement of constitutional privacy rights is closely tied to the principle of exhaustion of remedies. While the Constitution of the URT guarantees the right to privacy, this right is typically enforced through established procedural channels rather than direct constitutional litigation. Section 4(1) of the BRADEA provides that any person alleging a contravention of constitutional rights may apply to the HCT for redress, without prejudice to other lawfully available remedies. Similarly, Section 8(2) of the BRADEA empowers the HCT to decline jurisdiction where adequate statutory remedies exist. Consequently, as in Kenya, constitutional litigation in Tanzania is considered a remedy of last resort, and personal data protection disputes are ordinarily addressed through regulatory commissions or civil proceedings, with direct constitutional claims reserved for exceptional circumstances.