The High Court Clarifies the 90-Day Timeline in Data Protection Complaints

On 30th September 2025, the High Court in Nairobi delivered a landmark judgment in Regus Kenya Limited v. ODPC & James Ndung’o (Civil Appeal No. E472 of 2023). The Court interpreted the application of the statutory ninety-day period within which the Office of the Data Protection Commissioner (ODPC) is mandated to investigate and conclude complaints filed before it.

Why this case matters
Section 56(5) of the Data Protection Act, 2019, provides that “a complaint made to the Data Commissioner shall be investigated and concluded within ninety days.” On the face of it, this provision seems straightforward, yet in practice uncertainty has long surrounded the question: when does this 90-day clock start ticking?
This ambiguity arises because under Regulation 6 of the Complaints Handling and Enforcement Regulations, the ODPC has several options upon receiving a complaint. The Commissioner may:

  • admit and investigate the complaint,
  • decline to admit it,
  • refer it to another body, or
  • opt for alternative dispute resolution (ADR) mechanisms such as mediation or conciliation.

Until now, it was unclear whether the 90-day period applied from the date a complaint was lodged, from the date of admission by the Commissioner, or whether it applied at all where the ODPC opted for alternatives such as ADR.
The High Court has now provided an authoritative guide.

Background of the Case
The dispute arose when a data subject complained of receiving unsolicited spam messages from Regus Kenya Limited. Despite being served with complaint notifications, Regus failed to respond. The ODPC escalated the matter by issuing an Enforcement Notice requiring remedial measures within thirty days, and when that too was ignored, a Penalty Notice was imposed, ordering Regus to pay five million shillings. Regus appealed, contending among other things that the ODPC acted outside its jurisdiction because the penalty was issued beyond the ninety-day window, and further that the fine was excessive.

Determination
In his decision, Justice A.C. Mrima clarified that the ninety-day limit only begins to apply once the Commissioner has reviewed and admitted a complaint and made a decision to conduct investigations. Where the Commissioner chooses another avenue, such as referring a matter to another institution, resolving it through mediation, or issuing an enforcement notice without first investigating, the strict ninety-day period does not apply. In the Regus case, the Court found that the company’s own refusal to engage with the Commissioner prevented any investigations from being undertaken, and that the ODPC acted within its powers in escalating to enforcement and penalties. The Court, however, agreed that the maximum fine of five million shillings was harsh for a first offender and reduced it by half to two and a half million.

Key Insights
The judgment has important implications for data processors and data controllers. It makes clear that data processors and data controllers cannot rely on the lapse of ninety days from the date of lodging a complaint by a data subject as a technical shield against enforcement. What matters is whether the ODPC has admitted a complaint and decided to investigate it.

For example, if a complaint is referred to mediation and the mediation succeeds, the complaint ends there. But if mediation fails and the complaint is referred to the ODPC for investigation and determination, the ninety-day period will begin running afresh from that point. In practical terms, data processors and controllers should not assume that engaging in ADR will “use up” the Commissioner’s time window; instead, it provides additional time for a consensual resolution before formal enforcement resumes.

The Court also underlined the importance of engaging with the ODPC in good faith; silence or non-cooperation only strengthens the case for penalties. While the Court moderated the fine, it affirmed the Commissioner’s broad enforcement powers and the principle that penalties must be effective, proportionate, and dissuasive.

Conclusion
This case is therefore a timely reminder that compliance with the Data Protection Act is not optional. The right to privacy is entrenched in Article 31 of the Constitution, and regulators and courts are increasingly assertive in its protection. For data processors and data controllers, the lesson is simple: respond promptly to regulatory notices, maintain clear data protection policies, and train staff on proper handling of personal data. Waiting to challenge enforcement on technicalities is a costly gamble.

At J.K Kibicho Advocates, we view this ruling as a wake-up call for organisations processing personal data in Kenya. We help organisations not just to respond to complaints, but to build proactive compliance frameworks that reduce risk, protect customer trust, and align with best practice. Should your organisation wish to strengthen its data protection policies or receive training on complaint handling, our team stands ready to support you on your compliance journey.

This alert is provided for general information purposes only and does not constitute legal advice. Should you have any questions or need legal advice, please contact us on info@jkkibicho.co.ke.

Contributors:
Maureen Cheruiyot, Senior Associate
Michael Muyela, Trainee Advocate
