Courts in Kenya and Tanzania have reaffirmed that while the right to privacy is constitutionally protected, enforcement of this right generally relies on statutory and civil remedies rather than direct constitutional litigation.
In a recent case, Ndung’u & Another v. Wachira & Another [2025] KEHC 7265, the High Court of Kenya emphasized that constitutional petitions should not be the first step when statutory remedies are available. The court highlighted the doctrines of exhaustion of remedies and constitutional avoidance, underscoring the importance of regulatory institutions in resolving data protection disputes. Constitutional intervention is reserved for situations where statutory mechanisms prove inadequate.
The facts involved petitioners who claimed their names and images were used without consent in a song published on YouTube, which they said also contained defamatory statements about them and their families. They argued these actions violated their rights to dignity and privacy under Articles 28 and 31 of the Constitution of Kenya, 2010, seeking both declaratory and injunctive relief.
Respondents countered with a Preliminary Objection, arguing that alternative remedies existed under laws such as the Kenya Data Protection Act of 2019, Section 56, the Media Council Act, or through civil claims like defamation or invasion of privacy. They maintained these options should be exhausted before approaching the constitutional court.
The High Court agreed with this position. It struck out the petition because alternative statutory and civil remedies had not been pursued for alleged privacy and defamation violations. The court upheld the respondents’ objection, noting that since private individuals were involved, avenues such as the Kenya Data Protection Act or other civil actions were appropriate forums for redress. The judgment stressed that constitutional jurisdiction cannot bypass established legal channels unless exceptional circumstances exist.
Kenya’s legal framework includes several statutes governing data protection disputes. The Data Protection Act (DPA), 2019 designates the Office of the Data Protection Commissioner (ODPC) as principal authority for grievances related to personal data processing. Regulations set out procedures for lodging complaints with ODPC, including requirements for complainant details, nature of complaint, remedy sought, and steps already taken. Upon investigation completion, ODPC can issue determinations including enforcement notices or administrative fines; its decisions may be challenged before the High Court.
Other Kenyan laws also address privacy concerns: The Defamation Act protects against reputational harm from libel or slander through civil proceedings; meanwhile, provisions in acts like Computer Misuse and Cybercrimes reinforce privacy protections alongside cybercrime prevention objectives.
Tanzania has seen similar developments following enactment of its Personal Data Protection Act (PDP Act). Before this law was passed, individuals relied mainly on constitutional interventions for personal data breaches. Now, Tanzania’s Personal Data Protection Commission handles most complaints about personal data privacy under structured procedures outlined by supporting regulations.
Complaints must be lodged using prescribed forms—either written or orally then transcribed—and must establish cause of action within statutory timelines without overlapping pending cases elsewhere. If accepted by the Commission after evaluation against relevant criteria in law and regulation, investigations may follow leading to enforceable awards equivalent to orders from Tanzania’s High Court; parties retain rights to appeal commission decisions judicially.
Statutory avenues supplement Tanzania’s constitutional guarantees: For example, Part V of its Media Services Act provides specific procedures for defamation-related privacy claims; general civil proceedings remain possible under broader legislation like Civil Procedure Act.
Recent Tanzanian jurisprudence shows an increasing reliance on ordinary civil claims rather than direct constitutional petitions for privacy issues—for instance in Safari Automotive Limited v. Godwin Danda—and demonstrates active use of new regulatory frameworks by bodies such as the Personal Data Protection Commission.
Both countries thus tie enforcement closely to exhaustion-of-remedies principles: Direct constitutional litigation is considered only when no adequate statutory recourse exists—a stance reinforced by provisions such as Section 4(1) and Section 8(2) of Tanzania’s Basic Rights and Duties Enforcement Act (BRADEA).
This approach underscores a shift toward multi-layered legal frameworks where commissions or courts handle most matters under statute before any potential escalation to higher constitutional adjudication.