The need for privacy within public spaces and social gatherings, such as nightclubs and other events, has grown significantly in today’s context. Businesses in these spheres face a delicate balancing act, aiming to create vibrant atmospheres, often through promotional activities involving photos, videos, or live streaming, and respecting individual privacy. This challenge is compounded by the endeavor to comply with data protection laws. Yet, the measures some people have taken to comply with the data protection regulations prompt inquiries into their efficacy and consequences.

How do we navigate the delicate balance between fostering a vibrant atmosphere and respecting individuals’ privacy preferences? As individuals and organisations strive to steer clear of legal ramifications regarding data protection breaches, discussions have centered on the options provided by opt-in and opt-out frameworks, reflecting the dynamics of consent within these spaces.

Using Kenya’s legal framework as a lens, particularly focusing on nightclubs as an example of multifaceted public spaces, this article correlates opt-in methods with consent and opt-out mechanisms with notices, aiming to clarify their distinctions. It is crucial to note that while Kenya’s legal infrastructure may vary, the fundamental principles governing data protection laws generally hold similarities across jurisdictions.

The nightclub scene, known for its lively ambiance and social interactions, often intersects with the need for privacy. The emergence of opt-in and opt-out modalities has become a focal point in addressing this intersection. Opt-in approaches require active consent from individuals to participate in any form of media coverage, placing the onus on attendees to expressly agree to being photographed or recorded. Conversely, opt-out strategies offer attendees the choice to decline media coverage by utilising a visible marker, like a wristband, to indicate their preference for privacy.

Opt- in and opt -out frameworks defined

Simply put, opt-in methods require individuals to actively agree or give explicit consent before any action or participation occurs. It necessitates individuals to take a specific action to signal their willingness to engage or allow a particular activity. In this scenario, consent is clearly and directly provided by the individual. For example, a nightclub that requires attendees to sign a consent form explicitly agreeing to be photographed or recorded during the event for promotional purposes.

Opt-out approaches, on the other hand, presume consent unless individuals take action to decline or opt out of an activity or permission. It involves individuals being automatically included unless they take specific steps to indicate their preference against participation. However, this method could be seen as a form of implied consent rather than an explicit expression of willingness. An example is a nightclub where attendees are automatically included in media coverage unless they request and wear a designated wristband indicating they do not wish to be photographed or recorded.

The term “consent” is defined under section 2 of the Data Protection Act, 2019 to mean “any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.”

From the above definition, the ingredients of consent for data processing are as follows:

i)                   Express: Consent needs to be clearly and explicitly stated, leaving no ambiguity about the individual’s agreement to the data processing.

ii)                 Unequivocal: The consent should be straightforward and unambiguous, leaving no room for doubt regarding the individual's intentions or wishes.

iii)               Free: Consent must be given willingly and without coercion or pressure. It should be entirely voluntary, without any form of duress or manipulation.

iv)               Specific: The consent should relate to a particular purpose or set of purposes for processing the personal data. It should not be vague but rather pertain to distinct and well-defined uses.

v)                  Informed: The individual providing consent must have a clear understanding of what they are agreeing to. They should be aware of the nature, scope, and consequences of the data processing. See also section 26(a) of the Data Protection Act, 2019 which provides that a data subject has a right to be informed of the use to which their personal data is to be put.

vi)               Affirmative Action: Consent is indicated through a positive action or statement. It requires an active step or a deliberate affirmative gesture from the data subject.

The problems with opt-out frameworks

Opt-out modalities are unclear on whether the rights of the data subjects have been protected. This is because the data subjects are not informed of the use of their personal data, on how they will access the personal data where need arises and further criteria for correction and deletion of any false or misleading data. The wording in opt-out notices are susceptible to being unclear about how the data collected through media coverage will be handled or used. For instance, it doesn't specify if captured images or videos will be stored for future promotional purposes, shared on social media, or distributed to third-party entities. Without this information, attendees cannot make informed decisions about their privacy. (See Section 26 of the Data Protection Act, 2019 on the rights of a data subject).  

Opt-out strategies give vague consent which amounts to mere notice and hence do not limit the extent to which the data should be processed. This is hence problematic in the sense that a data subject has to consent before there are even aware of the extent of processing of their data. (See Section 30 1(a)of the  Data Protection Act, 2019) It may also be quite unclear on what was consented to and what was not. With the nature of opt-out strategies, the individuals who chose not to take steps to exclude themselves from involvement means that their data can be used. This does not however limit and state to what extent to which this data can be used.

Again, the use of opt-out strategies is vague in the sense that the individuals may not agree on what specific data is being consented to being processed. See (See section 25(a) of the Data Protection Act, 2019). It is thus detrimental to the data subjects since the data that they do not consent to may be processed against their wish.

Further to the above, opt-out frameworks are also unclear on the duration in which the data will be retained contrary to the provisions of the act. An opt-out may not clarify the duration for which the data will be retained. Will the images or videos be deleted after the event, or will they remain in the media team’s archives? This lack of specificity leaves attendees unaware of the extent of their data exposure beyond the event itself. This may lead to data being retained longer than the data subject could have imagined.  And this contravenes section 25(g) of the Data Protection Act, 2019.

Section 32 of the Data Protection Act, 2019 provides for the conditions of consent as follows, in part:

(1)        A data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose.

(2)        Unless otherwise provided under this Act, a data subject shall have the right to withdraw consent at any time.

(3)        The withdrawal of consent under sub-section (2) shall not affect the lawfulness of processing based on prior consent before its withdrawal.

First, the onus is on data controllers or processors to prove a data subject’s consent. The law also grants data subjects the right to withdraw consent at any time. In a nightclub scenario using an opt-out method like wristbands, determining when a person withdraws consent can be challenging for management. They must prove initial consent and establish a clear process for individuals to communicate withdrawal effectively. The complexities lie in identifying the precise moment of withdrawal amidst prior consent.

Once again, opt-in strategies, while ensuring explicit consent, empower individuals to actively participate in media coverage, fostering an environment of informed engagement. They embody a proactive approach that prioritizes individual choice and respects privacy rights from the outset.

On the other hand, opt-out methods provide a simpler means for attendees to decline participation in media coverage. However, they raise questions about the potential for inadvertently infringing upon personal freedoms or inadvertently stigmatizing those who choose to opt out. The visibility of opt-out indicators might unintentionally draw attention or create social divisions, impacting the inclusive nature of club environments.

The debate surrounding these modalities underscores the importance of striking a balance between individual autonomy and a communal sense of enjoyment within club settings. Creating a space where privacy is respected while ensuring everyone feels included and free to engage is the ultimate goal.

The discourse regarding opt-in versus opt-out modalities intertwines with the discussion on whether notices alone can suffice as adequate consent. Proponents of notices as consent make two leading arguments namely (II) that notices inform individuals about the nature of certain actions or conditions, ensuring they are aware of what might occur. This awareness, they argue, serves as a form of consent as individuals choose to engage despite being informed. (II) that in certain settings, such as online agreements or standardized procedures, notices might be perceived as an agreement due to the assumption that individuals accept the terms by proceeding unless they actively opt out.

In contrast, this article argues that while both notice and consent serve important roles in informing individuals, their fundamental difference lies in the level of involvement and agreement they entail. Consent requires active agreement and participation, while notice focuses on providing information and awareness without mandating explicit agreement or action. Specifically, the arguments against notice as consent are as follows:

A.    Level of Involvement: Consent requires active involvement and explicit agreement from individuals, ensuring they participate willingly. Notice, however, informs individuals about certain actions or conditions without necessitating their direct agreement or participation.

B.     Agreement vs. Awareness: Consent signifies agreement and permission, indicating a deliberate choice made by individuals after understanding the implications of their decision. Notice, while providing information, does not necessarily imply agreement or active choice.

C.    Legal and Ethical Implications: Consent holds more weight in legal and ethical contexts, as it signifies explicit agreement and compliance with regulations or norms. Notice is crucial for informing individuals, but it might not always fulfill legal requirements or ethical standards regarding explicit agreement.

D.    Clarity of Intention: Consent ensures a clear and deliberate intention to participate or agree to certain actions, whereas notice might lack the clarity of whether individuals actively agree or simply acknowledge the information provided.

Effectively navigating privacy concerns in clubs demands a nuanced approach. A range of options that cater to varying comfort levels regarding media coverage is need. To this end, utilising technology, such as facial recognition blocking features or designated no-coverage zones, can further enhance privacy without impeding the lively atmosphere clubs aim to foster.

Ultimately, understanding and respecting the preferences of attendees are key. Comprehensive communication about privacy policies, clear delineation of consent modalities, and offering diverse choices ensure that clubs can maintain their vibrancy while upholding the privacy rights and preferences of all attendees. Balancing these elements will enable clubs to create environments where consent is central, fostering enjoyable experiences for everyone.

Maintaining compliance with data protection laws is crucial for any business. Data breaches can not only tarnish the reputation of a business but also result in severe financial implications through government sanctions or litigation from affected individuals. Prevention is always more effective than dealing with the aftermath.

Please note that this article serves informational purposes and is not intended as legal advice. Feel free to reach out for any specific inquiries about this topic.