The Human Side of Privacy: Lessons from Anampiu v Cleanshelf

On 31 October, Kenya's High Court ruled in a case involving a supermarket, suspected shoplifting, and constitutional rights. Catherine Kariuki Mulika of Cavendrys explores how privacy goes beyond data protection to include dignity and human treatment.

OPINION

Kenya’s courts continue to shape what privacy means in practice. While most conversations focus on data protection and digital systems, recent decisions are reminding us that privacy goes far beyond servers and screens. It is also about how people are treated, in workplaces, in retail spaces, and in moments of vulnerability.

The High Court’s decision in Anampiu v Cleanshelf Supermarket Limited [2025] KEHC 15455 brought this to light in a simple but powerful way. The case involved a shopper who was publicly searched after being suspected of shoplifting. No stolen item was ever found, yet the Court held that the supermarket’s actions violated her rights to dignity, privacy, and consumer protection.

It was a small case in legal terms, but a significant one for how we understand privacy in everyday life.

Privacy Beyond Data

The Court reminded us that privacy in Kenya is not limited to information or data protection. Article 31 of the Constitution protects the sanctity of personal life, from one’s home to one’s person. This means privacy applies not only to digital records but also to physical searches, surveillance, and other forms of intrusion.

In Anampiu, the search took place in public view, drawing the attention of onlookers and exposing the petitioner to humiliation. The Court found that even if a search was justified for loss-prevention purposes, it must be conducted in a way that safeguards the individual’s dignity and sense of self-worth.

When Dignity and Privacy Intersect

One of the most compelling parts of the judgment is its recognition that dignity and privacy are inseparable. The Court affirmed that violating privacy often directly impairs dignity, since both rights protect an individual’s autonomy and respect.

This interpretation brings the human side of privacy to the surface. 

A person’s right to dignity is not suspended when suspicion arises. It is in those moments of conflict, between protecting property and protecting people, that constitutional values are most tested.

For businesses, this intersection is critical. It means compliance must now go beyond having a policy on paper. It requires cultivating a workplace and customer culture that respects the individual, even when procedures are being enforced.

Policies Are Not Enough

Many organisations already have loss-prevention or security policies that appear sound on paper. The Cleanshelf case exposes a recurring problem: those policies are rarely followed.

The supermarket’s own loss control policy required private searches in the presence of a manager. Yet the search in question was conducted in a public area by a junior attendant. That gap between policy and practice turned what might have been a routine check into a constitutional violation.

This illustrates that compliance is not a document. It is a daily practice. Training, supervision, and consistent enforcement are what translate written procedures into lawful behaviour.

Outsourcing Accountability

The case also highlights an often-ignored dimension, which is contracting. Many businesses outsource their security services to third-party firms. Yet when things go wrong, it is the business itself, not the contractor, that faces constitutional liability.

Constitutional duties cannot be delegated. Companies must ensure that their service providers understand and uphold those duties. Every contract with a security firm should therefore include obligations around privacy and dignity, training requirements for staff, and clear accountability measures.

Embedding these principles into contracts protects both the customer and the brand. It is also a practical step toward risk mitigation.

Building a Culture of Respect

This decision broadens the conversation about privacy in Kenya. It connects the physical and digital, the policy and the person. For corporates, it serves as a reminder that privacy compliance is not just a data issue. It is a culture issue.

Every organisation will face moments that test how it balances suspicion, security, and respect. The Cleanshelf judgment reminds us that privacy is not an abstract legal right. It is a human one. And it begins with how we treat people when power and vulnerability meet.

At Cavendrys, we view this as part of Kenya’s evolving constitutional landscape, where business practices are being held to higher standards of humanity and accountability. Whether in a supermarket or a data centre, the same principle applies. Every system, human or technical, should be designed to protect dignity.

Workplace Privacy

The same principles that govern how businesses treat customers also apply to how they treat their employees. Privacy and dignity do not stop at the shop floor or the checkout counter. They extend into offices, factories, and virtual workplaces where power and vulnerability meet in different forms.

The employment relationship carries an imbalance of power. Employers must handle staff oversight and investigations with care. Processes such as monitoring, performance evaluation, background checks, or disciplinary inquiries may be lawful, but the way they are carried out determines whether they respect or violate an employee’s dignity.

Privacy in the workplace does not prohibit supervision or accountability. It calls for proportionality and respect. Employees should be informed when surveillance systems are in use, when their data is being processed, and when investigations or audits involve them. Meetings concerning disciplinary matters or performance issues should be conducted in private, with clear communication and an opportunity to respond.

As the Court noted in Anampiu, a justified action becomes unlawful when done without dignity. The same reasoning applies here. A lawful HR process conducted in a humiliating or public way may still amount to a violation of Article 28 and Article 31 of the Constitution.

For employers, this means moving beyond policy statements to build real trust. Privacy and dignity should be embedded in recruitment practices, data handling, and daily management. When employees see that respect is consistent, they are more likely to uphold organizational integrity in return.

Workplace privacy is not about limiting oversight. It is about embedding humanity in how oversight is exercised. It recognises that every employee is entitled to the same dignity the Constitution promises to all.

Practical Takeaways for Businesses

Kenya’s courts are reminding businesses that dignity and human treatment are as central to compliance as data protection itself. Some practical takeaways: 

  • Conduct searches in private, with a manager present, and explain the process to the person involved.

  • Train all employees, not just security staff, on the constitutional rights of customers, colleagues, and contractors.

  • Review contracts with outsourced service providers to include privacy and dignity obligations, training, and reporting duties.

  • Treat internal policies as living tools that must be implemented, monitored, and enforced through real accountability.

Overall, businesses need to recognise that compliance, ethics, and respect for people are inseparable, both in customer interactions and in the workplace.

Catherine Kariuki Mulika is a partner at Cavendrys and a renowned Kenyan lawyer who earlier this year, alongside fellow TDFI expert Janet Othero, established their specialist firm.