Kenya’s Data Protection Act, Guaranteed Data Privacy

Kenya’s Data Protection Act 2019 is a Kenyan data privacy law that was passed in 2019 and enacted in November of 2020. In addition to outlining the measures and safeguards that data controllers within Kenya must develop and maintain when processing personal data, the Data Protection Act 2019 also established the Office of the Data Protection Commissioner, or the Commissioner for short, to uphold and enforce the law. While the Office of the Data Protection Commissioner is still in the process of setting up the operations needed to administer penalties under the law, the Data Protection Act 2019 nonetheless serves to guarantee the data privacy rights of Kenyan citizens.

What is the scope and application of the law?

With regard to scope and application, the personal and territorial scope of the Data Protection Act 2019 covers “all processing of personal data by any data controller or data processor established or resident in Kenya and who processes personal data while in Kenya, or not established or residing in Kenya but processing personal data of data subjects located in Kenya”. The material scope of the law covers the following actions relating to the processing of personal data:

  • Data collection.
  • The types of data that are to be collected.
  • The security of data that is collected.
  • The disclosure of data.
  • The retention of data.
  • The accuracy of data that is collected.
  • The deletion of data.
  • The updating of data.

What’s more, Kenya’s Data Protection Act, 2019 also contains a unique provision relating to COVID-19, the Guidance Note on Access to Personal Data During COVID-19 Pandemic, also known as the “COVID-19 Guidelines”. As “the COVID-19 Guidelines were put out for public and stakeholder participation on 12 January 2021, and closed on 9 February 2021”, the implementation of these guidelines is aimed both at providing further regulation on the collection, processing, and disclosure of personal data in the midst of a global pandemic, and at assisting with research relating to the pandemic.

What are the principles that data controllers must abide by when processing personal data?

The data protection principles that data controllers must adhere to in accordance with the Data Protection Act, 2019 are as follows:

  • Lawfulness, fairness, and transparency– Data must be processed in a manner that promotes lawfulness, fairness, and transparency. Additionally, a valid explanation must also be provided whenever a data controller seeks to collect personal data related to family or private affairs.
  • Purpose limitation– Data must be collected for explicit, specified, and legitimate purposes, and must not be processed for any reason outside of these purposes.
  • Minimization– Data must be collected for purposes that are relevant and adequate, as well as limited to what is necessary as it relates to the purpose for which it was collected.
  • Accuracy– All personal data that is collected must be accurate and kept up to date, and reasonable steps must be taken to rectify or erase any personal data that is found to be inaccurate.
  • Storage limitation– Data must be stored in a manner or form that identifies that associated data subject for no period longer than is needed to fulfill the purpose for which said data was collected.
  • Data should not be transferred cross-border– Data is prohibited from being transferred outside of Kenya, unless the country to which the personal data is to be transferred can prove it has adequate safeguards to protect said personal data, or the applicable data subject has consented to have their data transferred.
  • Data processing privacy– Data must be processed in accordance with the personal privacy rights of data subjects.

In addition to the data protection principles listed above, the Data Protection Act 2019 also requires that data controllers and processors satisfy a number of common data privacy obligations. These obligations include meeting specific conditions for data transfers outside of Kenya, maintaining data processing records so that sufficient information is available for audits, and conducting Data Protection Impact Assessments, or DPIAs, in instances where data processing activities are likely to cause significant risk to the rights and freedoms of data subjects.

The law also mandates that data controllers provide data subjects with notifications concerning the processing of their personal data. In addition, data controllers are required to register with the Office of the Data Protection Commissioner prior to processing the personal data of data subjects. The threshold for registration is based on a number of factors, including:

  • The nature of the industry a data controller or processor operates within.
  • The volumes of personal data that are processed.
  • Whether a data controller or processor processes sensitive personal data.
  • Any other factors found to be relevant, at the discretion of the Commissioner.

What are the rights of data subjects under the Data Protection Act 2019?

The Data Protection Act 2019 was passed to provide Kenyan citizens with data privacy rights similar to those offered by other international data privacy laws, such as the EU’s General Data Protection Regulation, or GDPR for short. To this end, the Data Protection Act 2019 gives data subjects the right to be informed, the right to access, the right to rectification, the right to erasure, the right to object or opt out, the right to data portability, and the right not to be subject to automated decision making, including profiling.

In terms of penalties that can be imposed on data controllers and processors who are found to be in violation of the law, the Office of the Data Protection Commissioner has the authority to levy a variety of punishments against non-compliant parties. These punishments include monetary penalties of up to KES 5 million ($44,425) or up to 1% of a business or organization’s annual turnover for the preceding financial year, whichever is lower. Furthermore, data controllers and processors who are found to be in violation of the law are also subject to a term of imprisonment of up to two years.

With the passing of the Data Protection Act 2019, Kenya joins the ranks of African countries that have passed data privacy laws in recent years, such as Senegal’s Data Protection Act. Moreover, the passing of the Data Protection Act 2019 puts Kenya in league with the growing list of countries around the world that have looked to legislative means to guarantee the data privacy rights of their citizens. As such, Kenyan residents will not have to worry about their personal privacy as it pertains to the collection, processing, and disclosure of their personal data.