In Kenya, privacy law has progressively but steadily gained relevance, in this epoch more than ever, mainly due to developments in the Information and Communication Technology sector. However, until 8th November, 2019, when the President of the Republic of Kenya assented to the Data Protection Act 2019 (the "Act"), Kenya lacked a comprehensive legal framework on data protection. The Act complements and gives effect to Article 31 of the Constitution of Kenya 2010 on the right to privacy. The Act mirrors the General Data Protection Regulation (the "GDPR") enacted by the European Union and also complies with the African Union Convention on Cyber Security and Personal Data Protection adopted by the African Union. The Act makes provisions for the regulation of the processing of personal data. It provides for the rights of data subjects and the obligations of data controllers and processors, and also makes provisions for other connected purposes.
Salient Features of the Act
The Act establishes the Office of the Data Protection Commissioner, headed by a Data Commissioner. The office is mandated with the implementation and enforcement of the Act; the establishment and maintenance of a register of data controllers and processors; oversight of data processing operations; the promotion of international cooperation in matters relating to data protection; carrying out inspections of both private and public institutions in order to evaluate their processing of personal data; and receiving and investigating complaints by any person on infringement of the rights under the Act, among others.
The Act obligates data controllers and processors to be registered and issued with a certificate by the Data Protection Commissioner in order to be allowed to operate and handle personal data. The Data Protection Commissioner, in consideration of the nature of the industry, the volume of data processed, the sensitivity of the personal data being processed and any other criteria the Commissioner may specify, has power to prescribe the thresholds for mandatory registration of data controllers and data processors. Additionally, the Data Commissioner is authorized to carry out periodic checks of the practices and systems of data controllers and processors to confirm compliance with the Act.
In providing users with control over their personal data and online experiences, the Act entrenches the data protection principles of data security, legitimate collection and processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. It obligates every data controller and processor, whether in Kenya or abroad, to strictly adhere to the aforementioned principles as long as they process the data of Kenyan data subjects or process any personal data while in Kenya.
The Act also provides for the rights of a data subject, including but not limited to the right to be informed of the use to which their personal data is to be put; to access their personal data; to object to the processing of all or part of their personal data; to correction of false or misleading data; and to deletion of false or misleading data about them. The Act also allows certain persons, such as guardians, to exercise the said rights on behalf of data subjects who may be legally incapable of enforcing them.
Section 28 of the Act provides that personal data may only be collected directly from the relevant data subject, save where the data is contained in a public record, the data subject has deliberately made the data public, the data subject has consented to the collection from another source, the data subject has an incapacity and the appointed guardian has consented to the collection from another source, among other exceptions. This calls for a review of organizations' data collection structures in light of rapid technological advancements. For instance, entities dealing with minors, such as schools, pediatric hospitals and health care centers, should adopt structures that maintain the confidentiality of their clients' data and prevent its misuse.
In handling and processing data, the Act mandates that data processors and data controllers, together with their agents, strictly abide by the principles of meaningful user consent, purpose limitation, collection limitation, data minimization and data security, and by the robust protections afforded to data subjects: the rights to object to the processing of their data, to rectification, to erasure of inaccurate data, and to access and be informed of the use of their data. Although the Act is not couched in mandatory terms requiring entities to appoint data protection officers, we note that it is advisable for all data processors and data controllers to appoint data protection officers to ensure compliance with the Act.
Non-compliance with or contravention of the provisions of the Act attracts a general fine of up to Kenya Shillings Three Million (KShs. 3,000,000.00) or imprisonment for a period not exceeding three (3) years. Additionally, a data subject who suffers financial loss or distress arising from a violation of any requirement under the Act has a right to claim compensation from the data controller or the data processor.
The Act is timely given the growing concerns over the use and safety of personal data in the hands of various government institutions and other actors, concerns attributable to rapid digitization and increased mobile technology penetration. It is imperative to note that the GDPR already requires any business whose core activities involve the processing of personal data and which has ties to any member state of the European Union to align its internal policies with the GDPR's principles; since the Act mirrors the GDPR, such businesses will find their obligations under the two regimes largely aligned.
Finally, it cannot be gainsaid that the Act is founded on the best international standards of data protection. Kenya provides a blueprint to many other African governments for a data protection framework. However, to achieve the objects of the Act, a proper institutional framework must be set up and the Act must be reconciled with other statutes to ensure that its good intentions are not watered down. As we await the appointment of the Data Commissioner and the issuance of the implementing regulations that will give life to the Act, data processors and data controllers should in the meantime embrace digital transformation that places the highest standard of protection of data privacy rights at the heart of their businesses.