Kenya: Overview of the Data Protection Act, 2019
On 8 November 2019, President Uhuru Kenyatta signed the Data Protection Bill, 2019 into law ('the Act'), establishing requirements for the protection of personal data. The Act is Kenya's first data protection law, which came into force on 25 November 2019. Francis Monyango, Law and Policy Associate at Kenya ICT Action Network (KICTANet), provides an overview of the privacy law and discusses the conditions set out regarding data transfers, data processing, and data subject rights.
Short overview of the right to privacy in Kenya
The Act was preceded by the Privacy and Data Protection Policy 2018. The Act gives effect to Article 31(c) and (d) of the Constitution of Kenya, 2010, which enshrines the right to privacy.
Despite the lack of a dedicated data protection law, Kenyans with grievances have not hesitated to use judicial means to obtain declarations on what they felt were breaches of their right to privacy.
Outside the corridors of justice, privacy concerns among Kenyans include the arbitrary use and misuse of personal information, unsolicited marketing messages by entities, and the need for identification at entrances of buildings. Business entities, on the other hand, have been concerned about how they can comply with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Act borrows heavily from the GDPR, something that eases the compliance burden.
Overview of the text of the Act
The Act's objectives and scope are to regulate the processing of personal data and to ensure that the processing of personal data is guided by the legislated data protection principles. Other objectives are to protect the privacy of individuals and to establish the legal and institutional mechanism to protect personal data by providing data subjects with rights and remedies.
The Act establishes the Data Protection Commissioner ('the Commissioner'). The role of the Commissioner will be to oversee the implementation and the enforcement of the Act. The other role will be to establish and maintain a register of all the data controllers and data processors in Kenya. This seems to be inspired by the UK's Data Protection (Charges and Information) Regulations 2018, which require every organisation or sole trader that controls the processing of personal data to register with the Information Commissioner's Office ('ICO'), unless all the processing they carry out is exempt. While Kenyan data processors and data controllers will be required to register, in the UK only data controllers register with the ICO. This also means that no person is allowed to act as a data controller or data processor unless they have registered with the Commissioner. The Commissioner is expected to prescribe thresholds required for mandatory registration of data controllers and data processors.
The Commissioner will also be able to exercise oversight over all data processing operations in the country, promote self-regulation among data controllers and data processors, and conduct data processing assessments on its own initiative or upon request. The Commissioner will also be expected to promote international cooperation on data protection issues while ensuring that Kenya complies with its data protection obligations under international conventions and agreements.
The Act contains data protection principles that require data processing to be lawful, fair, and transparent. Data collection should be for a specified and legitimate purpose, relevant, and limited to what is necessary. Data should not be kept for longer than is necessary. It should also not be transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
The rights of a data subject are also stated in Section 26 of the Act. A data subject has the right to be informed of the use of their personal data, the right to access their personal data, the right to object to the processing of all or part of their personal data, and the right to correct and even delete false data about them. The recurring message in Sections 26, 27, 29, and 30 of the Act is the need for informed consent before data processing. A data subject will have to be informed that their data is being collected, the purpose for which the data is being collected, and the third parties which the personal data has been or will be transferred to, including details of safeguards adopted before they consent to data processing. The Act also empowers the data subject to request a stop to or a restriction of the data processing.
Regarding children's data, parental consent is required and the processing should be in the best interest of the child.
In terms of automated individual decision making, the Act states that every data subject has the right not to be subject to a decision based solely on automated processing where the decision produces legal effects that affect the data subject. The Act stipulates that processing for direct marketing may not be done unless the data processor or data controller has express consent from a data subject, or is authorised under any other law which the data subject has been informed of. The Act also empowers a data subject to receive, upon request, personal data concerning them in a structured, commonly used, and machine-readable format. The data subject has the right to transmit this data to another data controller or data processor without any hindrance.
Just like the GDPR, the Act has provisions that require the data processor and data controller to practise Privacy by Design. Data processors and data controllers will have to implement technical and organisational measures that incorporate all the necessary data processing safeguards. Data Protection Impact Assessments ('DPIAs') are also made mandatory prior to the commencement of data processing activities. DPIAs should enable entities that process data to determine organisational measures, such as ensuring that all those who act under the authority of the data controller or processor comply with the relevant security measures.
In the event of a data breach, the Act requires a data controller to notify the Commissioner within 72 hours of becoming aware of such a breach. Upon the occurrence of a data breach, the data controller is also required to communicate to the data subject, in writing, within a reasonably practical period. Processing of sensitive personal data is permitted after consent is granted by the data subject and where there are appropriate safeguards. Personal data relating to health may be processed under the responsibility of a healthcare provider.
The Act sets the conditions for the transfer of data out of Kenya. The transfer is allowed where the data controller or data processor has given proof to the Commissioner that the destination jurisdiction has similar data protection laws and that the transfer is necessary. Despite all the restrictions on data processing, the Act has exemptions. Some of the exemptions are based on national security, journalism, literature and art, research, history, and statistics. The Commissioner may legislate more exemptions. Other than dealing with complaints, the Commissioner is also empowered to issue enforcement notices, penalty notices, and administrative fines. The Act provides compensation for the data subject in the event that their privacy rights are breached.
The enactment of the Act is a step in the right direction and it provides Kenyans with legal recourse for privacy violations. However, it is too early to draw any final conclusions about its impact as the Act has not yet been implemented.
Francis Monyango Law and Policy Associate
Kenya ICT Action Network (KICTANet), Nairobi