Introduction
Kenya enacted the Data Protection Act, 2019 (hereinafter, the “Act”) in November 2019.[1] It is a comprehensive statute that governs the collection, processing and storage of personal data by government and private actors. It establishes an ecosystem of rights and obligations that operationalises the right to privacy enshrined in the Kenyan Constitution. The immediate context for the Act lies in the legal challenge to the Kenyan government’s Huduma Namba digital identity program. In its interim judgement, the Kenyan High Court had noted the absence of a specific, robust data protection legislation in the country – thus giving rise to the Act.[2]
Scope
The Act regulates the collection, use, storage and sharing of personal data of natural persons. Like the EU General Data Protection Regulation (“GDPR”) and India’s Personal Data Protection Bill, the Act uses the umbrella term ‘processing’. The processing of data by data processors and data controllers through both automated and non-automated means is expressly covered by the Act.[3] Further, the Act is extra-territorial in scope.[4] It applies to both resident and non-resident data processors and controllers, so long as it is a Kenyan data subject’s data that is being processed.[5] As indicated above, the Act governs two kinds of entities – data controllers and processors. Data controllers are defined as natural or legal persons that determine the purpose and means of processing of personal data.[6] Data processors are natural or legal persons that process personal data on behalf of the data controller.[7] While the definitions are quite similar to the GDPR, the Act places several data protection obligations on both controllers and processors equally, unlike the GDPR and other frameworks that only hold data processors responsible for security and other limited requirements. The Act also requires both controllers and processors to register with the Data Protection Commissioner,[8] an office responsible for the implementation and enforcement of the Act.[9]
Data Protection Principles and Obligations
Processing of personal data must be in accordance with the consent of the data subject and the specific purpose for which the data was collected.[10] Any additional purposes will require fresh consent. The Act requires consent to be free, unequivocal, express and informed.[11] Therefore, implicit consent would not qualify. Further, since the burden to prove consent is on the data controller or processor,[12] it creates the incentive to set up accessible frameworks for obtaining such consent. This consent can generally be withdrawn at any time by the data subject.[13] Further, personal data is required to be processed in accordance with the right to privacy,[14] in a lawful, fair and transparent manner.[15] Data controllers and processors can retain data only for as long as reasonably required for the original purpose for which it was collected – with certain exceptions carved out.[16] The purpose for which any personal data is collected is required to be “explicit, specified and legitimate”.[17] The Act requires personal data to be accurate and updated,[18] and not be kept in a form which identifies the data subject for any longer than necessary for the purposes for which it was collected.[19] Finally, data controllers or processors are also required to ensure that personal data is accurate and updated.[20]
Individual Rights
Data subjects enjoy a range of rights under the Act. Data subjects have the right to be informed of the use to which their data is put to,[21] access their data that is in the custody of the data controller or processor,[22] object to the processing of personal data[23] and correct[24] or delete[25] false or misleading data. Data subjects also enjoy the right to request a data controller or processor to rectify data that is inaccurate or misleading[26] and to delete data that has outlived its authorized use or was collected illegally.[27]
Accountability Measures
Where a particular processing operation carries a high risk to the rights of the data subject, the data controller or processor is required to carry out a data protection impact assessment to aid the data commissioner in evaluating the viability of the operation.[28] The Act also requires data controllers and processors to implement ‘data protection by design’ measures with the purpose of integrating data protection safeguards into the processing of data.[29] These measures account for the amount and accessibility of data collected, the period of its storage and extent of its processing.[30] Some security safeguards are also provided for, such as the pseudonymisation and encryption of personal data.[31] While the Act allows for an audit of the processes and systems of data controllers and processors,[32] it neither makes such audit a periodic obligation nor provides any specific grounds for evaluating compliance under the Act.[33]
Transfer of Personal Data Outside Kenya
Personal data cannot be transferred outside Kenya unless there is either consent from the data subject or proof of adequate data protection safeguards in the jurisdiction where such data is proposed to be transferred.[34] Such proof is required to be submitted by the data controller or processor to the Data Commissioner.[35] There is a corresponding obligation imposed on the data controller or processor to inform the data subject of such transfer.[36]
We also note the differential treatment of personal data and sensitive personal data – for one, consent is a necessary pre-requisite for the transfer of sensitive personal data out of Kenya.[37] In relation to personal data, the data controller or processor is required to submit proof of safeguards to protect such personal data[38] and “commensurate data protection laws”.[39] Moreover, transfer may also take place if it is ‘necessary’ for one of several conditions – performance of contract, exercise of a legal claim, protection of vital interests of the data subject, ‘compelling legitimate interests’ or, vitally, “any matter of public interest”.[40] In relation to the processing of sensitive personal data, such processing shall only take place after the additional condition of consent of the data subject is obtained.[41] The Commissioner also appears to have the discretion to impose additional conditions – it is not yet clear what these conditions may be.[42]
Monitoring and Enforcement
The Act creates the office of the Data Protection Commissioner (the “Commissioner”). The Commissioner is responsible for:
- Registration of data controllers and data processors;
- Oversight on data processing operations;
- Assessing whether information is being processed in accordance with the Data Protection Act;
- Receiving and investigating complaints into alleged infringements of the Act;
- Promoting self-regulation among data controllers and data processors.
The Act protects the independenceof the office of the Commissioner.[43] The Commissioner is appointed by the Public Service Commission, an independent Constitutional body, and can only be dismissed on the basis of a limited number of narrow grounds.[44] The Commissioner also enjoys complete discretion to appoint members of her staff.[45]
The Commissioner has the powers to examine interested parties, and require the production of documents and statements in writing.[46] The Commissioner also has the powers to obtain a court warrant for search and entry in exercise of any powers under the Act.[47] The Commissioner should conclude complaints within 90 days.[48] The office of the Commissioner appears to be endowed with the requisite powers and independence to ensure that it is an effective watchdog.
Penalties
The Act provides for a combination of monetary fines and imprisonment depending on the nature of the offence. In cases where a person obstructs the work or refuses to cooperate with the Commissioner, the Act provides for a penalty not exceeding five million shillings (approximately USD 49,000) or imprisonment for a term not exceeding two years, or both.[49] The Commissioner may issue a penalty notice on conclusion of an investigation.[50] The criteria basis which a penalty notice may be issued are exhaustively laid down in the Act and include such factors as the gravity of the offence, intentional character of the action, mitigating actions, track record, categories of personal data affected by the action and whether the penalty would be “effective, proportionate and dissuasive”.[51] The maximum penalty that can be awarded for an offence under the Act is five million shillings or, in the case of a corporation, one per cent of annual turnover of the previous fiscal, whichever is lower.[52]
Separately, the Act also has a general penalty section which provides for a fine not exceeding three million shillings (approximately USD 29,000) or imprisonment not exceeding 10 years, or both.[53] The Act also provides Courts with the power to order the forfeiture of any equipment used in connection with the offence in question.[54]
Exemptions
Processing of personal data is exempt if it relates to a personal or household activity, is in national security or public interest, or of disclosure is required by law.[55] Similar exemptions exist where publication of such personal data is part of a literary or artistic material ir of the data controller believes that compliance is incompatible with these special purposes.[56] Also, the Commissioner is required to prepare a code of practice to guide processing of data for purposes of journalism, literature or art.[57]
Data controllers and processors are also exempt from seeking consent of data subjects in various circumstances including to protect the vital interests of the data subject or any other natural person, in public interest, compliance with a legal obligation or for the performance of any task carried out by a public authority.[58] In particular, concerns have been raised that government authorities will use the public authority exemption to circumvent the obligations of the Act.
The Act has been hailed as an important milestone in privacy and data protection rights in Africa. That the Act bears many similarities to the GDPR also underscores its consistency with international data protection safeguards. However, a few concerns have been raised. While the Act itself is applicable to both private and government entities, there remain concerns that the government would use statutory exemptions to prevent complying with the Act.[59] There have also been calls to strengthen the independence of the office of the Data Commissioner to protect it from executive influence.[60] Currently, stakeholders are waiting for the Act to be implemented to better understand the functioning, mechanics and obligations of the various entities that it regulates.
[This post is authored by Varun Baliga, a
consultant working with Ikigai Law, with inputs from Sreenidhi Srinivasan,
Senior Associate, Ikigai Law.]
[1] Available at http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/2019/TheDataProtectionAct__No24of2019.pdf.
[2] Nubian Rights Forum and Ors. v. The Hon. Attorney-General and Ors. Available at http://kenyalaw.org/caselaw/cases/export/172447/pdf, para. 100.
[3] Supra note 1, Section 4(a).
[4] Laura Hoffman, Kenya Data Protection Act of 2019 | Summary, 5th February, 2020, available at https://www.michalsons.com/blog/kenya-data-protection-act-of-2019/41677.
[5] Supra note 1, Section 4(b).
[6] Supra note 1, Section 2.
[7] Ibid.
[8] Supra note 4.
[9] Supra note 1, Section 8(1)(a).
[10] Supra note 1, Section 30(1)(a).
[11] Supra note 1, Section 2.
[12] Supra note 1, Section 32(1).
[13] Supra note 1, Section 32(2).
[14] Supra note 1, Section 25(a).
[15] Supra note 1, Section 25(b).
[16] Supra note 1, Section 39(1); Section 25(c), (d).
[17] Supra note 1, Section 25(c).
[18] Supra note 1, Section 25(f).
[19] Supra note 1, Section 25(g).
[20] Supra note 1, Section 25(f).
[21] Supra note 1, Section 26(a).
[22] Supra note 1, Section 26(b).
[23] Supra note 1, Section 26(c).
[24] Supra note 1, Section 26(d).
[25] Supra note 1, Section 26(e).
[26] Supra note 1, Section 40(1)(a).
[27] Supra note 1, Section 40(1)(b).
[28] Supra note 1, Section 31(1).
[29] Supra note 1, Section 41(1).
[30] Supra note 1, Section 41(3).
[31] Supra note 1, Section 41(4).
[32] Supra note 1, Section 23.
[33] See for instance, Section 29(2), The Personal Data Protection Bill, 2019, available at
[34] Supra note 1, Section 25(h).
[35] Supra note 1, Section 48(a).
[36] Supra note 1, Section 29(d).
[37] Supra note 1, Section 49(1).
[38] Supra note 1, Section 48(a).
[39] Supra note 1, Section 48(b).
[40] Supra note 1, Section 48(d).
[41] Supra note 1, Section 49(1).
[42] Supra note 1, Section 49(3).
[43] Supra note 1, Section 8(3).
[44] Supra note 1, Section 11.
[45] Supra note 1, Section 13.
[46] Supra note 1, Section 57(1).
[47] Supra note 1, Section 60.
[48] Supra note 1, Section 56(5).
[49] Supra note 1, Section 61.
[50] Supra note 1, Section 62(1).
[51] Supra note 1, Section 62(2).
[52] Supra note 1, Section 63.
[53] Supra note 1, Section 73(1).
[54] Supra note 1, Section 73(2).
[55] Supra note 1, Section 51(2).
[56] Supra note 1, Section 52(1).
[57] Supra note 1, Section 52(3).
[58] Supra note 1, Section 30(1)(b).
[59] Dr. Isaac Rutenberg, Expert Commentary: Kenya follows the path of European-style Data Protection, World Privacy Forum, 22 November, 2019, available at https://www.worldprivacyforum.org/2019/11/expert-commentary-kenya-follows-the-path-of-european-style-data-protection/.
[60] Kenya: Protect the data protection framework, Article 19, 25 November, 2019, available at https://www.article19.org/resources/kenya-protect-the-data-protection-framework/.
