Data Protection Act 2019: The good and the bad


Data protection in Kenya has been an area of concern for a long period especially with the advent of technology in governance and commerce. The Data Protection Act No. 24 of 2019 is now law following Presidential ascent of the Bill that had been undergoing deliberations in the Senate and National Assembly for an extended period.

Prior to this, the state had been faulted for failing to provide a reliable data protection framework for shaping Information Communication Technology (ICT) policies in the country, in the wake of the proliferation of ICTs that required a legal framework for their operation so as to temper against data abuses. This prompted a promise by Kenya at the 2015 Universal Periodic Review, of comprehensive data protection laws by 2019, a target that is set to lapse in a month’s time. Consequently, the Data Protection Act, No. 24 of 2019, gives effect to Article 31 of the Constitution; Protection of the Right to Privacy, and in essence is Kenya’s first data protection law.

The law seeks to regulate the processing of personal data and information as the handling of that information will be bound by the principles of data protection that mirror those provided by General Data Protection Regulations (GDPR). In doing this, consent in the processing of personal data has been made mandatory thus should be unequivocal, free, specific and informed. This therefore means that data processors can no longer rely on implied consent as a ground of processing personal data hence, illegal processing of personal data will effectively be punishable. Further, transfer of data is only limited to Kenya unless there is adequate proof of proper protection of the data and consent from the owner of the data that has been obtained. The Act gives the Data Commissioner swooping powers to suspend transfer of data outside the country where the above threshold has not been met.

It expressly defines personal data as including a wide array of information such as property details, marital status and family member details and accords a higher threshold of protection to this personal data collected and thus may call for restructure of the mode of use of personal information collected such as information submitted at security desks when accessing buildings, in the wake of the rise in identity theft.

The Act also covers people who own and control data, as well as third parties managing, storing, and sorting personal data which applies to natural or legal persons, agencies and public authorities. Local and global organizations processing data belonging to locals also fall within the realm of this Act. Further, organizations that own, manage, or control data will be required to register (obtain license) at the data Commissioner. In obtaining the valid license, the business/data processor will be required to indicate among other things the measures put in place to protect the data handled from misuse.

This aims at preventing unlawful use of collected data thus protecting the consumer. It is important to note that the law now gives citizens the right to know how their information is handled. You will also have the right to ask for the deletion or editing of incorrect data, thus in a subtle manner advancing the user’s right to be forgotten. In the case of the ability to move data among different data service providers and data controllers/processors (data portability), Kenyans now have the right to acknowledge or reject their data being transferred to another service. This will come in handy for mobile subscribers and has been a nuisance for a lot of users for a while now.

The Act comes at a pivotal time with Kenya’s rapid digitization and increased mobile technology penetration. With registration of births and persons now online, it accelerates collection and analysis of personal data

Additional benefits include a robust data privacy system for sensitive data and stiff penalties for groups that will contravene the law such as payment of hefty fines of up to Sh3 million or a maximum of 10 years in jail. 

The law will see the setting up of the office of a data commissioner as an independent office, tasked with the duty to promote self-regulation among data controllers/processors, receive and investigate complaints on infringements under the Act, carry out public and private inspections to ensure conformity with the Act, ensure compliance with international obligations on data protection and provide for alternative dispute resolution of disputes that arise under the Act. The structure of the office of the data commissioner is such that there will be an empowered and well resourced data commissioner with a high degree of independence from the government who will enjoy security of tenure through a structured appointment and removal mechanism centralized around the public service commission. 

In performing its functions, the office of the data commissioner is mandated to issue an enforcement notice within a 21 day period to parties in non-conformity with the Act, whose continued breach will attract a fine of Sh500, 000 or imprisonment for 2 years, or both. In essence, the office of the data commissioner will be crucial, as enforcement of the Act will hinge greatly on the effective performance of its functions.

Further there are strong obligations placed on data controllers and processors requiring them to abide by principles of meaningful user consent, collection limitation, purpose limitation, data minimization, and data security; robust protections for data subjects with the rights to rectification, erasure of inaccurate data, objection to processing of their data, as well as the right to access and to be informed of the use of their data, providing users with control over their personal data and online experiences. The Act provides for the liability of data controllers for the conduct of third parties they share information with. Just as mobile money operators bear some responsibility for the conduct of their agents, data controllers now have to properly vet and monitor the conduct of third parties they share customer information with. The risk that allows for third parties to access data subjects’ information without properly informing the data subject has also been eliminated.

In the fast changing age of data analytics, the Act acknowledges the central place of minors and the need for doctor-patient data confidentiality in the health sector. Here, persons processing personal data of children will be required to incorporate appropriate mechanisms for age verification and consent. This provision may call for the review of data collection structures of organizations dealing with minors such as schools and pediatric hospitals to ensure compliance. With regard to health, data must be collected and processed under the responsibility of a health care provider subject to the obligation of professional secrecy, thus maintaining the prescribed confidentiality. 

This Act comes at a pivotal time with Kenya’s rapid digitization and increased mobile technology penetration. With government services such as registration of births and registration of persons now online thus accelerating the collection and analysis of personal data, the presence of a comprehensive data protection law will serve to protect Kenyan citizens against the risks of misuse of their data. 

The Act provides a leeway for data controllers to appoint data protection officers whose functions will include advising data controllers and data processors on the compliance with the Act. Although the appointment is not couched in mandatory terms, such an appointment is advisable to businesses as it will continuously ensure the continued maintenance, and implementation of policy safeguards for quality data protection (the data protection officers will serve as in-house compliance officers)

This proposed law is a welcome opportunity for the government to develop a model data protection framework that upholds individual privacy and safeguards online data of generations of Kenyans including those yet to come. Kenya’s data protection legislation has to a large extent been influenced by the European Union’s General Data Protection Regulations (GDPR), with Kenya striving to be the first country in Africa to receive an “adequacy” determination from the European Commission, a certification that a country has strong privacy laws, and which allows Europeans’ data to be processed in that country and for companies in that jurisdiction to penetrate the European markets. It should be noted that the European Union’s GDPR make it hard for non-compliant countries to trade in Europe as the regulations act in persona and do not depend with a person’s area of domicile, meaning, you cannot trade in Europe without the use of GDPR no matter your country of origin. 

Further, this legislation is also an important step towards providing direction on matters data protection in Africa bearing in mind the very weak African Union Convention on Cyber Security and Personal Data Protection. This new legislation will serve as a call to the member states to adopt stronger legal frameworks for data privacy and cyber security and strengthen the existing African convention.

While a strong data protection law must protect the rights of individuals with meaningful consent at its core, it must also have strong obligations placed on data controllers and processors reflecting the significant responsibilities associated with collecting, storing, using, analyzing, and processing user data and provide for effective enforcement by an empowered, independent, and well-resourced data protection authority. All these values are evident in the Kenyan Data Protection Act.

Unfettered power

It cannot be gainsaid that the Act was developed in open public consultations through a series of public participation forums, a crucial pillar of the Kenyan Constitution. The public participation benefited from wide ranging comments from governments, private sector, academia, civil society, and individuals that contributed to enriching a wholesome Act.

However, even with the onset of the Act, a number of red flags cannot be down played. The Act establishes the office of the data commissioner where upon it confers it with unfettered power over development of thresholds for mandatory registration of data controllers. In doing so, the commissioner stands a risk of ignoring the fact that we are legislating for both the formal and informal economy. Leaving this prerogative entirely to the office of the data commissioner for the formulation of these thresholds may be detrimental bearing in mind the critical players in the information sector and the ever-changing data dynamics.

In establishing the office of data commissioner, the Act should have proposed for the commission to be made an independent constitutional commission under Chapter 15 of the Constitution rather than a body corporate, drawing from the veracity of the subject matter of data protection under the current times. 

Be that as it may, it is laudable that the Act provides safeguards to the office of the data commissioner through provisions of structured and independent mode of appointment and removal from office. The appointment of the data commissioner by the President through recommendation by the Public Service Commission and provision of a non-renewable 6-year term in office crystallizes the much needed security of tenure required for the independence and efficiency of the office. 

The appointment of the data commissioner by the President through recommendation by the PSC and provision of a non-renewable 6-year term in office crystallizes security of tenure required for the independence of the office


The Act is seen as having very overreaching exemptions. The threshold for national security as an exemption under section 51 is very broad. This may make it prone to abuse thus hindering its proper application. In the wake of the fight against tax evasion, this exemption maybe utilized to acquire taxation information which is unnecessary and unconstitutional as elaborated in Robert Ayisi v KRA & Another (2008).Thusin creating exceptions, it would have been prudent for the Legislature to be guided by the necessary and proportionate principles on the application of human rights. 

There is need to create adequate time for the implementation and creation of awareness of the new law. This will provide ample time for the setting up of the office of data commissioner, capacity building and post promulgation awareness. The commencement date of November 25 2019, 21 days after its promulgation is a very short period in the case of an Act of such nobility. 

In the same stride, the Act does not provide for the separation of product acquisition and consent to data sharing with third parties. Blanket provisions allowing data collectors to share consumers’ information with unnamed third parties are often buried in product terms and conditions we often don’t read. Consent to data sharing should not be a requirement of using a product or service. This can be remedied by the restructuring of these terms and conditions in a manner that would make it easier for the consumers to understand so as to prevent cases of alleged “implied duress” in acquisition of consent. This is one area that should be heavily scrutinized. In the wake of this Act, many prior agreements on data will have to be amended to reflect the new changes and the law and thus heavy public education should be conducted on this.

Drawing from the above opinion, the data protection Act could benefit from a substantial revision to better reflect the objectives of giving consumers greater access and control to their digital lives. 

It is worthy commending the Government and Legislature for this thoughtful and thorough regulatory framework. There is however a great need for its reconciliation with other statues, which may contain provisions that threaten the good intentions of this Act. 

It is no doubt that with the enactment of this legislation, Kenya is emerging as a leader in the digital economy and will serve as a positive example to the many other African governments are currently considering data protection frameworks.   

Sign Up