Kenya

In 2019 Kenyan lawmakers passed the Kenya Data Protection Act, a robust legal framework that sought to modernize the countries legislation around the use of personal data. Other related laws include the Data Protection Policy (2019), ICT Policy (2019) and a handful of older legislation governing information, communications, and cybercrimes. Despite the country’s relative success in passing data protection legislation, oversight and enforcement remain weak, and a lack of funding and awareness have hindered implementation.

To learn more about data protection topics and programming in Kenya, take a look at the Bolivia resource page here, or browse resources via specific categories below

Kenya Resources

Unseen Eyes, Unheard Stories: Surveillance, data protection, and freedom of expression in Kenya and Uganda during COVID-19

Tags - Advocacy, Legal Framework, Systems of Data Collection
Kenya
English

KICTANet, 2021

This report by ARTICLE 19 Eastern Africa, the Kenya ICT Action Network (KICTANet), and Pollicy reviews the national legal frameworks and practices that have enabled an extraordinary surveillance environment during the first year of the coronavirus pandemic in Kenya and Uganda. It documents and raises awareness about government and private sector surveillance measures and practices in both countries during this period and their human rights implications.

The role of Kenyan intermediaries in upholding privacy

Tags - Country Context
Kenya
English

KICTANet, 2019

In this report, the Internet intermediaries were ranked based on the comprehensiveness of their policies with respect to digital rights. The Kenyan version of a similar initiative “Who has your back?” from EFF.

Snapshot: Analysis of the Data Protection Act 2019

Tags - Best Practices, Data Protection Laws
Kenya
English

Bowmans Law, 2019

The article presents the main changes that bring the Data Protection Act and explains in detail what the impact these changes will represent, in terms of new responsibilities. It also presents recommendations for improvement and better compliance with the law.

Implementing Huduma Namba: Challenges and Prospects

Tags - Country Context, Legal Framework, Systems of Data Collection
Kenya
English

KICTANet, 2020

This study provides the legal and historical context of Kenya’s national identity management system. It also examines the transition to a digital system, through the Huduma Namba project, and its human rights impact and concerns.These concerns include: the adequacy of public participation, adequacy of data protection, exclusion from access to socio-economic rights and discrimination of existing minority groups. In addition, the study highlights three countries with experience of using digital identity systems as case studies. Finally, the study provides key recommendations to stakeholders.

Looking to understand existing case law to guide advocacy and strategic litigation?
Interested to learn more about the status of data protection in Kenya?
Click below for more resources to inform advocacy, community building, enforcement, and other topics in support of rights-respecting data protections.
What does the legal landscape look like in Kenya?

The following snapshot is intended to help identify and understand the various factors impacting the passage of rights-respecting data protection legal frameworks. This includes the roadblocks to establishing a dedicated law, the key issues being considered within the data privacy conversation, the political circumstances under which these developments take place, and the ongoing advocacy practices that aim to support data privacy regulations.

Exclusive Statute/Bill/Draft

Kenya passed its Data Protection Act and Data Protection Policy in November 2019.

Features of Statute

The Act  gives effect to the Right to Privacy enshrined under Article 31(c) and (d) of the Kenyan Constitution. It allows for the  establishment of the Office of the Data Protection Commissioner, lays down rules for the processing of personal data and defines the rights of data subjects and obligations of data controllers and processors.

Related and Sector-Specific Laws

There exists a constitutional right to privacy and data protection as a fundamental freedom under the Kenyan Bill of Rights. This happened after the Constitution of Kenya, 2010 came into force. Other laws that have thematically relevant ancillary reference to privacy and/or data protection include:

 

Access to Information Act, 2016

Banking Act

The Kenya Information and Communications Act, 2013

The HIV and AIDS Prevention and Control Act, 2006

The Health Act, 2017

The Health Records and Information Managers Act, 2016

The Banking Act, 2012

The Election Offences Act, 2016

The Children Act, 2001

National Payment and Systems Act, 2011

The Registration of Persons Act, 2012

Kenya Information and Communications (Registration of SIM-card Regulations), 2015,

 

The Central Bank of Kenya (Amendment) Bill, 2021, which seeks to regulate mobile money lending in Kenya, is currently pending in Parliament.

The proposed Huduma Bill, 2019 aims to formalise the operation and running of the National Integrated Information Management System, a digital identity system popularly known as the ‘Huduma Namba.’ It was introduced in Kenya through a substantive amendment of The Registration of Persons Act in 2019.

Features of Enforcement 

The Office of the Data Protection Commissioner (ODPC) has developed general principles, a service charter, and a draft Strategic Plan for the year 2021-2023,  a complaints manual to assist data processors and controllers, guidance notes on consent and impact assessment, a guidance note on how to conduct a Data Protection Impact Assessment, and guidance notes for Electoral Purposes

Composition and oversight of the regulatory body

Ms. Immaculate Kassait, MBS was appointed the first Data Protection Commissioner on 12th November 2020 following a competitive recruitment process by the Public Service Commission (PSC) and vetting by the National Assembly. It is a single-Commissioner independent office with six-year non-renewable tenure.

The Kenya Information and Communications Act, 1998 provides that the Minister in consultation with the Commission may make regulations with respect to the privacy of telecommunication. The Communications Authority of Kenya is a crucial institution in the regulation of privacy and human rights protections in the electronic communications environment. The composition of the Board has been the subject of legal scrutiny in recent years. This may affect the discharge of its functions in 2021 and beyond.

Related Draft Legislations

There are currently three sets of Draft regulations under consideration for enactment through the ODPC:

  1. Data Protection (General) Regulations, 2021.
  2. Data Protection (Compliance And Enforcement), Regulations, 2021.
  3. Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021

 

The impact of these regulations on human rights and on the general public will be a main point of focus in the coming months. The registration of data controllers and processors is a greenfield operation in Kenya. A lot of sensitization will need to be carried out. The proof of the legislation’s impact will be borne out on enforcement when breaches occur, as they will.

Another set of pending draft bills formulated by the Ministry of Interior & Coordination for National Government include:

  1. Draft Data Protection (Civil Registration) Regulations, 2020,
  2. Draft Registration of Persons (National Integrated Identity Management System) Rules, 2020
  3. Draft Huduma Namba Bill, (2019)

Exclusive Statute/Bill/Draft

Kenya passed its Data Protection Act and Data Protection Policy in November 2019.

Features of Statute

The Act  gives effect to the Right to Privacy enshrined under Article 31(c) and (d) of the Kenyan Constitution. It allows for the  establishment of the Office of the Data Protection Commissioner, lays down rules for the processing of personal data and defines the rights of data subjects and obligations of data controllers and processors.

Related and Sector-Specific Laws

There exists a constitutional right to privacy and data protection as a fundamental freedom under the Kenyan Bill of Rights. This happened after the Constitution of Kenya, 2010 came into force. Other laws that have thematically relevant ancillary reference to privacy and/or data protection include:

 

Access to Information Act, 2016

Banking Act

The Kenya Information and Communications Act, 2013

The HIV and AIDS Prevention and Control Act, 2006

The Health Act, 2017

The Health Records and Information Managers Act, 2016

The Banking Act, 2012

The Election Offences Act, 2016

The Children Act, 2001

National Payment and Systems Act, 2011

The Registration of Persons Act, 2012

Kenya Information and Communications (Registration of SIM-card Regulations), 2015,

 

The Central Bank of Kenya (Amendment) Bill, 2021, which seeks to regulate mobile money lending in Kenya, is currently pending in Parliament.

The proposed Huduma Bill, 2019 aims to formalise the operation and running of the National Integrated Information Management System, a digital identity system popularly known as the ‘Huduma Namba.’ It was introduced in Kenya through a substantive amendment of The Registration of Persons Act in 2019.

Features of Enforcement 

The Office of the Data Protection Commissioner (ODPC) has developed general principles, a service charter, and a draft Strategic Plan for the year 2021-2023,  a complaints manual to assist data processors and controllers, guidance notes on consent and impact assessment, a guidance note on how to conduct a Data Protection Impact Assessment, and guidance notes for Electoral Purposes

Composition and oversight of the regulatory body

Ms. Immaculate Kassait, MBS was appointed the first Data Protection Commissioner on 12th November 2020 following a competitive recruitment process by the Public Service Commission (PSC) and vetting by the National Assembly. It is a single-Commissioner independent office with six-year non-renewable tenure.

The Kenya Information and Communications Act, 1998 provides that the Minister in consultation with the Commission may make regulations with respect to the privacy of telecommunication. The Communications Authority of Kenya is a crucial institution in the regulation of privacy and human rights protections in the electronic communications environment. The composition of the Board has been the subject of legal scrutiny in recent years. This may affect the discharge of its functions in 2021 and beyond.

Related Draft Legislations

There are currently three sets of Draft regulations under consideration for enactment through the ODPC:

  1. Data Protection (General) Regulations, 2021.
  2. Data Protection (Compliance And Enforcement), Regulations, 2021.
  3. Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021

 

The impact of these regulations on human rights and on the general public will be a main point of focus in the coming months. The registration of data controllers and processors is a greenfield operation in Kenya. A lot of sensitization will need to be carried out. The proof of the legislation’s impact will be borne out on enforcement when breaches occur, as they will.

Another set of pending draft bills formulated by the Ministry of Interior & Coordination for National Government include:

  1. Draft Data Protection (Civil Registration) Regulations, 2020,
  2. Draft Registration of Persons (National Integrated Identity Management System) Rules, 2020
  3. Draft Huduma Namba Bill, (2019)

The ODPC relies heavily on the executive through the Cabinet Secretary, who for the time being is in charge of data protection.

The government launched and is in the process of implementing the Huduma Namba Digital ID programme, which had been challenged in court due to privacy concerns over the collection of biometric data. With the upcoming elections in August 2022, the election management body will collect and process biometric data of almost 20 million voters, which has implications for the protection of the right to privacy.

The government launched and is in the process of implementing the Huduma Namba Digital ID programme, which had been challenged in court due to privacy concerns over the collection of biometric data. With the upcoming elections in August 2022, the election management body will collect and process biometric data of almost 20 million voters, which has implications for the protection of the right to privacy.

There is currently a low level of advocacy with few organizations involved in policy advocacy on data. Public awareness of data privacy and privacy rights remains low, and there are no known surveys that have been done. Research in the area is also limited.

Goals

Current advocacy is focused on increasing general awareness of individuals and organizations on privacy and data protection. This includes implications of surveillance measures, including for security and medical purposes. Advocates also aim to help the ODPC discharge its mandate with relevant research on emerging trends in privacy and data protection.

Challenges

There are budgetary limitations to undertake key activities in advocacy for data protection measures. There is an unwillingness to be engaged among stakeholders and a reluctance to act among politicians, adding to the difficulties.

Hear from KICTANet

ADAPT’s partner KICTANet has been conducting advocacy promoting data privacy in the country since early 2021. Check out their blogs and podcasts that showcase some of the core elements of their work and the issues that they prioritize.

Kenya Podcasts

EPISODE 8

The History of Data & Elections in Kenya: The New Data Protection Act & the Challenges Ahead

EPISODE 3

Pushing Towards Data Protection: An Advocate’s Guide by Privacy is Global

Kenya Blog Posts

5 minutes /
In 2019, the Data Protection Act was enacted into law after over a decade of efforts to bring it to life. It is the operative legislation that governs how personal data is protected in Kenya. It is also backed up by three sets of regulations passed into law in 2021. The Act also established the Office of the Data Protection...
Meshack Masibo

Meshack Masibo

25 minutes /
This report is one of three reports funded through the ADAPT project that explore how data is used and abused by governments and non-state actors alike, and how users can better advocate for their privacy. How does one build resistance to datafication with those already at the front lines of fighting gender inequality? The report, based on research conducted by...
Chenai Chair

Chenai Chair

30 minutes /
Available in English, Portuguese, and Spanish (see links below) Since 2018, over sixty countries around the world have enacted or proposed new data protection laws, with those numbers steadily increasing each year. Data protection regulatory bodies and agencies are entrusted with massive responsibilities to enforce these newly passed laws across all sectors of society- often while significantly under-resourced with small...
ADAPT

ADAPT

20 minutes /
These two separate reports are part of a series funded through the ADAPT project that explore how data is used and abused by governments and non-state actors alike, and how users can better advocate for their privacy. Both reports are based on extensive research conducted by Seyram Avle, an Assistant Professor of Global Digital Media at the University of Massachusetts,...
Seyram Avle

Seyram Avle