In 2019 Kenyan lawmakers passed the Kenya Data Protection Act, a robust legal framework that sought to modernize the country’s legislation around the use of personal data. Other related laws include the Data Protection Policy (2019), ICT Policy (2019) and a handful of older laws governing information, communications, and cybercrimes. Despite the country’s relative success in passing data protection legislation, oversight and enforcement remain weak, and a lack of funding and awareness has hindered implementation.
KICTANet, 2021
This report by ARTICLE 19 Eastern Africa, the Kenya ICT Action Network (KICTANet), and Pollicy reviews the national legal frameworks and practices that have enabled an extraordinary surveillance environment during the first year of the coronavirus pandemic in Kenya and Uganda. It documents and raises awareness about government and private sector surveillance measures and practices in both countries during this period and their human rights implications.
KICTANet, 2019
In this report, the Internet intermediaries were ranked based on the comprehensiveness of their policies with respect to digital rights. It is the Kenyan version of “Who has your back?”, a similar initiative from EFF.
Bowmans Law, 2019
The article presents the main changes that the Data Protection Act brings and explains in detail the impact these changes will have in terms of new responsibilities. It also presents recommendations for improvement and better compliance with the law.
KICTANet, 2020
This study provides the legal and historical context of Kenya’s national identity management system. It also examines the transition to a digital system, through the Huduma Namba project, and its human rights impact and concerns. These concerns include: the adequacy of public participation, adequacy of data protection, exclusion from access to socio-economic rights and discrimination against existing minority groups. In addition, the study highlights three countries with experience of using digital identity systems as case studies. Finally, the study provides key recommendations to stakeholders.
The following snapshot is intended to help identify and understand the various factors impacting the passage of rights-respecting data protection legal frameworks. This includes the roadblocks to establishing a dedicated law, the key issues being considered within the data privacy conversation, the political circumstances under which these developments take place, and the ongoing advocacy practices that aim to support data privacy regulations.
Exclusive Statute/Bill/Draft
Kenya passed its Data Protection Act and Data Protection Policy in November 2019.
Features of Statute
The Act gives effect to the Right to Privacy enshrined under Article 31(c) and (d) of the Kenyan Constitution. It allows for the establishment of the Office of the Data Protection Commissioner, lays down rules for the processing of personal data and defines the rights of data subjects and obligations of data controllers and processors.
Related and Sector-Specific Laws
There exists a constitutional right to privacy and data protection as a fundamental freedom under the Kenyan Bill of Rights. This happened after the Constitution of Kenya, 2010 came into force. Other laws that have thematically relevant ancillary reference to privacy and/or data protection include:
Access to Information Act, 2016
Banking Act
The Kenya Information and Communications Act, 2013
The HIV and AIDS Prevention and Control Act, 2006
The Health Act, 2017
The Health Records and Information Managers Act, 2016
The Banking Act, 2012
The Election Offences Act, 2016
The Children Act, 2001
National Payment and Systems Act, 2011
The Registration of Persons Act, 2012
Kenya Information and Communications (Registration of SIM-card Regulations), 2015
The Central Bank of Kenya (Amendment) Bill, 2021, which seeks to regulate mobile money lending in Kenya, is currently pending in Parliament.
The proposed Huduma Bill, 2019 aims to formalise the operation and running of the National Integrated Information Management System, a digital identity system popularly known as the ‘Huduma Namba.’ It was introduced in Kenya through a substantive amendment of The Registration of Persons Act in 2019.
Features of Enforcement
The Office of the Data Protection Commissioner (ODPC) has developed general principles, a service charter, a draft Strategic Plan for the year 2021-2023, a complaints manual to assist data processors and controllers, guidance notes on consent and impact assessment, a guidance note on how to conduct a Data Protection Impact Assessment, and guidance notes for Electoral Purposes.
Composition and oversight of the regulatory body
Ms. Immaculate Kassait, MBS was appointed the first Data Protection Commissioner on 12th November 2020 following a competitive recruitment process by the Public Service Commission (PSC) and vetting by the National Assembly. It is a single-Commissioner independent office with a six-year non-renewable tenure.
The Kenya Information and Communications Act, 1998 provides that the Minister in consultation with the Commission may make regulations with respect to the privacy of telecommunication. The Communications Authority of Kenya is a crucial institution in the regulation of privacy and human rights protections in the electronic communications environment. The composition of the Board has been the subject of legal scrutiny in recent years. This may affect the discharge of its functions in 2021 and beyond.
Related Draft Legislation
There are currently three sets of Draft regulations under consideration for enactment through the ODPC:
The impact of these regulations on human rights and on the general public will be a main point of focus in the coming months. The registration of data controllers and processors is a greenfield operation in Kenya. A lot of sensitization will need to be carried out. The proof of the legislation’s impact will be borne out on enforcement when breaches occur, as they will.
Another set of pending draft bills formulated by the Ministry of Interior & Coordination for National Government includes:
The ODPC relies heavily on the executive through the Cabinet Secretary, who for the time being is in charge of data protection.
The government launched and is in the process of implementing the Huduma Namba Digital ID programme, which had been challenged in court due to privacy concerns over the collection of biometric data. With the upcoming elections in August 2022, the election management body will collect and process biometric data of almost 20 million voters, which has implications for the protection of the right to privacy.
The upcoming general elections in 2022 mean that there will be reduced legislative activity in Parliament, leading to a temporary lull in action.
Nonetheless, there has been political will to develop privacy and data protection policy and legislation since 2018, as evidenced by the passage of the Data Protection Act and Policy 2019, and the various regulations and guidelines enacted thereafter. The ODPC has also been established and is operational.
There is currently a low level of advocacy with few organizations involved in policy advocacy on data. Public awareness of data privacy and privacy rights remains low, and there are no known surveys that have been done. Research in the area is also limited.
Goals
Current advocacy is focused on increasing general awareness of individuals and organizations on privacy and data protection. This includes implications of surveillance measures, including for security and medical purposes. Advocates also aim to help the ODPC discharge its mandate with relevant research on emerging trends in privacy and data protection.
Challenges
There are budgetary limitations on undertaking key activities in advocacy for data protection measures. An unwillingness among stakeholders to be engaged and a reluctance among politicians to act add to the difficulties.
ADAPT’s partner KICTANet has been conducting advocacy promoting data privacy in the country since early 2021. Check out their blogs and podcasts that showcase some of the core elements of their work and the issues that they prioritize.