Kenya

In 2019 Kenyan lawmakers passed the Kenya Data Protection Act, a robust legal framework that sought to modernize the countries legislation around the use of personal data. Other related laws include the Data Protection Policy (2019), ICT Policy (2019) and a handful of older legislation governing information, communications, and cybercrimes. Despite the country’s relative success in passing data protection legislation, oversight and enforcement remain weak, and a lack of funding and awareness have hindered implementation.

To learn more about data protection topics and programming in Kenya, take a look at the Bolivia resource page here, or browse resources via specific categories below

Kenya Resources

Unseen Eyes, Unheard Stories: Surveillance, data protection, and freedom of expression in Kenya and Uganda during COVID-19

Tags - Advocacy, Legal Framework, Systems of Data Collection
Kenya
English

KICTANet, 2021

This report by ARTICLE 19 Eastern Africa, the Kenya ICT Action Network (KICTANet), and Pollicy reviews the national legal frameworks and practices that have enabled an extraordinary surveillance environment during the first year of the coronavirus pandemic in Kenya and Uganda. It documents and raises awareness about government and private sector surveillance measures and practices in both countries during this period and their human rights implications.

The role of Kenyan intermediaries in upholding privacy

Tags - Country Context
Kenya
English

KICTANet, 2019

In this report, the Internet intermediaries were ranked based on the comprehensiveness of their policies with respect to digital rights. The Kenyan version of a similar initiative “Who has your back?” from EFF.

Snapshot: Analysis of the Data Protection Act 2019

Tags - Best Practices, Data Protection Laws
Kenya
English

Bowmans Law, 2019

The article presents the main changes that bring the Data Protection Act and explains in detail what the impact these changes will represent, in terms of new responsibilities. It also presents recommendations for improvement and better compliance with the law.

Implementing Huduma Namba: Challenges and Prospects

Tags - Country Context, Legal Framework, Systems of Data Collection
Kenya
English

KICTANet, 2020

This study provides the legal and historical context of Kenya’s national identity management system. It also examines the transition to a digital system, through the Huduma Namba project, and its human rights impact and concerns.These concerns include: the adequacy of public participation, adequacy of data protection, exclusion from access to socio-economic rights and discrimination of existing minority groups. In addition, the study highlights three countries with experience of using digital identity systems as case studies. Finally, the study provides key recommendations to stakeholders.

Looking to understand existing case law to guide advocacy and strategic litigation?
Interested to learn more about the status of data protection in Kenya?
Click below for more resources to inform advocacy, community building, enforcement, and other topics in support of rights-respecting data protections.
What does the legal landscape look like in Kenya?

The following snapshot is intended to help identify and understand the various factors impacting the passage of rights-respecting data protection legal frameworks. This includes the roadblocks to establishing a dedicated law, the key issues being considered within the data privacy conversation, the political circumstances under which these developments take place, and the ongoing advocacy practices that aim to support data privacy regulations.

Exclusive Statute/Bill/Draft

Kenya passed its Data Protection Act and Data Protection Policy in November 2019.

Features of Statute

The Act  gives effect to the Right to Privacy enshrined under Article 31(c) and (d) of the Kenyan Constitution. It allows for the  establishment of the Office of the Data Protection Commissioner, lays down rules for the processing of personal data and defines the rights of data subjects and obligations of data controllers and processors.

Related and Sector-Specific Laws

There exists a constitutional right to privacy and data protection as a fundamental freedom under the Kenyan Bill of Rights. This happened after the Constitution of Kenya, 2010 came into force. Other laws that have thematically relevant ancillary reference to privacy and/or data protection include:

 

Access to Information Act, 2016

Banking Act

The Kenya Information and Communications Act, 2013

The HIV and AIDS Prevention and Control Act, 2006

The Health Act, 2017

The Health Records and Information Managers Act, 2016

The Banking Act, 2012

The Election Offences Act, 2016

The Children Act, 2001

National Payment and Systems Act, 2011

The Registration of Persons Act, 2012

Kenya Information and Communications (Registration of SIM-card Regulations), 2015,

 

The Central Bank of Kenya (Amendment) Bill, 2021, which seeks to regulate mobile money lending in Kenya, is currently pending in Parliament.

The proposed Huduma Bill, 2019 aims to formalise the operation and running of the National Integrated Information Management System, a digital identity system popularly known as the ‘Huduma Namba.’ It was introduced in Kenya through a substantive amendment of The Registration of Persons Act in 2019.

Features of Enforcement 

The Office of the Data Protection Commissioner (ODPC) has developed general principles, a service charter, and a draft Strategic Plan for the year 2021-2023,  a complaints manual to assist data processors and controllers, guidance notes on consent and impact assessment, a guidance note on how to conduct a Data Protection Impact Assessment, and guidance notes for Electoral Purposes

Composition and oversight of the regulatory body

Ms. Immaculate Kassait, MBS was appointed the first Data Protection Commissioner on 12th November 2020 following a competitive recruitment process by the Public Service Commission (PSC) and vetting by the National Assembly. It is a single-Commissioner independent office with six-year non-renewable tenure.

The Kenya Information and Communications Act, 1998 provides that the Minister in consultation with the Commission may make regulations with respect to the privacy of telecommunication. The Communications Authority of Kenya is a crucial institution in the regulation of privacy and human rights protections in the electronic communications environment. The composition of the Board has been the subject of legal scrutiny in recent years. This may affect the discharge of its functions in 2021 and beyond.

Related Draft Legislations

There are currently three sets of Draft regulations under consideration for enactment through the ODPC:

  1. Data Protection (General) Regulations, 2021.
  2. Data Protection (Compliance And Enforcement), Regulations, 2021.
  3. Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021

 

The impact of these regulations on human rights and on the general public will be a main point of focus in the coming months. The registration of data controllers and processors is a greenfield operation in Kenya. A lot of sensitization will need to be carried out. The proof of the legislation’s impact will be borne out on enforcement when breaches occur, as they will.

Another set of pending draft bills formulated by the Ministry of Interior & Coordination for National Government include:

  1. Draft Data Protection (Civil Registration) Regulations, 2020,
  2. Draft Registration of Persons (National Integrated Identity Management System) Rules, 2020
  3. Draft Huduma Namba Bill, (2019)

Exclusive Statute/Bill/Draft

Kenya passed its Data Protection Act and Data Protection Policy in November 2019.

Features of Statute

The Act  gives effect to the Right to Privacy enshrined under Article 31(c) and (d) of the Kenyan Constitution. It allows for the  establishment of the Office of the Data Protection Commissioner, lays down rules for the processing of personal data and defines the rights of data subjects and obligations of data controllers and processors.

Related and Sector-Specific Laws

There exists a constitutional right to privacy and data protection as a fundamental freedom under the Kenyan Bill of Rights. This happened after the Constitution of Kenya, 2010 came into force. Other laws that have thematically relevant ancillary reference to privacy and/or data protection include:

 

Access to Information Act, 2016

Banking Act

The Kenya Information and Communications Act, 2013

The HIV and AIDS Prevention and Control Act, 2006

The Health Act, 2017

The Health Records and Information Managers Act, 2016

The Banking Act, 2012

The Election Offences Act, 2016

The Children Act, 2001

National Payment and Systems Act, 2011

The Registration of Persons Act, 2012

Kenya Information and Communications (Registration of SIM-card Regulations), 2015,

 

The Central Bank of Kenya (Amendment) Bill, 2021, which seeks to regulate mobile money lending in Kenya, is currently pending in Parliament.

The proposed Huduma Bill, 2019 aims to formalise the operation and running of the National Integrated Information Management System, a digital identity system popularly known as the ‘Huduma Namba.’ It was introduced in Kenya through a substantive amendment of The Registration of Persons Act in 2019.

Features of Enforcement 

The Office of the Data Protection Commissioner (ODPC) has developed general principles, a service charter, and a draft Strategic Plan for the year 2021-2023,  a complaints manual to assist data processors and controllers, guidance notes on consent and impact assessment, a guidance note on how to conduct a Data Protection Impact Assessment, and guidance notes for Electoral Purposes

Composition and oversight of the regulatory body

Ms. Immaculate Kassait, MBS was appointed the first Data Protection Commissioner on 12th November 2020 following a competitive recruitment process by the Public Service Commission (PSC) and vetting by the National Assembly. It is a single-Commissioner independent office with six-year non-renewable tenure.

The Kenya Information and Communications Act, 1998 provides that the Minister in consultation with the Commission may make regulations with respect to the privacy of telecommunication. The Communications Authority of Kenya is a crucial institution in the regulation of privacy and human rights protections in the electronic communications environment. The composition of the Board has been the subject of legal scrutiny in recent years. This may affect the discharge of its functions in 2021 and beyond.

Related Draft Legislations

There are currently three sets of Draft regulations under consideration for enactment through the ODPC:

  1. Data Protection (General) Regulations, 2021.
  2. Data Protection (Compliance And Enforcement), Regulations, 2021.
  3. Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021

 

The impact of these regulations on human rights and on the general public will be a main point of focus in the coming months. The registration of data controllers and processors is a greenfield operation in Kenya. A lot of sensitization will need to be carried out. The proof of the legislation’s impact will be borne out on enforcement when breaches occur, as they will.

Another set of pending draft bills formulated by the Ministry of Interior & Coordination for National Government include:

  1. Draft Data Protection (Civil Registration) Regulations, 2020,
  2. Draft Registration of Persons (National Integrated Identity Management System) Rules, 2020
  3. Draft Huduma Namba Bill, (2019)

The ODPC relies heavily on the executive through the Cabinet Secretary, who for the time being is in charge of data protection.

The government launched and is in the process of implementing the Huduma Namba Digital ID programme, which had been challenged in court due to privacy concerns over the collection of biometric data. With the upcoming elections in August 2022, the election management body will collect and process biometric data of almost 20 million voters, which has implications for the protection of the right to privacy.

The government launched and is in the process of implementing the Huduma Namba Digital ID programme, which had been challenged in court due to privacy concerns over the collection of biometric data. With the upcoming elections in August 2022, the election management body will collect and process biometric data of almost 20 million voters, which has implications for the protection of the right to privacy.

There is currently a low level of advocacy with few organizations involved in policy advocacy on data. Public awareness of data privacy and privacy rights remains low, and there are no known surveys that have been done. Research in the area is also limited.

Goals

Current advocacy is focused on increasing general awareness of individuals and organizations on privacy and data protection. This includes implications of surveillance measures, including for security and medical purposes. Advocates also aim to help the ODPC discharge its mandate with relevant research on emerging trends in privacy and data protection.

Challenges

There are budgetary limitations to undertake key activities in advocacy for data protection measures. There is an unwillingness to be engaged among stakeholders and a reluctance to act among politicians, adding to the difficulties.

Hear from KICTANet

ADAPT’s partner KICTANet has been conducting advocacy promoting data privacy in the country since early 2021. Check out their blogs and podcasts that showcase some of the core elements of their work and the issues that they prioritize.

Kenya Podcasts

EPISODE 3

Pushing Towards Data Protection: An Advocate’s Guide by Privacy is Global

Kenya Blog Posts

5 minutes /
The past few weeks have been abuzz with public outcry over the call to update SIM registration details for all sim card owners by the Communications Authority of Kenya (CAK). The move has been touted as a step towards improving national security by establishing a comprehensive registry of sim cards and their owners. It is the third such attempt by...
Meshack Masibo

Meshack Masibo

12 minutes /
The fourth workshop of the Data Privacy Learning Series took place on March 10th, 2022, and discussed regional coordination among civil society organizations in the Global South to advance data protection. The discussion departed from concrete cases and built on some of the points made in previous workshops, especially regarding advocacy strategies and campaigns carried out by ADAPT partners which...
Data Privacy Brazil

Data Privacy Brazil

15 Minutes /
The election period in Kenya has always been a high stakes and tense atmosphere. Equally, the uptake of technology and the arising issues of data storage, accessibility and transparency have also grown increasingly controversial in recent years. When the two concepts react together it often leads to an explosive mixture of high-octane politics, immersive litigation and even invalidation of the...
Meshack Masibo

Meshack Masibo

10 minutes /
The third workshop of the Data Privacy Learning Series took place on February 1st, 2022, and discussed the challenges in creating and maintaining independent data protection authorities in the ADAPT partner countries, some having passed comprehensive data protection legislation and others currently discussing it. The choice of subject for the workshop was validated by talks conducted with the partners prior...
Data Privacy Brazil

Data Privacy Brazil