This page offers a high-level overview of the data protection landscape in Kenya, including any relevant laws, the challenges in implementing those laws, political willingness, and ongoing advocacy efforts.
Kenya passed its Data Protection Act and Data Protection Policy in November 2019.
Features of Statute
The Act gives effect to the Right to Privacy enshrined under Article 31(c) and (d) of the Kenyan Constitution. It allows for the establishment of the Office of the Data Protection Commissioner, lays down rules for the processing of personal data and defines the rights of data subjects and obligations of data controllers and processors.
Related and Sector-Specific Laws
The Kenyan Bill of Rights recognises a constitutional right to privacy and data protection as a fundamental freedom. This has been the case since the Constitution of Kenya, 2010 came into force. Other laws that make thematically relevant ancillary reference to privacy and/or data protection include:
Access to Information Act, 2016
The Kenya Information and Communications Act, 2013
The HIV and AIDS Prevention and Control Act, 2006
The Health Act, 2017
The Health Records and Information Managers Act, 2016
The Banking Act, 2012
The Election Offences Act, 2016
The Children Act, 2001
National Payment and Systems Act, 2011
The Registration of Persons Act, 2012
Kenya Information and Communications (Registration of SIM-card Regulations), 2015
The Central Bank of Kenya (Amendment) Bill, 2021, which seeks to regulate mobile money lending in Kenya, is currently pending in Parliament.
The proposed Huduma Bill, 2019 aims to formalise the operation and running of the National Integrated Information Management System, a digital identity system popularly known as the ‘Huduma Namba.’ The system was introduced in Kenya through a substantive amendment of The Registration of Persons Act in 2019.
Features of Enforcement
The Office of the Data Protection Commissioner (ODPC) has developed general principles, a service charter, a draft Strategic Plan for 2021-2023, a complaints manual to assist data processors and controllers, guidance notes on consent and impact assessment, a guidance note on how to conduct a Data Protection Impact Assessment, and guidance notes for electoral purposes.
Composition and oversight of the regulatory body
Ms. Immaculate Kassait, MBS was appointed the first Data Protection Commissioner on 12th November 2020 following a competitive recruitment process by the Public Service Commission (PSC) and vetting by the National Assembly. The ODPC is a single-Commissioner independent office with a six-year, non-renewable tenure.
The Kenya Information and Communications Act, 1998 provides that the Minister in consultation with the Commission may make regulations with respect to the privacy of telecommunication. The Communications Authority of Kenya is a crucial institution in the regulation of privacy and human rights protections in the electronic communications environment. The composition of the Board has been the subject of legal scrutiny in recent years. This may affect the discharge of its functions in 2021 and beyond.
Related Draft Legislation
There are currently three sets of Draft regulations under consideration for enactment through the ODPC:
The impact of these regulations on human rights and on the general public will be a main point of focus in the coming months. The registration of data controllers and processors is a greenfield operation in Kenya. A lot of sensitization will need to be carried out. The proof of the legislation’s impact will be borne out on enforcement when breaches occur, as they will.
Another set of pending draft bills formulated by the Ministry of Interior & Coordination for National Government includes:
The ODPC relies heavily on the executive through the Cabinet Secretary, who for the time being is in charge of data protection.
The government launched and is in the process of implementing the Huduma Namba Digital ID programme, which had been challenged in court due to privacy concerns over the collection of biometric data. With the upcoming elections in August 2022, the election management body will collect and process biometric data of almost 20 million voters, which has implications for the protection of the right to privacy.
The upcoming general elections in 2022 mean that there will be reduced legislative activity in Parliament, leading to a temporary lull in action.
Nonetheless, there has been political will to develop privacy and data protection policy and legislation since 2018, as evidenced by the passage of the Data Protection Act and Policy 2019, and the various regulations and guidelines enacted thereafter. The ODPC has also been established and is operational.
There is currently a low level of advocacy, with few organizations involved in policy advocacy on data. Public awareness of data privacy and privacy rights remains low, and no surveys on the subject are known to have been done. Research in the area is also limited.
Current advocacy is focused on increasing general awareness of individuals and organizations on privacy and data protection. This includes implications of surveillance measures, including for security and medical purposes. Advocates also aim to help the ODPC discharge its mandate with relevant research on emerging trends in privacy and data protection.
Budgetary limitations make it difficult to undertake key activities in advocacy for data protection measures. An unwillingness among stakeholders to be engaged and a reluctance among politicians to act add to the difficulties.