Following a seven-year, windy journey, on 8 November 2019, Kenya got a data protection law. The Data Protection Act, 2019 has various positive elements and can go a long way in addressing the live issues in protecting the privacy of data in Kenya.
The law came at a time of widespread concern about privacy in the country, including the fragmented oversight over privacy and data protection; increased mass data collection programmes by the government; enhanced state surveillance capacity; rampant privacy breaches including by business entities; limited dispute resolution mechanisms and the deficiency of remedies in case of breach of privacy.
The new law provides a comprehensive framework to regulate the processing of personal data and the protection of individuals’ privacy. It consolidates the law on privacy in the country and articulates several principles of personal data protection, as the minimum standard which all data controllers or processors must abide by.
Further, the Act provides for autonomy of the data subject over their data. It defines what constitutes consent, and makes the requirement of consent mandatory. This potentially addresses situations where personal data is collected arbitrarily and without the explicit consent of users. The law also prohibits the use of personal data for commercial purposes without the consent of the data subject. It places the burden of proof for establishing a data subject’s consent on the data controller or processor, while allowing the subject to withdraw consent at any time.
Also key is that the Data Protection Act, 2019 amends other legislation that has an impact on privacy, meaning that institutions responsible for handling the registration of individuals at birth and death, issuance of national identity cards and passports, Huduma Namba registration, registration of students at all levels, and the registration of telecommunication services consumers, will need to review their current policies, practices and procedures to ensure compliance with the principles in the Act.
The law establishes an independent office of the Data Protection Commissioner. Hitherto, the lack of an oversight body and the fragmented oversight over privacy in the country meant that every institution collecting personal data “owned” and used such data as they wished.
However, whereas the Act holds much promise for improved personal data governance in Kenya, state agencies, including the communications regulator, as well private actors and civil society, all have a role to play in its implementation.
This brief recounts Kenya’s journey and efforts to develop a data protection law. It also provides an overview of the implications of the new law to the protection of privacy and data rights in the East African country.