Following a seven-year effort to develop a substantive law on data protection, Kenya enacted the Data Protection Act 2019 (the “Act”) on 25 November 2019. Previously, data protection in Kenya was regulated under various sectoral laws and the Constitution, Articles 31(c) and (d) of which guarantee every person the right to privacy over information relating to their family or private affairs and over their communications. The sectoral laws that contained provisions on data protection included the Access to Information Act, the Kenya Information Communications Act, the Banking Act, the Public Health Act and the HIV Aids and Prevention Control Act.
The Act provides a comprehensive legal framework for data protection in Kenya, giving effect to Articles 31 (c) and (d) of the Constitution. It has also amended several existing laws to include provisions on data protection, some of which shall be discussed in greater detail below. Where sectoral laws have not been amended, they continue to apply to the extent they do not conflict with the Constitution or the Act.
Pursuant to section 71 of the Act, Four sets of regulations were gazetted to give effect to the Act:
The Purpose and Objective of the Act
The preamble to the Act describes its purposes as being “to give effect to Articles 31 (c) and (d) of the Constitution, to establish the Office of the Data Protection Commissioner, to make provision for the regulation of the processing of personal data, to provide for the rights of data subjects and obligations of data controllers and data processors and connected purposes.” Additional purposes and objectives of the Act are set out in Section 3 of the Act. They include
The Scope of Application
The Act applies to both the automated and non-automated processing of personal data. However, non-automated processing only applies to the extent that the record under process forms the whole or a part of a filing system. In addition, the Act has an extra-territorial scope in that it applies not only to data controllers and data processors who are established or ordinarily resident in Kenya and process personal data in Kenya but also to those that are not established or ordinarily resident in Kenya but process the personal data of data subjects located in Kenya. For example, the provisions of the Act apply to a company like Alibaba even if it does not have an established legal presence in Kenya.
Part VII of the Act (Sections 51–55) provides for exemptions from the Act. Section 51 (1) begins by qualifying the applicability of the exemptions, stating that data controllers or processors are not exempt from complying with the data protection principles relating to lawful processing, the minimisation of collection, data quality and adopting security safeguards to protect personal data. This implies that, even where a situation is identified as exempt, the person who processes or collects data in those instances must still abide by the matters outlined in Section 51 (1).
Section 51 (2) describes three situations in which the processing of personal data is exempt under the Act:
Regulations 54–57 of the Data Protection (General) Regulations 2021 provide further guidance on what exemptions for national security or public interest entail.
Apart from the instances described above, the Act also exempts some aspects of the processing of personal data relating to journalistic, art, literature and research purposes.
Exemption on grounds of national security
Under Regulation 54 (1), exemption on the grounds of national security extends to the processing of personal data by the national security organs outlined in Article 239 (1) of the Constitution – ie, the Kenya Defence Forces, the National Intelligence Service, and the National Police Service.
Regulation 54 (2) gives controllers and processors who process personal data for national security the right to apply to the Cabinet Secretary for an exemption on the grounds of national security. In these instances, the Cabinet Secretary has the power to issue a certificate of exemption upon being satisfied that the grounds supporting the application are sufficient. The Cabinet Secretary also has the power to revoke the certificate of exemption at any time if the grounds on which the certificate was issued no longer apply.
Exemption on Grounds of Public Interest
Exemptions on the grounds of public interest are covered in Regulations 55–57, and broadly apply in two situations: (i) general situations and (ii) permitted health situations.
Regulations 55 (a) and 56 relate to permitted general situations. The exemption covers the collection, use or disclosure by a data controller or data processor of personal data about a data subject for:
Permitted health situations are outlined in Regulations 55 (b) and 57. They include uses or disclosures of personal data to provide health services and for research and related purposes, and disclosures of health information for secondary purposes to a person responsible for a data subject. This exemption only applies where a data controller or data processor discloses health data about a data subject and:
Exemptions for Journalism, Literature and Art
According to Section 52 of the Act, the principles of processing personal data do not apply where:
Section 52 (3) gives the Data Commissioner the mandate to prepare a code of practice containing practical guidance in relation to the processing of personal data for journalism, literature and art.
Exemptions for Research, History and Statistics
Section 53 (1) provides that further processing of personal data shall be compatible with the purpose of collection if the data is used for historical, statistical or research purposes. Where personal data is processed pursuant to this provision, the data controller or processor must ensure that:
The Data Commissioner has the power to prepare codes of practice containing practical guidance in relation to the processing of personal data for the purposes of research, history and statistics.
Data Sharing Code
Section 55 gives the Data Commissioner power to issue a Data Sharing Code that gives practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation and such other guidance as the Data Commissioner considers appropriate to promote good practice in the sharing of personal data. The data sharing code is also expected to specify how the lawful exchange of personal data can occur between government departments or public sector agencies.
Section 54 gives the Data Commissioner the power to prescribe other instances where compliance with the provisions of the Act may be exempted.
At the time of writing (March 2023), the Data Commissioner had not yet published any of the codes outlined in Sections 51–55.
The Data Commissioner
Part II of the Act (Sections 5–17) provides for the establishment of the Office of the Data Protection Commissioner (ODPC) as a body corporate with perpetual succession and a common seal, which can sue and be sued, take, purchase or otherwise acquire, hold, charge or dispose of movable and immovable property and enter into contracts. The Office is comprised of the Data Commissioner as its head, and an accounting officer and other staff appointed by the Data Commissioner. The Data Commissioner is appointed by the President with the approval of Parliament.
Kenya’s first Data Commissioner, Ms Immaculate Kassait, was appointed in November 2020. Under her leadership, the ODPC has established operating structures, launched a portal for the registration of data controllers and processors and commenced enforcement action.
Functions of Data Commissioner
The Data Commissioner is responsible for the implementation and enforcement of the Act, as well as the following:
Data Commissioner Audits
Section 23 of the Act provides that the Data Commissioner may carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with the Act. No further guidance on the conduct of audits is provided in the Act or the Regulations.
Enforcement and Penalties
Section 9 of the Act grants the Data Commissioner the powers to:
Part VII of the Act (Sections 56–66) sets out the enforcement provisions in greater detail. The Complaints Handling and Enforcement Regulations 2021 also contain guidelines on enforcement.
Complaints are regulated under Sections 56–57 of the Act and Regulations 4–15 of the Data Protection (Complaints Handling and Enforcement) Regulations 2021.
Receiving and reviewing complaints
A data subject has the right to lodge a complaint with the Data Commissioner. The complaint may be lodged orally or in writing through electronic means – eg, by email, web posting, complaint management information systems or any other appropriate means. Complaints may be lodged by a complainant, by a person acting on behalf of a complainant or by any other person who is authorised by law to act on behalf of a data subject or anonymously.
Upon the receipt of a complaint, the Data Commissioner must acknowledge receipt and review, admit or decline the complaint. Where necessary, the Data Commissioner may conduct investigations into the complaint, facilitate mediation, conciliation or negotiation, or use any appropriate mechanism to resolve the complaint.
A claim may be discontinued on the basis that it does not merit further consideration or where the complainant refuses, fails or neglects to communicate without justifiable cause. Where it is discontinued, the complainant may reinstate the complaint by providing further grounds for restitution to the Data Commissioner. A complaint may also be withdrawn at any stage during its consideration before a determination is made. A withdrawn complaint may be re-lodged within six months.
In the exercise of its investigative powers, the Data Commissioner may summon witnesses, request witness statements or demand the production of any book, document or record that may be necessary for the investigation. The process of an investigation must abide by the provisions of the Fair Administrative Action Act, 2015, which establishes a legal framework for ensuring that administrative actions are taken expeditiously, efficiently and lawfully.
Failure to comply with the Data Commissioner’s orders in relation to investigations is an offence, as is providing false or misleading information. Upon completion of the investigation, the Data Commissioner must prepare an investigation report outlining the findings, the resulting decision and the reasons for the decision. The report should also state the remedy to which the complainant is entitled, which may include:
Effect of a decision of the Data Commissioner
A decision of the Data Commissioner is deemed to be binding on the parties and is enforced as an order of the court.
Under Section 58 of the Act, The Data Commissioner has power to serve an enforcement notice on any person who has failed or is failing to comply with any of the provisions of the Act. The enforcement notice must specify:
Regulations 16–19 of the Complaints Handling and Enforcement Regulations provide the modalities for the issuance, service and review of an enforcement notice, and appeals against an enforcement notice. In essence, the Data Commissioner has the power to issue an enforcement notice specifying the consequences of failure to comply with the notice. Enforcement notices may be served by email, post or delivery to the registered offices of the concerned person, in the absence of an electronic address. Persons to whom enforcement notices are served have the right to apply for review. The application for review should be made before the end of the period specified in the enforcement notice and on grounds that (i) there is a change of circumstances, where new facts have arisen; or (ii) where one or more of the provisions specified in the notice do not need to be complied with in order to remedy the failure identified therein.
Failure to comply with an enforcement notice is an offence punishable with a fine not exceeding KES5 million or imprisonment for a term not exceeding two years, or both.
Section 62 of the Act gives the Data Commissioner power to issue a penalty notice where she is satisfied that a person has failed or is failing to comply with any provisions of the Act. A penalty notice requires the non-compliant party to pay the Data Commissioner an amount specified therein. The maximum amount of penalty or administrative fine that may be imposed by the Data Commissioner in a penalty notice is KES5 million or up to 1% of an undertaking’s annual turnover for the preceding financial year, whichever is lower. It is worth noting that the Act does not offer any definition for the term “undertaking”, thereby leaving room for debate on what qualifies as an undertaking.
Regulations 20–21 of the Complaints Handling and Enforcement Regulations provide further guidance on the issuance and enforcement of penalty notices. Regulation 20 (4) provides that a penalty notice may impose a daily fine of not more than KES10,000 for each breach identified, until the breach is rectified. In addition, the Data Commissioner can take action to recover a penalty upon the lapse of the period specified in the penalty notice for payment of a penalty, upon the final determination of any appeal against the penalty notice or upon the lapse of any period given to appeal against the notice.
Right of appeal
A person against whom an administrative action is taken by the Data Commissioner, including enforcement notices and penalty notices, may appeal to the High Court.
Additional Enforcement Powers of the Data Commissioner
The Data Commissioner has the following additional powers:
After the mediation, parties must sign a negotiation, mediation or conciliation agreement, which shall be deemed to be the determination of the Data Commissioner on the matter and is enforceable as such. A party to a dispute that is subject to negotiation, mediation or conciliation may withdraw from the proceedings at any stage. The person withdrawing must inform the Data Commissioner and other parties of such withdrawal within seven days of making the decision to do so.
See 1.6 System Characteristics.
The Katiba Institute is an NGO that was established to promote knowledge and understanding of Kenya’s Constitution and constitutionalism, and to defend and facilitate the implementation of the Constitution. The institute filed the first notable litigation on data protection relating to the roll-out of the Huduma number system in Kenya (see 2.5 Enforcement and Litigation).
The Article 19 organisation has been at the forefront of shaping privacy and surveillance developments in Kenya. One of its key areas of influence has been supporting litigation relating to the Huduma Number Case and making submissions on legislation relating to biometric civil registrations, such as the Huduma Bill 2021.
Access Now and Privacy International both regularly monitor and call out privacy-related developments or actions in Kenya. Finally, KICTANet, an ICT policy think tank, has influenced the development of policies and handbooks relating to data protection.
The Act follows the EU omnibus approach to legislation. To a large extent, most of the provisions of the Act are similar to the European General Data Protection Regulation (GDPR), especially in the following areas:
A key difference between the two laws is the fact that the GDPR assigns specific duties to data controllers and processors – the data controller is responsible for implementing appropriate technical and organisational measures to ensure and demonstrate compliance with the GDPR, enabling data subject rights requests, managing consents, conducting DPIAs, etc. Under Kenyan law, a distinction between the role of the data controller and the data processor has only been made in relation to the selection and appointment of data processors and on the notification of data breaches, and on the extent of liability that the data processor bears if a data subject lodges a compensation claim (see 2.1 Omnibus Laws and General Requirements (Data Subject Rights)).
In relation to fines and penalties, the GDPR provides for two tiers of fines where offences are segregated into severe and less severe violations, and different fines are applied to the offences. In contrast, Kenyan law provides for uniform penalties for all offences but gives the Data Commissioner the discretion to determine the severity of the fine based on the circumstances of the case: the higher the incidence of offending circumstances, the higher the fine.
For regulatory developments, see 1.8 Significant Pending Changes, Hot Topics and Issues.
Following the operationalisation of the ODPC, the following key initiatives have taken place.
Registration of Data Controllers and Processors
On 14 July 2022, the Data Commissioner launched an e-platform for the registration of data controllers and data processors. All controllers and processors that meet the registration thresholds must apply for registration. Failure to register attracts a fine of KES3 million and/or a maximum imprisonment term of ten years. As of 31 January 2023, over 1,400 firms had been registered with the Data Commissioner. As part of its mandate, the Data Commissioner has maintained a register of data controllers and data processors operating in Kenya
Between 2022 and January 2023, the ODPC undertook three significant enforcement actions.
On 5 October 2022, the ODPC announced that it was conducting a preliminary documentary assessment and audit against 40 digital lenders. The action was taken following several complaints by data subjects of the digital credit lenders’ unlawful processing of their information. However, the details of the complaints were not made publicly available. In addition, the ODPC issued an enforcement notice against a leading healthcare provider following a complaint raised by one of its customers.
On 21 December 2022, the Data Commissioner issued a fine against Oppo Kenya in the sum of KES5 Million for using a person’s photo on the company’s Instagram page without the person’s consent.
Allen Gichuhi and Charles Wamae v Florence Mathenge and Ambrose Waigwa
On 6 January 2023, the ODPC delivered a decision relating to a complaint lodged by two partners of a law firm (Allen Gichuhi and Charles Wamae v Florence Mathenge and Ambrose Waigwa (2023)). The complainants complained that whilst in employment at the firm, the first respondent sent confidential information from the firm to her personal email address and to the second respondent. It was further alleged that the confidential information comprised personal and sensitive personal data of the firm. The evidence produced in support of this claim was a series of court pleadings shared by the first respondent to the second respondent. After analysing the evidence, the Data Commissioner dismissed the complaint on the basis that the documents did not constitute personal or sensitive personal data.
Data Privacy Week 2023
The ODPC commemorated International Privacy Day (28 January) by hosting a series of privacy awareness initiatives including webinars and masterclasses on data protection. On 26 and 27 January 2023, the ODPC hosted a two-day data privacy conference under the theme “Promoting Data Protection in a Digitally Transformed Economy”. During the conference, the President of Kenya, H.E. William Ruto, pledged to roll out the Huduma Number initiative within the next 12 months (see 2.5 Enforcement and Litigation for further information).
Data Protection Officers
The Act provides that data controllers and data processors may appoint or designate data protection officers (DPOs) on such terms and conditions as the data controller or processor may determine, where:
The DPO is responsible for spearheading a company’s data protection compliance programme, including building capacity among staff, carrying out DPIAs and acting as a liaison between the organisation and the Data Commissioner’s Office.
In terms of appointment, an existing staff member can fulfil the role of the DPO in addition to their day-to-day duties, provided that the existing duties and DPO duties do not result in a conflict of interest. The DPO should have the relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection.
Criteria for Processing Personal Data
The principles of data protection
All personal data in Kenya must be processed in accordance with the principles of data protection, which include:
The rules on the collection of personal data
Personal data may be collected directly or indirectly from data subjects. Indirect collection (or collection from any person other than the data subject) is permissible where:
Where a data controller or data processor collects personal data indirectly, they must inform the data subject of the collection within 14 days. Prior to the collection of personal data, the data controller or data processor must give the data subject adequate information about the intended processing activities, to ensure integrity and confidentiality, the lawful bases for processing and the likely consequences for failing to provide the data.
Lawful bases for processing personal data
There are eight lawful bases for processing personal data in Kenya, as follows:
None of these bases is superior to the others, although there are some instances in which it is mandatory to seek consent to process personal data – eg, for processing children’s data and commercial uses of personal data.
Data protection impact assessments
Where a data processing operation is likely to result in a high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purpose, a data controller or data processor must carry out a DPIA prior to the processing.
The General Regulations outline the types of processing operations that may result in high risks to the rights and freedoms of the data subject. Examples include automated decision-making with legal or similar significant effect, the use of personal data on a large scale for a purpose other than that for which it was initially collected, the innovative use or application of new technological organisational solutions, or where processing prevents a data subject from exercising a right. The Regulations also provide a standard template for carrying out DPIAs. If a DPIA confirms or shows high risks to individuals, the Data Commissioner must be consulted prior to the implementation of the proposed protected activity.
Data Subject Rights
Right to information
Individuals must be given information about how their personal data shall be processed. The General Regulations stipulate that this information should be provided through a Data Protection Policy, prior to collection or within 14 days where the collection is indirect.
Right to access
Data subjects can request access to their personal data that is in the custody of a data controller or processor. Access must be provided within seven days of the request, at no cost to the data subject.
Right of objection
The right to object applies as an absolute right where the processing is for direct marketing, including profiling that relates to direct marketing. Apart from that, the data subject’s right to object may be overridden if the data controller demonstrates compelling legitimate interests for processing that override the data subject’s interests or for the establishment, exercise or defence of a legal claim. Where a data subject objects to direct marketing, their personal data must not be processed further for those purposes. An objection request must be complied with within 14 days, and it must be done at no cost to the data subject.
Right of rectification
A data subject can request the rectification or correction of any false, inaccurate, outdated, incomplete or misleading data processed about them. Where a data controller or processor is satisfied that rectification is necessary, it must action the request within 14 days, at no cost to the data subject. If the request is declined, the data subject should be notified of such within seven days.
Right of erasure
The right to erase or destroy personal data arises if:
However, this right does not apply where processing is done to:
If the information is required for evidence, the data controller or processor may restrict its processing instead of deleting or rectifying it, and inform the data subject within a reasonable time. An erasure request must be responded to within 14 days, at no cost to the data subject.
Right to restriction
This right arises in the following circumstances:
Restriction requests must be actioned within 14 days of receipt.
Right to data portability
An individual can request access to their personal data in a commonly used machine-readable format. They can also ask for the transmission of the data from one data controller or processor to another. Portability requests do not apply where processing is necessary for a task performed in the public interest or the exercise of official authority, or where they may adversely affect the rights and freedoms of others. Requests must be responded to within 30 days. The data controller or processor may charge a cost for acceding to the request, but such cost should not exceed the actual cost incurred in actualising the request.
Rights related to profiling and automated decision-making
A data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affecting the data subject. This right does not apply where the decision is necessary for entering into a contract, where it is authorised by law, or where it is based on the data subject’s request.
Where an automated decision is taken, the data controller or processor must notify the data subject in writing of its decision and provide information about the logic involved and the consequences of the processing. In addition, the data subject is entitled to request a review of an automated decision or to request a decision that is not based solely on automated processing. Where a data controller or processor receives such a request, they must comply by ensuring that the data subject can obtain human intervention and express their point of view.
Right to lodge a complaint
A data subject who is aggrieved by a decision under the Act has the right to lodge a complaint with the Data Commissioner.
Right to compensation
Any person who suffers damage by reason of contravention of a requirement of the Act is entitled to compensation for that damage from the data controller or the data processor. The Act describes “damage” as including both financial loss and damage not involving financial loss, including distress. A data controller involved in the processing of personal data is liable for any damage caused by said processing, and a data processor involved in the processing of personal data is liable for damage caused by said processing only if the processor has not complied with an obligation under the Act specifically directed at data processors or has acted outside or contrary to the data controller’s lawful instructions.
Privacy by Design and by Default
According to Sections 41 and 42 of the Act, data controllers or processors must have appropriate technical and organisational safeguards in place to implement the data protection principles effectively and to integrate the necessary safeguards for that processing. The elements necessary to implement the data protection principles are set out in Regulations 29–36 of the General Regulations.
When integrating/adopting safeguards to achieve data protection by design and by default, a data controller or processor must consider the amount of data collected, the extent of processing, the period of storage, accessibility, the cost of processing data and the technologies used. Where information is conveyed through an information communication network, the data controller should consider the state of technology available, the cost of implementation, the risks of processing and the nature of the data being processed.
Selecting and Using Data Processors
Data controllers can only select and use the services of data processors that provide sufficient guarantees in respect of technical and organisational measures to safeguard personal data and to enter into a written agreement that provides that the data processor shall only act on instructions received from the data controller and shall be bound by the obligations of the data controller. Where a processor acts outside the instructions of the data controller, it shall be deemed to be a data controller in respect of that processing activity.
The Data Protection Act amends the Capital Markets Act by giving the Capital Markets Authority the power to ensure the processing of personal data in capital markets operations is in accordance with the principles set out under the Act. The Act also requires the Authority to collect and process personal data in accordance with the Act.
Section 40 (2) of the Proceeds of Crime and Anti-Money Laundering Act provides that the sharing of personal data with the Financial Reporting Centre must adhere to the data protection principles set out in the Data Protection Act.
The Prudential Guidelines issued by the Central Bank of Kenya also stipulate that consumers’ financial and personal information should be protected through appropriate control and protection mechanisms. Such mechanisms should define the purposes for which the data may be collected, processed, held, used or disclosed and the rights of consumers to be informed about data sharing, access and the correction and deletion of inaccurate or unlawfully collected or processed personal data.
Increased collaboration between the Data Commissioner and regulators in the financial sector is expected, alongside the development of elaborate guidelines on personal data protection within these industries.
Section 46 (1) of the Act provides that personal data relating to the health of a data subject may only be processed under the responsibility of a healthcare provider or by a person who is subject to the obligation of secrecy under any law. Section 46 (2) provides that conditions are met if the processing is necessary for reasons of public interest in the area of public health, or if it is carried out by another person who in the circumstances owes a duty of confidentiality under any law. The Data Protection Act does not apply to processing carried out pursuant to permitted general and permitted health situations (see 1.1 Laws).
The Data Protection Act amends the Kenya Information and Communications Act by giving the Communications Commission of Kenya the power to ensure that the processing of subscribers’ personal data is in accordance with the principles set out under the Data Protection Act. It also imposes an obligation on licensees to ensure that the necessary steps are taken to secure the integrity of personal data under their possession or control through the adoption of appropriate and reasonable technical and organisational measures to prevent damage to or the unauthorised destruction of personal data, and to prevent any unlawful access to the unauthorised processing of personal data.
Children’s or Student Data
Children’s data is classified as sensitive personal data in the Act, Section 33 of which prohibits controllers and processors from processing personal data relating to a child unless consent is given by the child’s parent or guardian and the processing is done in such a manner that protects and advances the rights and best interests of the child. However, parental consent is not required where a data controller or processor provides counselling and child protection services to a child.
The conditions for compliant consent are set out in Sections 2 and 32 of the Act and in Regulation 4 of the General Regulations. Controllers and processors must also incorporate appropriate mechanisms for age verification and consent.
Under Section 37 of the Act, a person cannot process personal data for commercial use unless they have sought and obtained the express consent of a data subject, or unless they are authorised to do so under any written law and the data subject was informed of the use when the data was collected.
The General Regulations define “commercial use of data” as uses that advance the commercial or economic interests of data controllers or processors, including actions such as inducing a person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or effecting a commercial transaction directly or indirectly. Direct marketing is regarded as a commercial use of data if:
Under the General Regulations, direct marketing is permissible where:
Direct marketing messages must incorporate mechanisms for data subjects to opt out of the service. The features of compliant opt-out messages are set out in the General Regulations. Once an opt-out request is received, the data controller or processor cannot use or disclose personal data for direct marketing.
The Data Protection Act amended the Employment Act by making it a requirement for employers who employ children to keep and maintain registers in accordance with the principles of data protection set out in the Act. Apart from that, the Act and its attendant regulations do not contain any specific provisions relating to workplace privacy, so the expectation is that all employee data must be processed in accordance with the Act and the Constitutional right to privacy.
See 1.3 Administration and Enforcement Process.
The Huduma Number Case
A landmark personal data protection and privacy case was determined by the High Court of Kenya in October 2021: Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Institute & another (Ex parte); Immaculate Kasait, Data Commissioner (Interested party) (Judicial Review Application E1138 of 2020)  KEHC 122 (KLR) (Judicial Review) (14 October 2021) (Judgment).
The Kenyan government’s introduction of a new system for the registration of Kenyans and foreigners residing within its jurisdiction was challenged before the court for failing to meet the threshold of privacy under Article 31 of the Constitution and requirements regarding the collection of personal data under the Act. While making its determination, the court faulted the government of Kenya for collecting personal data from Kenyans without first making the determination of how it would protect that data, and for failing to appreciate the importance and extent of the application of the Act with respect to the collection and processing of personal data under the National Integrated Identity Management System. The court quashed the government directive to roll out Huduma Cards, noting that the directive was ultra vires contrary to Section 31 of the Act. The court further compelled the government to complete a DPIA, as required by the Act, prior to the processing of data or the rolling out of Huduma Cards.
Mwangi & another v Naivasha County Hotel t/a Sawela Lodges (Petition E003 of 2021)  KEHC 10975 (KLR) (19 July 2022)
The petitioners filed a constitutional petition alleging that the respondents took photographs of them during a team-building activity at the respondent’s premises and proceeded to make posts on various social media platforms using the said pictures to market the respondent’s products. The petitioners further alleged that the respondent violated their right to privacy as they did not consent to have their photos taken. The respondent raised a preliminary objection on the basis that (i) the court did not have jurisdiction to entertain the claim as the petitioners had not exhausted all available avenues for addressing grievances before approaching the court, and (ii) the matter was a civil claim under the law of tort and not a constitutional one. On the issue of jurisdiction, the court found that the petitioner anchored his petition on the use of personal data without consent, an issue wherein the remedies for breach were extensively covered in the Act. Therefore, the court found that the petition was not exempted from the doctrine of exhaustion. The court also found that the nature of the grievances did not constitute a constitutional issue but was rather a dispute between private individuals.
Under the Computer Misuse and Cybercrimes Act, police officers have the power to search and seize data stored in a computer or a data storage medium if they have reason to believe that said data is required for a criminal investigation or if it has been acquired for the commission of an offence. To execute a search, the police officer must obtain a warrant from the court.
In addition, courts have the power to issue orders that permit police offers to:
The police officer must state their reason for believing the data is in possession of the person in control of the computer system, the type of content in the system and the measures to be taken to ensure that the collection or recording maintains the privacy of other users, customer and third parties and to ensure that the information and data of any party is not part of the investigation.
The provisions of the Data Protection Act and the attendant regulations do not apply to the Kenya Defence Forces, the National Intelligence Service or the National Police Service.
Section 36 of the National Intelligence Service Act No 28 of 2012 stipulates that the right to privacy under the Constitution may be limited in respect of a person who is subject to investigation by the Service or who is suspected to have committed an offence against national security to the extent of investigation and monitoring of the person’s right to communication. However, to invoke this provision, the authorities must obtain a warrant from the High Court before initiating any investigations.
Section 35 of the Prevention of Terrorism Act No 30 of 2012 gives a limitation on privacy to the extent of ensuring that the investigation of terrorism, the detection and prevention of terrorism activities or the enjoyment of fundamental rights by an individual do not prejudice the fundamental rights of others. The limitation of rights to privacy relate to the person, home or property to be searched, the possessions to be seized and the communications to be investigated, intercepted or interfered with. Section 36A gives national security authorities the power to intercept communications to detect, deter and disrupt terrorism, including where this limits the right to privacy.
An organisation may not invoke a foreign government access request as a legitimate basis to collect and transfer personal data.
Kenya does not participate in a CLOUD Act agreement with the USA.
The largest privacy debate to date is on the use of biometric systems for civil registrations (see 2.5 Enforcement and Litigation). In December 2021, the government introduced the Huduma Bill, seeking to provide a law on civil registration and legal identification management and to establish the National Integrated Information Management System (NIIMS) as Kenya’s digital identity system.
Civil society organisations such as Article 19 have since raised concerns about the bill, stating that it bears provisions that negatively impact the right to privacy and data protection. They have called for public participation in the bill as well as a governance and institutional framework for NIIMS.
More debates are expected on emerging issues with continued implementation and enforcement activities.
The transfer limitation principle provides that personal data should not be transferred outside Kenya unless there is sufficient proof of adequate data protection safeguards or consent from the data subject. Sections 48–50 of the Act and Regulations 26 and 39–48 of the General Regulations provide further guidance on international transfers in Kenya.
The Act and the General Regulations set out four bases for the transfer of personal data outside Kenya.
Appropriate Data Protection Safeguards
A transfer on the basis of appropriate data protection safeguards is effective if the intended recipient is bound by a legal instrument containing appropriate safeguards for the protection of personal data that is essentially equivalent to the protection under the Act and the Regulations. It also applies where the data controller, having assessed all the circumstances surrounding transfers of that type of personal data to another country or relevant international organisation, concludes that appropriate safeguards exist to protect the data.
Transfers based on appropriate safeguards must be documented in the prescribed format. The documentation must be available to the Data Commissioner on request.
A country is deemed to have appropriate safeguards if:
Binding corporate rules are only binding in the following circumstances:
Transfers based on adequacy decisions arise where the Data Commissioner decides that the other country or territory of one or more specified sectors within the country or the international organisation ensures an adequate level of protection of personal data. The Data Commissioner has the power to publish on its website a list of countries, territories and specified sectors within that other country and relevant international organisations for which the Data Commissioner has decided that an adequate level of protection is ensured. The Data Commissioner has not issued any adequacy decisions.
Transfers Based on Necessity
Necessity applies if a transfer is necessary for:
Transfers Based on Consent
In the absence of an adequacy decision, appropriate safeguards or prerequisites for a transfer as a necessity, a transfer or set of transfers of personal data to another country may take place if the data subject has explicitly consented to the proposed transfer and has been informed of the possible risks of the transfer. Notwithstanding the foregoing, if the data being transferred is sensitive personal data, a data controller or data processor must seek the consent of the data subject before transferring the personal data and provide proof of the existence of sufficient safeguards.
Under Section 48 of the Act, a data controller or processor may transfer personal data to another country only if they have given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of the personal data. In addition, where the processing relates to sensitive personal data, the Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests. The Data Commissioner has the power to prohibit or suspend the transfer, or to subject it to such conditions as may be determined.
Regulation 41(2(b))(2) of the General Regulations provides that documentation relating to the transfer should be provided to the Data Commissioner on request.
Regulation 26 of the General Regulations states that data controllers and processors who process personal data in the strategic interests of the state shall only do so through a server and data centre located in Kenya, or if they store at least one serving a copy of the personal data concerned in a data centre located in Kenya. The strategic interests of the state include:
Protected computer systems include systems that are necessary for:
Other systems may also be designated as protected computer systems, such as those relating to the security, defence or international relations of Kenya, critical information, communications, business or transport infrastructure and the protection of public safety and public services, as may be designated by the Cabinet Secretary responsible for matters relating to information, communication and technology.
No software code, algorithms or similar technical details are required to be shared with the government. However, the Official Secrets Act (Cap 187) gives the Cabinet Secretary for the Ministry of Interior and Coordination of National Government powers to access data from any phone or computer and introduces hefty penalties for non-compliance.
This is not relevant in Kenya.
This is not relevant in Kenya.
Drones are regulated under the Civil Aviation (Unmanned Aircraft Systems) Regulations, 2020, under which an unmanned aircraft system (UAS) operator shall not use a system equipped with an imaging device to conduct surveillance nor take an image of a person without that person’s written consent. Therefore, such systems cannot be used to record images of the privately owned or leased property of an owner, tenant, invitee or licensee with the intent of conducting surveillance on said individual or property in violation of such person’s reasonable expectation of privacy without their written consent. A person is presumed to have a reasonable expectation of privacy on their privately owned, licensed or leased property if they are not observable by persons located at ground level in a place where they have a legal right to be. UAS operators must comply with laws relating to the protection or privacy or data.
However, with the Approval of the Kenya Civil Aviation Authority, a UAS equipped with imaging devices may be used to map and evaluate the earth’s surface, including terrain and surface water bodies, to investigate forests and forest management, for search and rescue procedures or to investigate vegetation or wildlife.
Disinformation, Deepfakes or Other Online Harms
The Computer Misuse and Cybercrimes Act provides penalties for cybercrimes and other computer-related offences. It is an offence to publish false information in print or broadcast, or over a computer system, that is calculated to result in panic, chaos or violence among citizens in the Republic or that is likely to discredit the reputation of a person. It is also an offence to send out communications that are likely to cause apprehension or fear of violence to a person or persons, or that detrimentally affect a person, or that are in whole or part grossly offensive.
Organisations in Kenya do not have to establish protocols for digital governance or fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies.
See 2.5 Enforcement and Litigation.
There is no specific law setting standards for due diligence within the framework of data protection in corporate transactions. That notwithstanding, buyers must clearly understand the seller’s privacy risk profile before completing the transaction. The seller will need to ensure that the transaction does not result in privacy-related risks or concerns. Therefore, the transaction documents must contemplate and fully cover privacy concerns. For example, prior to due diligence, the confidentiality agreements should be robust enough to ensure confidentiality and appropriate safeguards for personal data. During due diligence, the buyer should consider the target’s personal data processing practices by reviewing personal data maps/inventories. They should also consider the extent of compliance in relation to the principles of data protection, the facilitation of data subjects’ rights, the notification of personal data breaches, third-party vendor processing and international transfers, and should seek appropriate indemnities or warranties to protect against any claims or risks prior to sale. Post-deal, the DPO should be well-versed with the data protection issues, and put measures in place to address them.
The Computer Misuse and Cybercrimes Act No 5 of 2018 requires operators of computer systems or networks to inform the National Computer and Cybercrime Co-ordination Committee of any disruptions or intrusions to the functioning of a computer system within 24 hours of such an attack. The report should include information about the breach, including a summary of how the breach occurred (as far as is known by the agency), an estimate of the number of people affected by the breach, the risk of harm to the affected individuals and an explanation of the circumstances that would delay or prevent affected persons from being informed of the breach.
The Central Bank of Kenya (CBK) provides guidance on cybersecurity that requires banks to submit their Cybersecurity Policy, strategies and frameworks to the CBK. Additionally, reporting institutions must notify the CBK within 24 hours of any cybersecurity incidents that could have a significant and adverse impact on an institution’s ability to provide adequate services to its customers, its reputation or its financial condition. Reporting institutions must also provide a quarterly report to the CBK on the occurrence and handling of cybersecurity incidents.
The Central Bank of Kenya passed the Central Bank of Kenya (Digital Credit Providers) Regulations 2021 seeking to regulate and license digital credit providers. This was in response to increasing concerns about the predatory lending tactics and privacy violations employed by some digital lenders in the country.
A digital credit provider is defined in the Regulations as “a person licensed by the Bank to carry on digital credit business.” The regulations do not apply to licensed banks, microfinance institutions, savings and credit co-operative societies (SACCOS), the Kenya Post Office Bank, credit arrangements involving the provision of credit by a person that is merely incidental to the sale of goods or provision of services by the person or any other entity approved by the Bank. Regulation 12 obliges digital credit providers to:
Further, digital credit providers are restricted from:
Digital lenders must take steps to safeguard the security of information provided to them by a credit reference bureau, or by it to a credit reference bureau. Notably, the regulations provide that no suit, prosecution or other legal proceedings shall lie against the Central Bank of Kenya; a credit reference bureau; a digital credit provider; or chairperson, director, member, auditor, adviser, officer or other employee or agent of the Bank, credit reference bureau or digital credit provider for any loss or damage caused or likely to be caused by anything which is done or intended to be done in good faith in pursuance of these Regulations.
Notification and Communication of Personal Data Breaches
Where personal data has been accessed or acquired and there is a real risk of harm to the data subject whose personal data has been subjected to unauthorised access, a data controller must inform the Data Commissioner within 72 hours of becoming aware of the breach and must inform the affected data subjects without unreasonable delay.
A data processor must also report a data breach to a data controller within 48 hours of becoming aware of the breach. The tight timelines for reporting imply that organisations must be well prepared to respond to breaches and to make timely reports. Failure to comply with the reporting requirements is a contravention that may attract administrative fines, general penalties and criminal sanctions.
AEA Plaza 6th Floor
+254 20 271 email@example.com www.mmkadv.co.ke