Data Protection & Privacy 2022 Comparisons

Last Updated March 10, 2022

Law and Practice

Authors

Munyao, Muthama and Kashindi Advocates is a progressive and fast-growing firm that has data protection as one of its key practice areas. The firm has significant experience in, and advises on nearly all aspects of, data protection and privacy laws under the Constitution 2010, the Kenyan Data Protection Act 2019 and the EU GDPR. The key aspects of the firm’s data protection practice include DPIAs, breach incident response planning, international data transfers, management of data subject rights, and training and sensitisation. In addition, the firm has significant expertise in other related practice areas, including employment, ICT, IP, dispute resolution, legal compliance audits and regulatory matters, which provide the necessary leverage to the data protection practice. The team members drawn from these other areas of practice, together with the data protection team, comprise six partners, one of counsel and six associates. The data protection team has been involved in various past and ongoing assignments for blue-chip companies, parastatals and insurance companies, among others.

Introduction

Following a seven-year effort to develop a substantive law on data protection, Kenya enacted the Data Protection Act 2019 (the Act) on 25 November 2019. Previously, data protection in Kenya was regulated under various sectoral laws and the Constitution, Articles 31(c) and (d) of which guarantee every person a right to privacy over information relating to their family or private affairs and over their communications. The sectoral laws that contained provisions on data protection included the Access to Information Act, the Kenya Information Communications Act, the Banking Act, the Public Health Act and the HIV Aids and Prevention Control Act.

The Act provides a comprehensive legal framework on data protection in Kenya, giving effect to Articles 31 (c) and (d) of the Constitution. It has also amended several existing laws to include provisions on data protection, some of which shall be discussed in greater detail below. Where sectoral laws have not been amended, they continue to apply to the extent they do not conflict with the Constitution or the Act.

Four sets of regulations have been published to provide guidelines on some provisions of the Act:

  • the Data Protection (Civil Registrations) Regulations 2020 came into force in October 2020 and regulate the processing of personal data by civil registries, including births, deaths, adoptions and marriage;
  • the Data Protection (General) Regulations 2021 (the General Regulations) provide guidelines on some of the processing requirements or obligations set out under the Data Protection Act, and came into force in February 2022;
  • the Data Protection (Complaints Handling and Enforcement Procedures) Regulations 2021 were published to facilitate fair, impartial and expeditious investigations and hearings of complaints lodged with the Data Commissioner, and to provide for the issuance of penalty and enforcement notices; they also came into force in February 2022; and
  • the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 provide the procedure for the registration of data controllers and data processors in Kenya, and will come into force in August 2022.

The Purpose and Objective of the Act

The preamble to the Act describes its purposes as being “to give effect to Articles 31 (c) and (d) of the Constitution, to establish the Office of the Data Protection Commissioner, to make provision for the regulation of processing of personal data, to provide for the rights of data subjects and obligations of data controllers and data processors and connected purposes.” Additional purposes and objectives of the Act include the regulation of personal data processing and ensuring that the processing of a data subject's personal data is guided by the data protection principles set out in Section 25 of the Act.

The Scope of Application

The Act applies to both the automated and non-automated processing of personal data. However, for non-automated processing, it only applies to the extent that the record under process forms the whole or a part of a filing system. In addition, the Act has an extra-territorial scope in that it applies not only to data controllers and data processors who are established or ordinarily resident in Kenya and process personal data in Kenya but also to those that are not established or ordinarily resident in Kenya but process the personal data of data subjects located in Kenya. For example, the provisions of the Act apply to a company like Amazon even if it does not have an established legal presence in Kenya.

Exemptions

Part VII of the Act (Sections 51–55) provides for exemptions from the Act. Section 51 (1) begins by qualifying the applicability of the exemptions, stating that data controllers or processors are not exempt from complying with the data protection principles relating to lawful processing, the minimisation of collection, data quality and adopting security safeguards to protect personal data. This implies that, even where a situation is identified as exempt, the person who processes or collects data in those instances must still abide by the matters outlined in Section 51 (1).

Section 51 (2) describes three situations in which the processing of personal data is exempt under the Act:

  • where it relates to the processing of personal data by an individual during a purely household activity;
  • if it is necessary for national security or the public interest; or
  • if disclosure is required by or under any written law, or by order of the court.

Regulations 54–57 of the Data Protection (General) Regulations 2021 provide further clarity on what exemptions for national security or public interest entail.

Apart from the instances described above, the Act also exempts some aspects of the processing of personal data relating to journalistic, art, literature and research purposes.

Exemption on Grounds of National Security

Under Regulation 54 (1), exemption on the grounds of national security extends to the processing of personal data by the national security organs outlined in Article 239 (1) of the Constitution – ie, the Kenya Defence Forces, the National Intelligence Service and the National Police Service.

Regulation 54 (2) gives controllers and processors who process personal data for national security the right to apply to the Cabinet Secretary for an exemption on the grounds of national security. In these instances, the Cabinet Secretary has power to revoke the certificate of exemption at any time if the grounds on which the certificate was issued no longer apply.

Exemption on Grounds of Public Interest

Exemptions on the grounds of public interest are covered in Regulations 55–57, and broadly apply in two situations: general situations and permitted health situations.

Regulations 55 (a) and 56 relate to permitted general situations. The exemption covers the collection, use or disclosure by a data controller or data processor of personal data about a data subject for:

  • lessening or preventing a serious threat to the life, health or safety of the data subject;
  • acting in relation to suspected unlawful activity or serious misconduct;
  • locating a missing person;
  • asserting a legal or equitable claim;
  • conducting alternative dispute resolution; or
  • performing diplomatic and consular duties.

Permitted health situations (Regulations 55 (b) and 57) include uses or disclosures of personal data for the purpose of providing health services and for research and related purposes, and disclosures of health information for secondary purposes to a person responsible for a data subject. This exemption only applies where a data controller or data processor discloses health data about a data subject and:

  • they provide a health service to the data subject;
  • the recipient of the data is responsible for the data subject;
  • a data subject is either physically or legally incapable of giving consent to the disclosure, or physically cannot communicate consent to the disclosure;
  • the disclosure is necessary to provide appropriate care or treatment for a data subject;
  • the disclosure is not contrary to any wish expressed by the data subject before the data subject became unable to give or communicate consent of which the carer is aware or of which the carer could be reasonably expected to be aware; and
  • the disclosure is limited to the extent reasonable and necessary to provide appropriate care or treatment for the individual or to fulfil the purpose of making a disclosure for compassionate reasons.

Exemptions for Journalism, Literature and Art

According to Section 52 of the Act, the principles of processing personal data do not apply where:

  • the processing is undertaken by a person for the publication of a literary or artistic material;
  • the data controller reasonably believes that publication would be in the public interest, provided the processing complies with a self-regulatory or issued code of ethics or practice that is relevant to the publication in question; and
  • the data controller reasonably believes that, in all circumstances, compliance with the provision is incompatible with the special circumstances.

Section 52 (3) gives the Data Commissioner the mandate to prepare a code of practice containing practical guidance in relation to the processing of personal data for the purposes of journalism, literature and art.

Exemptions for Research, History and Statistics

Section 53 (1) provides that further processing of personal data shall be compatible with the purpose of collection if the data is used for historical, statistical or research purposes. Where personal data is processed pursuant to this provision, the data controller or processor must ensure that:

  • further processing is carried out solely for such purpose;
  • the data is not published in an identifiable form;
  • measures and appropriate safeguards exist to secure against the records being used for any other purpose;
  • the data is processed in compliance with the relevant conditions; and
  • the results of the research or resulting statistics are not available in a form that identifies the data subject.

The Data Commissioner can prepare codes of practice containing practical guidance in relation to the processing of personal data for the purposes of research, history and statistics.

Data Sharing Code

Section 55 gives the Data Commissioner power to issue a Data Sharing Code that gives practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation and such other guidance as the Data Commissioner considers appropriate to promote good practice in the sharing of personal data. The data sharing code is also expected to specify how the lawful exchange of personal data can occur between government departments or public sector agencies.

Section 54 gives the Data Commissioner the power to prescribe other instances where compliance with the provisions of the Act may be exempted.

At the time of writing, the Data Commissioner has not yet published any of the codes outlined in Sections 51–55.

The Data Commissioner

Part II of the Act (Sections 5–17) provides for the establishment of the Office of the Data Protection Commissioner as a body corporate with perpetual succession and a common seal, which can sue and be sued; take, purchase or otherwise acquire, hold, charge or dispose of movable and immovable property; and enter into contracts. The Office comprises the Data Commissioner as its head, an accounting officer and other staff appointed by the Data Commissioner. The Data Commissioner is appointed by the President with the approval of Parliament.

Kenya’s first Data Commissioner, Ms Immaculate Kassait, was appointed in November 2020. Since taking office, Ms Kassait has embarked on the development and publication of the Data Protection Regulations, as well as setting up structures and mobilising resources for the operationalisation of the office.

Data Commissioner Functions

The Data Commissioner is responsible for the implementation and enforcement of the Act, as well as the following:

  • providing oversight on data processing operations;
  • promoting self-regulation among data controllers and processors;
  • investigating complaints;
  • conducting audits and inspections;
  • promoting international co-operation in matters relating to data protection; and
  • undertaking research on developments in personal data processing to ensure that no development has a significant or adverse effect on the privacy of individuals.

Data Commissioner Audits

Section 23 of the Act provides that the Data Commissioner may carry out periodical audits of the processes and systems of the data controllers or data processors to ensure compliance with the Act. No further guidance on the conduct of audits is provided in the Act or the Regulations.

Enforcement and Penalties

Section 9 of the Act grants the Data Commissioner the following powers:

  • to conduct investigations on its own initiative or based on a complaint made by a data subject;
  • to facilitate conciliation, mediation and the negotiation of disputes arising from the Act;
  • to issue summons to witnesses for the purpose of investigation;
  • to require persons subject to the Act to provide explanations, information and assistance in person and in writing; and
  • to impose administrative fines for failures to comply with the Act.

Part VII of the Act (Sections 56–66) sets out the enforcement provisions in greater detail. The Complaints Handling and Enforcement Regulations 2021 also contain guidelines on enforcement.

Complaints Handling

Complaints are regulated under Sections 56–57 of the Act and Regulations 4–15 of the Data Protection (Complaints Handling and Enforcement) Regulations 2021.

Receiving and reviewing complaints

A data subject has the right to lodge a complaint with the Data Commissioner. The complaint may be lodged orally or through electronic means – eg, by email, web posting, complaint management information systems or any other appropriate means. It may be lodged by a complainant, by a person acting on behalf of a complainant, by any other person who is authorised by law to act on behalf of a data subject, or anonymously.

Upon the receipt of a complaint, the Data Commissioner must acknowledge receipt and review, admit or decline the complaint. Where necessary, the Data Commissioner may conduct investigations into the complaint, facilitate mediation, conciliation or negotiation, or use any appropriate mechanism to resolve the complaint.

A complaint may be discontinued on the basis that it does not merit further consideration or where the complainant refuses, fails or neglects to communicate without justifiable cause. Where it is discontinued, the complainant may reinstate the complaint by providing further grounds for reinstatement to the Data Commissioner. A complaint may also be withdrawn at any stage during its consideration before a determination is made. A withdrawn complaint may be re-lodged within six months.

Investigations

In the exercise of her investigative powers, the Data Commissioner may summon witnesses, request witness statements or demand the production of any book, document or record that may be necessary for the investigation. The process of an investigation must abide by the provisions of the Fair Administrative Action Act, 2015, which establishes a legal framework for ensuring that administrative actions are taken expeditiously, efficiently and lawfully.

Failure to comply with the Data Commissioner’s orders in relation to investigations is an offence, as is providing false or misleading information. Upon completion of the investigation, the Data Commissioner must prepare an investigation report outlining the findings, the resulting decision and the reasons for the decision. The report should also state the remedy to which the complainant is entitled, which may include:

  • the issuance of an Enforcement Notice to the respondent;
  • the issuance of a Penalty Notice imposing an administrative fine;
  • dismissal of the complaint where it lacks merit;
  • a recommendation for prosecution; or
  • an order for compensation to be paid to the data subject by the respondent.

Effect of a decision of the Data Commissioner

A decision of the Data Commissioner is deemed to be binding on the parties and is enforced as an order of the court.

Enforcement Notices

The Data Commissioner has power to serve an Enforcement Notice on any person who has failed or is failing to comply with any of the provisions of the Act. The Enforcement Notice must specify:

  • the provision of the Act that has been contravened;
  • the measures that shall be taken to remedy or eliminate the situation;
  • the period, not less than 21 days, within which the measures should be implemented; and
  • whether the person has a right of appeal.

Regulations 16–19 of the Complaints Handling and Enforcement Regulations provide the modalities for the issuance, service and review of an Enforcement Notice, and for appeals against an Enforcement Notice. A right to review is granted to any person served with an Enforcement Notice, but only where there is a change of circumstances, where new facts have emerged or where some steps specified in the Notice do not need to be complied with in order to remedy the failure identified therein.

Failure to comply with an Enforcement Notice is an offence punishable with a fine not exceeding KES5 million or imprisonment for a term not exceeding two years, or both.

Penalty Notices

Section 60 of the Act gives the Data Commissioner power to issue a Penalty Notice where she is satisfied that a person has failed or is failing to comply with any provisions of the Act. A Penalty Notice requires the non-compliant party to pay the Data Commissioner an amount specified therein. The maximum amount of penalty or administrative fine that may be imposed by the Data Commissioner in a Penalty Notice is KES5 million or up to 1% of an undertaking's annual turnover for the preceding financial year, whichever is lower. It is worth noting that the Act does not offer any definition for the term "undertaking", thereby leaving room for debate on what qualifies as an undertaking.

Regulations 20–21 of the Complaints Handling and Enforcement Regulations provide further guidance on the issuance and enforcement of Penalty Notices. Regulation 20 (4) provides that a Penalty Notice may impose a daily fine of not more than KES10,000 for each breach identified, until the breach is rectified. In addition, the Data Commissioner can recover a penalty upon the lapse of the period specified in the Penalty Notice for payment of a penalty, upon the final determination of any appeal against the Penalty Notice or upon the lapse of any period given to appeal against the Notice.

Right of appeal

A person against whom an administrative action is taken by the Data Commissioner, including Enforcement Notices and Penalty Notices, may appeal to the High Court.

Additional Enforcement Powers of the Data Commissioner

The Data Commissioner has the following additional powers:

  • power to seek assistance – the Data Commissioner’s office can seek the assistance of such person or authority as may be appropriate for the discharge of its functions;
  • power of entry and search – upon obtaining a warrant from a court, the Data Commissioner may enter and search any premises for the purposes of discharging any function or exercising any of her powers under the Act;
  • power to request preservation orders – the Data Commissioner may apply to court for a preservation order to guarantee the expeditious preservation of personal data, including traffic data, where there are reasonable grounds to believe that the data is vulnerable to loss or modification; and
  • the power to facilitate negotiations, mediations and conciliations – where the parties to a complaint agree to negotiation, mediation or conciliation, the Data Commissioner may, in consultation with the parties, facilitate the process by applying such procedures as she deems appropriate and in the best interests of the parties. At the conclusion of the mediation, parties must sign a negotiation, mediation or conciliation agreement, which shall be deemed to be the determination of the Data Commissioner on the matter and is enforceable as such. A party to a dispute that is subject to negotiation, mediation or conciliation may withdraw from the proceedings at any stage. The person withdrawing must inform the Data Commissioner and other parties of such withdrawal within seven days of making the decision to do so.

See 1.6 System Characteristics.

The Katiba Institute is an NGO that was established to promote knowledge and understanding of Kenya’s Constitution and constitutionalisms, and to defend and facilitate the implementation of the Constitution. The institute filed the first notable litigation on data protection relating to the roll-out of the Huduma number system in Kenya (see 2.5 Enforcement and Litigation).

The Article 19 organisation has been at the forefront of shaping privacy and surveillance developments in Kenya. One of its key areas of influence has been supporting litigation relating to the Huduma Number Case and making submissions on legislation relating to biometric civil registrations, such as the Huduma Bill 2021.

Access Now and Privacy International both regularly monitor and call out privacy-related developments or actions in Kenya.

The Act follows the EU omnibus approach to legislation. To a large extent, most of the provisions of the Act are similar to the European General Data Protection Regulation (GDPR), especially in the following areas:

  • the definition of key terms such as “data controller”, “data processor”, “personal data”, “sensitive personal data”, “data subject” and “processing”;
  • personal data processing must abide by the principles of data protection;
  • individuals have rights over their data, including the rights to information, access, rectification, erasure, data portability, restriction and objection;
  • processing must be done on a lawful basis;
  • where the processing results in a real risk of harm to data subjects, a data protection impact assessment (DPIA) must be done prior to processing;
  • regulatory authorities must be notified whenever personal data breaches occur;
  • controllers and processors must implement data protection by design and by default;
  • controllers must have a contractual framework in place to manage data processors; and
  • there are pre-conditions for international data transfers.

A key difference between the two laws is the fact that the GDPR assigns specific duties to data controllers and processors – the data controller is responsible for implementing appropriate technical and organisational measures to ensure and demonstrate compliance with the GDPR, enabling data subject rights requests, managing consents, conducting DPIAs, etc. Under Kenyan law, a distinction between the role of the data controller and that of the data processor has only been made in relation to the selection and appointment of data processors, the notification of data breaches, and the extent of liability that the data processor bears if a data subject lodges a claim for compensation (see 2.1 Omnibus Laws and General Requirements (Data Subject Rights)).

In relation to fines and penalties, the GDPR provides for two tiers of fines where offences are segregated into severe and less severe violations, and different fines are applied to the offences. In contrast, the Kenyan law provides for uniform penalties for all offences but gives the Data Commissioner the discretion to determine the severity of fine based on the circumstances of the case: the higher the incidence of offending circumstances, the higher the fine.

For regulatory developments, see 1.8 Significant Pending Changes, Hot Topics and Issues.

In the past two years, enforcement activity has been limited by delays in the appointment of the Data Commissioner and the enactment of supporting Regulations. In 2020, the focus was on appointing a Data Commissioner but the process was temporarily derailed by litigation relating to the recruitment process, which was later resolved by mutual consensus. In 2021, the focus was on publishing and obtaining consensus on the draft Regulations and on securing the necessary monetary resources to operationalise the Act.

Based on recent activity, 2022 seems to be a more promising year on the regulatory and enforcement front. For instance, in January 2022, three sets of data protection regulations were published in the Kenya Gazette: the Data Protection (General) Regulations 2021 and the Data Protection (Complaints Handling and Enforcement Procedures) Regulations became law in February 2022, while the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 shall come into force in August 2022.

Also in January, the Office of the Data Commissioner published its five-year strategic plan (accessible at www.odpc.go.ke), which sets out its vision and outlines its key result or focus areas, notably including institutional and capacity development, the provision of regulatory services and the creation of awareness. Enforcement activity is also expected to increase significantly within the year, especially once the registration of data controllers and data processors begins.

Data Protection Officers

The Act creates a requirement for data controllers and data processors to appoint or designate a person within their organisation as a Data Protection Officer (DPO) in the following circumstances:

  • where they process personal data as a public or private body (except courts acting in their judicial capacity);
  • where their core activities consist of processing operations which, by virtue of their nature, scope or purpose, require the systematic monitoring of data subjects; or
  • where their core activities consist of processing sensitive categories of personal data.

The DPO is responsible for spearheading a company’s data protection compliance programme, including building capacity among staff, carrying out DPIAs and acting as a liaison between the organisation and the Data Commissioner’s Office.

In terms of appointment, an existing staff member can fulfil the role of the DPO in addition to their day-to-day duties, provided that the existing duties and DPO duties do not result in a conflict of interest. The DPO should have the relevant academic knowledge and technical skills in matters relating to data protection.

Criteria for Processing Personal Data

The principles of data protection

All personal data in Kenya must be processed in accordance with the principles of data protection, which include:

  • respect for individual privacy – this supports the right to privacy entrenched in the Constitution;
  • lawfulness, fairness and transparency – personal data must be processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • purpose limitation – personal data must be collected for explicit, specified and legitimate purposes, and must not be further processed in a manner that is incompatible with those purposes;
  • data minimisation – personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • respect for family privacy – whenever information relating to family or private affairs is required, personal data must be collected only where a valid explanation is provided;
  • accuracy – personal data must be accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • storage limitation – personal data must be kept in a form that identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
  • transfer limitation – personal data must not be transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

The rules on the collection of personal data

Personal data may be collected directly or indirectly from data subjects. Indirect collection (or collection from any person other than the data subject) is permissible where:

  • the data is contained in a public record, publication, database or footage from surveillance cameras (provided an individual is identifiable or reasonably identifiable);
  • the data subject deliberately makes the data public or consents to the collection of the data from another source;
  • collection from another source would not prejudice the data subject;
  • the information is associated with web browsing or biometric technology, including voice and facial recognition; and
  • it is necessary for the prevention, detection, investigation, prosecution or punishment of crime, for the enforcement of a law or for the protection of the interests of the data subject or another person.

Where a data controller or data processor collects personal data indirectly, they must inform the data subject of the collection within 14 days. Prior to the collection of personal data, the data controller or data processor must give the data subject adequate information about the intended processing activities, the safeguards in place to ensure the integrity and confidentiality of the data, the lawful bases for processing and the likely consequences of failing to provide the data.

Lawful bases for processing personal data

There are eight lawful bases for processing personal data in Kenya, as follows:

  • consent;
  • contract;
  • legal obligation;
  • vital interests;
  • public interest;
  • performance of a task as a public authority;
  • legitimate interests; and
  • historical, journalistic, literature and art, or scientific research.

None of these bases is superior to the others, although there are some instances in which it is mandatory to seek consent to process personal data – eg, for processing children’s data and marketing data.

Data protection impact assessments

Where a data processing operation is likely to result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purpose, a data controller or data processor must carry out a DPIA prior to the processing.

The General Regulations outline the types of processing operations that may result in high risks to the rights and freedoms of the data subject. Examples include automated decision-making with legal or similarly significant effect, the use of personal data on a large scale for a purpose other than that for which it was initially collected, the innovative use or application of new technological or organisational solutions, or processing that prevents a data subject from exercising a right. The Regulations also provide a standard template for carrying out DPIAs. If a DPIA confirms or shows high risks to individuals, the Data Commissioner must be consulted prior to the implementation of the proposed processing activity.

Data Subject Rights

Right to information

Individuals must be given information about how their personal data shall be processed. The General Regulations stipulate that this information should be provided through a Data Protection Policy, prior to collection or within 14 days where the collection is indirect.

Right to access

Data subjects can request access to their personal data that is in the custody of a data controller or processor. Access must be provided within seven days of the request, at no cost to the data subject.

Right of objection

The right to object applies as an absolute right where the processing is for direct marketing, including profiling that relates to direct marketing. Apart from that, the data subject’s right to object may be overridden if the data controller demonstrates compelling legitimate interests for processing that override the data subject’s interests or for the establishment, exercise or defence of a legal claim. Where a data subject objects to direct marketing, their personal data must not be processed further for those purposes. An objection request must be complied with within 14 days, and it must be done at no cost to the data subject.

Right of rectification

A data subject can request the rectification or correction of any false, inaccurate, outdated, incomplete or misleading data processed about them. Where a data controller or processor is satisfied that a rectification is necessary, it must action the request within 14 days, at no cost to the data subject. If the request is declined, the data subject should be notified of the refusal within seven days.

Right of erasure

The right to erase or destroy personal data arises if:

  • the data controller or processor is no longer authorised to retain the information because it is irrelevant, excessive or no longer necessary for the purpose for which it was collected;
  • consent was the lawful basis for processing and the data subject withdraws their consent;
  • the data subject objects to the processing of their data and there is no overriding legitimate interest to continue the processing;
  • the processing relates to direct marketing and the individual objects to that processing; or
  • the processing is unlawful, including where the data controller or processor is in breach of the lawfulness requirement.

However, this right does not apply where processing is done to:

  • establish, exercise or defend a legal claim;
  • exercise the right of freedom of expression and information;
  • comply with a legal obligation;
  • perform a task in the public interest or in the exercise of official authority;
  • create an archive in the public interest; or
  • pursue scientific research, historical research or statistical purposes if the erasure is likely to seriously impair the achievement of that processing.

If the information is required for the purposes of evidence, the data controller or processor may restrict its processing instead of deleting or rectifying it, and inform the data subject within a reasonable time. A request for erasure must be responded to within 14 days, at no cost to the data subject.

Right to restriction

This right arises in the following circumstances:

  • where the data subject contests the accuracy of the data;
  • if the personal data is no longer required for the purposes of processing;
  • if the processing is unlawful but the data subject opts for restriction instead of deletion; or
  • if the data subject wants to verify the legitimate interests asserted by the data controller.

Restriction requests must be actioned within 14 days of receipt.

Right to data portability

An individual can request access to their personal data in a commonly used machine-readable format. They can also ask for transmission of the data from one data controller or processor to another. Portability requests do not apply where processing is necessary for a task performed in the public interest or in the exercise of an official authority, or where they may adversely affect the rights and freedoms of others. Requests must be responded to within 30 days. The data controller or processor may charge a cost for acceding to the request, but such cost should not exceed the actual cost incurred in actualising the request.

Rights related to profiling and automated decision-making

A data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affecting the data subject. This right does not apply where the decision is necessary for entering into a contract, where it is authorised by a law, or where it is based on the data subject’s request.

Where an automated decision is taken, the data controller or processor must notify the data subject in writing of its decision and provide information about the logic involved and the consequences of the processing. In addition, the data subject is entitled to request a review of an automated decision or to request a decision that is not based solely on automated processing. Where a data controller or processor receives such a request, they must comply by ensuring that the data subject can obtain human intervention and express their point of view.

Right to lodge a complaint

A data subject who is aggrieved by a decision under the Act has the right to lodge a complaint with the Data Commissioner.

Right to compensation

Any person who suffers damage by reason of contravention of a requirement of the Act is entitled to compensation for that damage from the data controller or the data processor. The Act describes "damage" as including both financial loss and damage not involving financial loss, including distress. A data controller involved in the processing of personal data is liable for any damage caused by said processing, and a data processor involved in the processing of personal data is liable for damage caused by said processing only if the processor has not complied with an obligation under the Act specifically directed at data processors or has acted outside or contrary to the data controller’s lawful instructions.

Privacy by Design and by Default

According to Sections 41 and 42 of the Act, data controllers or processors must have appropriate technical and organisational safeguards in place to implement the data protection principles in an effective manner, and to integrate the necessary safeguards for that processing. The elements necessary to implement the data protection principles are set out in Regulations 29–36 of the General Regulations.

When integrating/adopting safeguards to achieve data protection by design and by default, a data controller or processor must consider the amount of data collected, the extent of processing, the period of storage, accessibility, the cost of processing data and the technologies used. Where information is conveyed through an information communication network, the data controller should consider the state of technology available, the cost of implementation, the risks of processing and the nature of the data being processed.

Selecting and Using Data Processors

Data controllers may only select and use the services of data processors that provide sufficient guarantees in respect of technical and organisational measures to safeguard personal data, and must enter into a written agreement with the processor which provides that the data processor shall act only on instructions received from the data controller and shall be bound by the obligations of the data controller. Where a processor acts outside the instructions of the data controller, it shall be deemed to be a data controller in respect of that processing activity.

Financial Data

The Data Protection Act amends the Capital Markets Act by giving the Capital Markets Authority the power to ensure the processing of personal data in capital markets operations is in accordance with the principles set out under the Act. The Act also requires the Authority to collect and process personal data in accordance with the Act.

Section 40 (2) of the Proceeds of Crime and Anti-Money Laundering Act provides that the sharing of personal data with the Financial Reporting Centre must adhere to the data protection principles set out in the Data Protection Act.

The Prudential Guidelines issued by the Central Bank of Kenya also stipulate that consumers’ financial and personal information should be protected through appropriate control and protection mechanisms. Such mechanisms should define the purposes for which the data may be collected, processed, held, used or disclosed and the rights of consumers to be informed about data sharing, access and the correction and deletion of inaccurate or unlawfully collected or processed personal data.

Increased collaboration between the Data Commissioner and regulators in the financial sector is expected, alongside the development of elaborate guidelines on personal data protection within these industries.

Health Data

Section 46 (1) of the Act provides that personal data relating to the health of a data subject may only be processed under the responsibility of a healthcare provider or by a person who is subject to the obligation of secrecy under any law. Section 46 (2) provides that conditions are met if the processing is necessary for reasons of public interest in the area of public health, or if it is carried out by another person who in the circumstances owes a duty of confidentiality under any law. The Data Protection Act does not apply to processing carried out pursuant to permitted general and permitted health situations (see 1.1 Laws).

Communications Data

The Data Protection Act amends the Kenya Information and Communications Act by giving the Communications Commission of Kenya the power to ensure that the processing of subscribers' personal data is in accordance with the principles set out under the Data Protection Act. It also imposes an obligation on licensees to take the necessary steps to secure the integrity of personal data in their possession or under their control through the adoption of appropriate and reasonable technical and organisational measures to prevent damage to or the unauthorised destruction of personal data, and to prevent any unlawful access to or unauthorised processing of personal data.

Children’s or Student Data

Children’s data is classified as sensitive personal data in the Act, Section 33 of which prohibits controllers and processors from processing personal data relating to a child unless consent is given by the child’s parent or guardian and the processing is done in such a manner that protects and advances the rights and best interests of the child. However, parental consent is not required where a data controller or processor provides counselling and child protection services to a child.

The conditions for compliant consent are set out in Sections 2 and 32 of the Act and in Regulation 4 of the General Regulations. Controllers and processors must also incorporate appropriate mechanisms for age verification and consent.

Under Section 37 of the Act, a person cannot process personal data for commercial use unless they have sought and obtained express consent from a data subject, or unless they are authorised to do so under any written law and the data subject was informed of the use when the data was collected.

The General Regulations define "commercial use of data" as uses that advance the commercial or economic interests of data controllers or processors, including actions such as inducing a person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or effecting a commercial transaction directly or indirectly. Direct marketing is regarded as a commercial use of data if:

  • it is used to send a catalogue through any medium addressed to a data subject;
  • it involves displaying an advertisement on an online media site to which a data subject has logged on using their personal data; or
  • it involves sending an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by that data subject.

Under the General Regulations, direct marketing is permissible where:

  • the data controller or processor has collected the personal data from the data subject;
  • the data subject has been notified and consented to the use of their personal data for direct marketing purposes;
  • the data controller or processor has provided a simplified opt-out mechanism for the data subject to request not to receive direct marketing communications; and
  • the data subject has not opted out.

Direct marketing messages must incorporate mechanisms for data subjects to opt out of the service. The features of compliant opt-out messages are set out in the General Regulations. Once an opt-out request is received, the data controller or processor cannot use or disclose personal data for the purposes of direct marketing.

The Data Protection Act amended the Employment Act by making it a requirement for employers who employ children to keep and maintain registers in accordance with the principles of data protection set out in the Act. Apart from that, the Act and its attendant regulations do not contain any specific provisions relating to workplace privacy, so the expectation is that all employee data must be processed in accordance with the Act and the Constitutional right to privacy.

See 1.3 Administration and Enforcement Process.

The Huduma Number Case

A landmark personal data protection and privacy case was determined by the High Court of Kenya in October 2021: Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Institute & another (Ex parte); Immaculate Kasait, Data Commissioner (Interested party) (Judicial Review Application E1138 of 2020) [2021] KEHC 122 (KLR) (Judicial Review) (14 October 2021) (Judgment).

The Kenyan government's introduction of a new system for the registration of Kenyans and foreigners residing within its jurisdiction was challenged before the court for failing to meet the threshold of privacy under Article 31 of the Constitution and the requirements regarding the collection of personal data under the Data Protection Act. In making its determination, the court faulted the government of Kenya for collecting personal data from Kenyans without first making a determination of how it would protect that data, and for failing to appreciate the importance and extent of the application of the Act with respect to the collection and processing of personal data under the National Integrated Identity Management System. The court quashed the government directive to roll out Huduma Cards, noting that the directive was ultra vires contrary to Section 31 of the Act. The court further compelled the government to complete a DPIA, as required by the Act, prior to the processing of data or the rolling out of Huduma Cards.

Gulf Energy Limited v Rubis Energy Kenya Plc

Rubis Energy Kenya entered into an agreement to purchase Gulf Energy’s marketing, storage, distribution, retail and aviation business and related assets (“Specific Business and Assets”). A key term of the agreement was that information relating to the Specific Business and Assets was to be shared by Gulf Energy through a designated server. Gulf Energy also handed over relevant hardware, including reformatted laptops. Upon handover, Rubis worked with data recovery specialists to recover information relating to the entire business of Gulf Energy from the server and reformatted laptops, and used the findings to make a warranty claim of KES41 million. Gulf Energy filed a Constitutional Petition against Rubis on the basis that the information recovered by Rubis by advanced data mining formed part of its private and confidential information, and that its right to privacy under the Constitution had been breached. The Petition was struck out by the court due to lack of jurisdiction. In particular, the parties were required to submit the matter to arbitration as per their purchase agreement.

Under the Computer Misuse and Cybercrimes Act, police officers have the power to search and seize data stored in a computer or a data storage medium if they have reason to believe that said data is required for the purposes of a criminal investigation or if it has been acquired for the commission of an offence. To execute a search, the police officer must obtain a warrant from the court.

In addition, courts have the power to issue orders that permit police officers to:

  • demand specified data and subscriber information stored in a computer system or device, for the purposes of investigation;
  • collect or seek the preservation of real-time traffic data where there are reasonable grounds to believe that traffic data is associated with specified communications and is related to the person under investigation; and
  • intercept content data contained in an identified electronic device for investigation purposes. The police officer must state their reason for believing the data is in the possession of the person in control of the computer system, the type of content in the system and the measures to be taken to ensure that the collection or recording maintains the privacy of other users, customers and third parties, and to ensure that the information and data of any party that is not part of the investigation is protected.

The provisions of the Data Protection Act and the attendant regulations do not apply to the Kenya Defence Forces, the National Intelligence Service or the National Police Service.

Section 36 of the National Intelligence Service Act No 28 of 2012 stipulates that the right to privacy under the Constitution may be limited in respect of a person who is subject to investigation by the Service or who is suspected to have committed an offence against national security to the extent of investigation and monitoring of the person’s right to communication. However, to invoke this provision, the authorities must obtain a warrant from the High Court before initiating any investigations.

Section 35 of the Prevention of Terrorism Act No 30 of 2012 limits the right to privacy to the extent necessary to ensure that the investigation of terrorism, the detection and prevention of terrorist activities or the enjoyment of fundamental rights by an individual do not prejudice the fundamental rights of others. The limitation of the right to privacy relates to the person, home or property to be searched, the possessions to be seized and the communications to be investigated, intercepted or interfered with. Section 36A gives national security authorities the power to intercept communications for the purpose of detecting, deterring and disrupting terrorism, including by limiting the right to privacy.

An organisation may not invoke a foreign government access request as a legitimate basis to collect and transfer personal data.

Kenya does not participate in a CLOUD Act agreement with the USA.

The largest privacy debate to date is on the use of biometric systems for civil registrations (see 2.5 Enforcement and Litigation). In December 2021, the government introduced the Huduma Bill, seeking to provide a law on civil registration and legal identification management, and to establish the National Integrated Information Management System (NIIMS) as Kenya’s digital identity system.

Civil society organisations such as Article 19 have since raised concerns about the bill, stating that it contains provisions that negatively impact the right to privacy and data protection. They have called for public participation on the bill as well as a governance and institutional framework for NIIMS.

More debates are expected on emerging issues with continued implementation and enforcement activities.

The transfer limitation principle provides that personal data should not be transferred outside Kenya unless there is sufficient proof of adequate data protection safeguards or consent from the data subject. Sections 48–50 of the Act and Regulations 26 and 39–48 of the General Regulations provide further guidance on international transfers in Kenya.

The Act and the General Regulations set out four bases for the transfer of personal data outside Kenya.

Appropriate Data Protection Safeguards

A transfer on the basis of appropriate data protection safeguards is effective if the intended recipient is bound by a legal instrument containing appropriate safeguards for the protection of personal data that is essentially equivalent to the protection under the Act and the Regulations. It also applies where the data controller, having assessed all the circumstances surrounding transfers of that type of personal data to another country or relevant international organisation, concludes that appropriate safeguards exist to protect the data.

Transfers based on appropriate safeguards must be documented in the prescribed format. The documentation must be available to the Data Commissioner on request.

A country is deemed to have appropriate safeguards if:

  • it has ratified the African Union Convention on Cyber Security and Personal Data Protection;
  • it has a reciprocal agreement with Kenya; or
  • it has contractual binding corporate rules among the group of undertakings or enterprises concerned.

Binding corporate rules are only binding in the following circumstances:

  • if they are legally binding to and enforced by every member of the group of undertakings or group of enterprises engaged in a joint economic activity, including employees;
  • if they expressly confer rights on data subjects regarding the processing of their personal data;
  • if they contain the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity;
  • if they are legally binding internally and externally;
  • if they apply the general data protection principles;
  • if they provide for the rights of data subjects and a means to exercise those rights;
  • if they provide complaints procedures; and
  • if there are mechanisms in place within the group of undertakings or enterprises for ensuring the verification of compliance with binding corporate rules.

Adequacy Decision

Transfers based on adequacy decisions arise where the Data Commissioner decides that the other country, a territory or one or more specified sectors within that country, or the international organisation ensures an adequate level of protection of personal data. The Data Commissioner has the power to publish on its website a list of countries, territories and specified sectors within other countries, and relevant international organisations, for which the Data Commissioner has decided that an adequate level of protection is ensured.

Transfers Based on Necessity

Necessity applies if a transfer is necessary for:

  • the performance of a contract between the data subject and the data controller or processor, or for the implementation of pre-contractual measures taken at the data subject’s request;
  • the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another person;
  • any matter of public interest, if the data subject concerned has no fundamental rights and freedoms that override the public interest necessitating the transfer;
  • the establishment, exercise or defence of a legal claim;
  • protecting the vital interests of the data subject or of other persons, where the data subject is incapable of giving consent; or
  • the purpose of compelling legitimate interests pursued by the data controller or data processor that are not overridden by the interests, rights and freedoms of the data subjects.

Transfers Based on Consent

In the absence of an adequacy decision, appropriate safeguards or prerequisites for a transfer as a necessity, a transfer or set of transfers of personal data to another country may take place if the data subject has explicitly consented to the proposed transfer and has been informed of the possible risks of the transfer. Notwithstanding the foregoing, if the data being transferred is sensitive personal data, a data controller or data processor must seek the consent of the data subject before transferring the personal data and provide proof of the existence of sufficient safeguards.

Under Section 48 of the Act, a data controller or processor may transfer personal data to another country only if they have given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of the personal data. In addition, where processing relates to sensitive personal data, the Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests. The Data Commissioner has the power to prohibit or suspend the transfer, or to subject it to such conditions as may be determined.

Regulation 46 (2) of the General Regulations provides that documentation relating to the transfer should be provided to the Data Commissioner on request.

Regulation 26 of the General Regulations states that data controllers and processors who process personal data in the strategic interests of the state shall only do so through a server and data centre located in Kenya, or if they store at least one serving copy of the personal data concerned in a data centre located in Kenya. The strategic interests of the state include:

  • administering the civil registration and legal identity management systems;
  • facilitating the conduct of elections for the representation of the people under the Constitution;
  • overseeing any system for administering public finances by any state organ;
  • running any system designated as a protected computer system in terms of Section 20 of the Computer Misuse and Cybercrimes Act, 2018;
  • offering any form of early childhood education and basic education under the Basic Education Act, 2013; and
  • providing primary or secondary healthcare for a data subject in the country.

Protected computer systems include systems that are necessary for:

  • the security, defence or international relations of Kenya;
  • verifying the existence or identity of a confidential source of information relating to the enforcement of a criminal law;
  • the provision of services related directly to communications, infrastructure, banking and financial services, payment and payment settlement systems and instruments, public utilities or public transportation, including government services delivered electronically;
  • the protection of public safety, including systems related to essential emergency services such as police officers, civil defence and medical services; and
  • the provision of national registration systems.

Other systems may also be designated as protected computer systems, such as those relating to the security, defence or international relations of Kenya, critical information, communications, business or transport infrastructure and the protection of public safety and public services, as may be designated by the Cabinet Secretary responsible for matters relating to information, communication and technology.

No software code, algorithms or similar technical details are required to be shared with the government. However, the Official Secrets Act (Cap 187) gives the Cabinet Secretary for the Ministry of Interior and Coordination of National Government powers to access data from any phone or computer, and introduces hefty penalties for non-compliance.

This is not relevant in Kenya.

This is not relevant in Kenya.

Drones

Drones are regulated under the Civil Aviation (Unmanned Aircraft Systems) Regulations, 2020, under which an unmanned aircraft system (UAS) operator shall not use a system equipped with an imaging device to conduct surveillance on or take an image of a person without that person’s written consent. Therefore, such systems cannot be used to record images of the privately owned or leased property of an owner, tenant, invitee or licensee with the intent of conducting surveillance on said individual or property in violation of that person’s reasonable expectation of privacy without their written consent. A person is presumed to have a reasonable expectation of privacy on their privately owned, licensed or leased property if they are not observable by persons located at ground level in a place where they have a legal right to be. UAS operators must comply with laws relating to the protection of privacy or data.

However, with the approval of the Kenya Civil Aviation Authority, a UAS equipped with imaging devices may be used to map and evaluate the earth’s surface, including terrain and surface water bodies, to investigate forests and forest management, for search and rescue procedures, or to investigate vegetation or wildlife.

Disinformation, Deepfakes or Other Online Harms

The Computer Misuse and Cybercrimes Act provides penalties for cybercrimes and other computer-related offences. It is an offence to publish false information in print or broadcast, or over a computer system, that is calculated to result in panic, chaos or violence among citizens in the Republic or that is likely to discredit the reputation of a person. It is also an offence to send out communications that are likely to cause apprehension or fear of violence to a person or persons, or that detrimentally affect a person, or that are in whole or part grossly offensive.

Organisations in Kenya do not have to establish protocols for digital governance or fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies.

See 2.5 Enforcement and Litigation.

There is no specific law setting standards for due diligence within the framework of data protection in corporate transactions. That notwithstanding, buyers must clearly understand the seller’s privacy risk profile before completing the transaction, and the seller will need to ensure that the transaction does not result in privacy-related risks or concerns. The transaction documents must therefore contemplate and fully cover privacy concerns. For example, prior to due diligence, the confidentiality agreements should be robust enough to ensure confidentiality and appropriate safeguards for personal data. During due diligence, the buyer should consider the target’s personal data processing practices by reviewing its personal data maps/inventories. They should also consider the extent of compliance in relation to the principles of data protection, the facilitation of data subjects' rights, the notification of personal data breaches, third-party vendor processing and international transfers, and should seek appropriate indemnities or warranties to protect against any claims or risks prior to sale. Post-deal, the DPO should be well versed in the data protection issues, and put measures in place to address them.

The Computer Misuse and Cybercrimes Act No 5 of 2018 requires operators of computer systems or networks to inform the National Computer and Cybercrime Co-ordination Committee of any disruptions or intrusions to the functioning of a computer system within 24 hours of such an attack. The report should include information about the breach, including a summary of how the breach occurred (as far as is known by the agency), an estimate of the number of people affected by the breach, the risk of harm to the affected individuals and an explanation of the circumstances that would delay or prevent affected persons from being informed of the breach.

The Central Bank of Kenya (CBK) provides guidance on cybersecurity that requires banks to submit their Cybersecurity Policy, strategies and frameworks to the CBK. Additionally, reporting institutions must notify the CBK within 24 hours of any cybersecurity incidents that could have a significant and adverse impact on an institution's ability to provide adequate services to its customers, its reputation or its financial condition. Reporting institutions must also provide a quarterly report to the CBK on the occurrence and handling of cybersecurity incidents.

Notification and Communication of Personal Data Breaches

Where personal data has been accessed or acquired and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller must inform the Data Commissioner within 72 hours of becoming aware of the breach, and must inform the affected data subjects without unreasonable delay.

A data processor must also report a data breach, but within 48 hours of becoming aware of the breach. The tight timelines for reporting imply that organisations must be well prepared to respond to breaches and to make timely reports. Failure to comply with the reporting requirements is a contravention that may attract administrative fines, general penalties and criminal sanctions.

Munyao, Muthama and Kashindi Advocates

AEA Plaza 6th Floor
Valley Road
Nairobi
Kenya

+254 20 271 5184

nairobi@mmkadv.com
www.mmkadv.co.ke
