This archive report was first published on 2 December 2019.
Kenya's New Data Protection Act: A Major Milestone ¶
On November 8, 2019, President Uhuru Kenyatta signed the Data Protection Bill, 2019, into law, marking a significant milestone in Kenya's data handling and processing.
The Act, which comes into effect on December 2, 2019, introduces elaborate obligations to persons who collect and process data in Kenya. It outlines the principles of data protection, including the right to be informed, access, correction, and deletion of personal data.
According to Robert Nyamu, Digital Solutions, Financial Services and Risk Advisor Leader in East Africa at Ernst and Young, the Act is a robust and extraterritorial application in a law as it applies to data controllers and processors, within or outside Kenya in so far as they process personal data while in Kenya or of data subjects located in Kenya.
"The Act establishes the office of a Data Protection Commissioner which is to be headed by a Data Commissioner," Nyamu points out. "The Data Protection Commissioner is obligated to implement the Act, establish and maintain a register of data controllers and data processors, exercising oversight on data processing operations and receiving/ investigating any complaint by any person on infringement of the rights under the Act."
The Act also outlines the conditions for the transfer of personal data outside of Kenya and stipulates that a person's data shall not be used for commercial purposes, unless with obtainment of consent from the person whose data is to be used.
"Companies that operate regionally may have to adopt to the Kenyan law as it is the most superior regionally so as to avoid potential fines in the future," Nyamu advises.
With the signing of the Act, Kenya has taken a significant step towards protecting the rights of its citizens and ensuring that data is handled and processed in a transparent and secure manner.