A review of Kenya’s 2019 Data Protection Act: Insights for Data Controllers in Africa

2020-07-03 blog informs learns
A review of Kenya’s 2019 Data Protection Act:  Insights for Data Controllers in Africa


The future of the world is littered in zeros and ones. Many commentators have rightfully claimed that “data is the new oil”. Without a doubt, personal data is quickly becoming the most sought after commodity in the market. The increasing profitability in the data economy has seen companies win a fortune in revenue by collecting, sharing, and using data. The world has become more astute in the acquisition analysis and utilization of data, resulting in a problem of data safety and use. While the problem of data safety and protection dates back to the 1980s, during days of Ralf Berger and the Chaos Computer Club, the first solid, comprehensive regulation of global magnitude was not seen until May 25th, 2018 when the European Union passed the General Data Protection Rule (GDPR).

While regulations have existed in many countries, none has been as elaborate and comprehensive as the 2018 GDPR. According to the United Nations Conference on Trade and Development (UNCTAD), out of the 194 countries in the world, 132 have at least some sort of regulation on the acquisition, use, and safety of data. Africa too has made commendable progress, with 25 out of 55 countries having passed data protection laws. Fourteen out 55 African Union (AU) member states have also ratified the Malabo Convention, otherwise known as the African Union Convention on Cyber Security and Personal Data Protection. Other regional organizations in Africa such as the Southern African Development Community (SADC) and the Economic Community of West African States (ECOWAS) have developed models for data protection laws for their member-states.

Kenya is yet to sign the AU’s Malabo Convention but with the Data Protection Act (DPA) 2019, the country’s policy has finally caught up with the quickly evolving technology. While policy and legal analysts have pointed out a number of shortcomings on the DPA  such as the failure to mention and recognize all international data protection principles in section 25, the Act still provides the country with a foundation from which a stronger legal framework on data protection can be built. The DPA was assented on November 8th and it came into force on November 25th, 2019. It seeks to create an institutional framework and legal guidelines for the processing of personal data in Kenya and belonging to Kenyans. It sets procedures for data controllers to follow in the processing of personal data.

The 2019 DPA borrows heavily from the European Union’s GDPR, which since 2016 has continuously gained traction as the global benchmark for data protection policies and regulations. Just like the GDPR, the DPA is extraterritorial in nature such that while a data controller or processor might not be acting within their jurisdiction, both laws still apply in as long as the processor or the controller acts upon data of any natural or legal person that is within their jurisdiction. Both Article 4 of the GDPR and PART I of the DPA define ‘personal data’ as any information relating to an identified or identifiable natural person. The DPA addresses the relationship between three major parties whose definitions are exactly the same as those in the GDPR.

  1. Data controller; - a person who alone or jointly with others, determines the purpose and means of the processing of personal data.
  2. Data processor: - a person who processes personal data on behalf of the data controller.
  3. Data subject; - is an identified or identifiable natural person who is the subject of personal data.

The DPA requires data controllers and data processors to be registered with the Data Commissioner in Kenya. However, PART VII exempts data processing for historical, statistical, and research purposes from the administrative demands of the Act. This must not be interpreted as an exemption from complying with the data protection principles as highlighted in the three “Data Ethics Principles” namely;

Registration and Consent

The beauty of DPA and all other data protection principles is that it does not stray far from the principles of protection of research participants.  It requires consenting to be clear and concise to the data subject. For research institutions, this reinforces the regulations of U.S. Department of Health and Human Services on Human Research Protections, namely the HHS regulations (45 CFR 46.116) which require investigators to obtain informed consent in a way that allows them to decide whether to participate and without coercion. In both instances, individuals are free to withdraw consent at any given time. For the DPA, this does not stop the processing of data collected prior to the consent. However, this is not consistent with Article 17 of the GDPR which provides for individuals the right to have personal data about them erased. This has popularly been referred to as the ‘right to be forgotten’ as presented in the case with the Lithuanian news source.

Principles of data protection

In spite of the lack of harmony between the DPA and GDPR as mentioned above, the principles of data protection in the DPA are a model replica of the GDPR. An important part of the DPA is the notification and communication of breach. That in case of a breach involving personal data, the individual and the regulating body have to be informed.

Data sharing and transfer

The DPA, similar to the GDPR, also stipulates the circumstances in which data shall be transferred outside Kenya and the safeguards to be considered. Such include data encryption and anonymization through the removal of personal identifying information (PII).

As the Data Protection Commission is yet to be established, research institutions and ‘Data Agents’ in Kenya have ample time to conduct self-assessments in readiness for compliance with both the DPA and GDPR. Businesses are going to be greatly affected by this Act, especially because the application of this law will be unique to different business models and the purpose for which the data is collected, one size fits all might not apply. The Act further encourages data controllers and processors to appoint a Data Protection Officer who will provide advisory on data safety and use as stipulated in the Act.

The views expressed in published blog posts, as well as any errors or omissions, are the sole responsibility of the author/s and do not represent the views of the Africa Evidence Network, its secretariat, advisory or reference groups, or its funders; nor does it imply endorsement by the afore-mentioned parties.