Does Kenya have a Data Protection Law?

In November 2019 Kenyian President Kenyatta signed the Data Protection Act 2019 (the Act) into law. The law is the first of its kind in Kenya and brings the country in line with the European General Data Protection Regulation (GDPR). 

Section 5 of the Act establishes the Data Protection Commissioner as a regulatory body who shall be responsible for overseeing the implementation and enforcement of the Act as well as oversee all data processing operations of its own accord or referred to it by a data subject. A full list of the Commissioners powers and duties are provided for under Section 7.

Section 18 of the Act provides that no party may perform the functions of a data controller or a data processor without first having been registered with the Data Commissioner. The requirements for a prospective data processor or controller to register with the Commissioner are provided for in Section 19. 

In terms of Section 24 the Act makes it discretionary for a data processor or data controller to appoint a Data Protection Officer. The Act establishes 8 principles for lawful processing which are covered in Section 26. The 8 conditions are as follows:

  1. Personal Data must be processed in accordance with the right to privacy;

  2. Personal Data must be processed in a lawful and transparent manner;

  3. Personal Data must only be processed in terms of explicit specified purposes;

  4. Processing must be adequate limited and relevant;

  5. Personal data may only be collected where a valid explanation is given;

  6. Collected personal data must be accurate, kept up to date and inaccurate data must be removed;

  7. Personal data shall only be kept in an identifiable form for as long as is required for a legitimate purpose; and

  8. Personal data shall not be transferred outside of Kenya unless consent is given or proof of adequate safeguards is provided.

Section 44 establishes additional safeguards for the processing of sensitive personal data. 

Part 7 of the Act provides exemptions under the following categories:

  • General exemptions, which includes personal household processing, national security and public interest and any disclosure required in terms of law;

  • Journalism, literature and art, which includes where a journalist believes the processing will be in the public's interest;

  • Processing for historical, statistical or research purposes;

  • Processing in terms of the Commissioner's data-sharing code, which the Commissioner may issue from time to time.

Before the passing of the Act, the processing of personal data in Kenya was completely unregulated. The law algins Kenya with global best practices and marks and important step for the country.