The Data Protection Act, 2019 serves to give effect to Article 31(c) and (d) of the Constitution.
It aims to establish the Office of the Data Protection Commissioner, regulate the processing of personal data, define the rights of data subjects, outline the obligations of data controllers and processors, and address all related matters.
The long-debated Act was officially signed into law on November 25th, 2019, by the president.
The Data Protection Bill of 2019 mirrors the approach of the European Union’s General Data Protection Regulation (GDPR), implemented in May 2018. This legislation positions Kenya as the third East African country to have specific laws governing data protection.
Interpretation
Kenya’s Data Protection Act is one of the most significant data privacy laws globally. This Act grants individuals rights over their personal data and offers clear instructions for companies to follow in handling user data responsibly. The key definitions include:
Anonymisation: This means the removal of personal identifiers from personal data so that the data subject is no longer identifiable.
Biometric data: This is personal data resulting from specific technical processing based on physical, physiological, or behavioral characterization, including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning, and voice recognition.
Personal data: This means any information relating to an identified or identifiable natural person.
Data: This is information which is:
- (a) processed by equipment following given instructions,
- (b) recorded with the purpose of processing it automatically,
- (c) part of a specific filing system,
- (d) not covered in (a), (b), or (c), but is part of an accessible record,
- (e) recorded data held by a public entity that does not fit into categories (a) to (d).
Data controller: This is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing personal data.
Data processor: This is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
Sensitive personal data: This is data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex, or the sexual orientation of the data subject.
Data subject: This is an identified or identifiable natural person who is the subject of personal data.
Consent: This means any manifestation of express, unequivocal, free, specific, and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.
Objective and Purposes of this Act
- To regulate the processing of personal data.
- To ensure that the processing of personal data of a data subject is guided by the principles set out in section 25 of the Act.
- To protect the privacy of individuals.
- To establish the legal and institutional mechanism to protect personal data.
- To provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with this Act.
Roles of the Data Controller and Data Processor
Under section 25 of the Data Protection Act, the duties of the data controller are outlined.
Every data controller or data processor shall ensure that personal data is:
- processed in accordance with the right to privacy of the data subject,
- processed lawfully, fairly, and in a transparent manner in relation to any data subject,
- collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes,
- adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed,
- collected only where a valid explanation is provided whenever information relating to family or private affairs is required,
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay,
- kept in a form that identifies the data subjects for no longer than is necessary for the purposes for which it was collected,
- not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
The Act highlights that any data controller or data processor who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected, commits an offence.
The Act specifies that data controllers or processors must register with the Data Protection Commissioner’s office. The Commissioner will maintain a record of registered individuals and issue them certificates.
Additionally, periodic audits will be conducted to verify compliance with the act by data processors and controllers.
The Data Protection Act in Kenya applies to data controllers or processors handling personal data from data subjects within Kenya, regardless of whether they are based inside or outside the country.
This indicates that Kenya’s Data Protection Act has a broad reach, similar to the EU’s GDPR, encompassing both territorial and extra-territorial aspects.
Rights of the Data Subject
The Act protects the data subject by giving them the right to:
- be informed of the use to which their personal data is to be put.
- access their personal data in the custody of a data controller or data processor.
- object to the processing of all or part of their personal data.
- the correction of false or misleading data.
- the deletion of false or misleading data about them.
A right conferred on a data subject may be exercised where:
- the data subject is a minor, by a person who has parental authority or by a guardian,
- the data subject has a mental or other disability, by a person duly authorized to act as their guardian or administrator,
- in any other case, by a person duly authorized by the data subject.
Further, a data subject has a right to object to the processing of their personal data, unless the data controller or data processor demonstrates compelling legitimate interest for the processing which overrides the data subject’s interests, or for the establishment, exercise, or defence of a legal claim.
The withdrawal of consent shall not affect the lawfulness of processing based on prior consent before its withdrawal.
Collection of Personal Data
A data controller or data processor shall collect personal data directly from the data subject.
The controller or data processor shall collect, store, or use personal data for a purpose that is lawful, specific, and explicitly defined.
Despite the general rule on direct data collection, the Act allows for the indirect collection of personal data where:
- the data is contained in a public record.
- the data subject has deliberately made the data public.
- the data subject has consented to the collection from another source.
- the data subject has an incapacity and the appointed guardian has consented to the collection from another source.
- the collection from another source would not prejudice the interests of the data subject.
- collection of data from another source is necessary for the prevention, detection, investigation, prosecution, and punishment of a crime, for the enforcement of a law that imposes a pecuniary penalty, or for the protection of the interests of the data subject or another person.
Processing of Personal Data Relating to Children
Every data controller or data processor shall not process personal data relating to a child unless —
- consent is given by the child’s parent or guardian, and
- the processing is in such a manner that protects and advances the rights and best interests of the child.
A data controller or data processor shall incorporate appropriate mechanisms for age verification and consent in order to process personal data of a child. Mechanisms shall be determined on the basis of—
- available technology
- volume of personal data processed
- proportion of such personal data likely to be that of a child
- possibility of harm to a child arising out of processing of personal data
- such other factors as may be specified by the Data Commissioner.
A data controller or data processor that exclusively provides counselling or child protection services to a child may not be required to obtain parental consent.
Exemptions
This Act does not excuse data controllers or processors from following data protection principles such as lawful processing, minimizing data collection, ensuring data quality, and implementing security measures to safeguard personal data. The processing of personal data is exempt from the Act if it’s for personal or household activities, national security or public interest, or required by law or court order.
Enforcement
The Data Protection Act in Kenya distinguishes between sanctions for companies and for individuals.
For companies, the maximum penalty that the Data Commissioner may impose in a penalty notice for an infringement of a provision of this Act is up to 5 million shillings or, in the case of an undertaking, up to 1% of its annual turnover for the preceding financial year, whichever is lower.
Individuals who commit an offence under this Act for which no specific penalty is provided, or who otherwise contravene this Act, shall, on conviction, be liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.
A person who suffers damage by reason of a contravention of a requirement of this Act is entitled to compensation for that damage from the data controller or the data processor.
Conclusion
The Data Protection Act of 2019 provides a framework for the protection of personal data in Kenya.
It establishes the rights of data subjects and the obligations of data controllers and processors, and creates the office of the Data Protection Commissioner to oversee compliance.
While the Act strengthens data privacy and security, its implementation poses challenges such as ensuring compliance and managing enforcement effectively.
— Compiled by Wanjiku Hilda