Expert Commentary: Kenya follows the path of European-style Data Protection

Guest Post

By Dr. Isaac Rutenberg, Director and Senior Lecturer, Centre for Intellectual Property and Information Technology Law, Strathmore University, Nairobi, Kenya  @StrathCIPIT

On the 8th of November, the President of Kenya signed into law the Data Protection Act 2019. This action completed a process that spanned more than a decade, and allows Kenya to enter a new phase with respect to the evolving centricity and treatment of data in society. This article looks at the content of the Act, highlights important and interesting provisions, and concludes with predictions as to the implementation.

Viewed from a high level, Kenya’s Data Protection Act (DPA) has many similarities with the General Data Protection Regulation (GDPR) in the EU, but also some notable features that have been localized for the Kenyan context. Without question, the DPA will satisfy Kenya’s obligations with respect to data protection under the African Union Convention on Cyber Security and Personal Data Protection, to which Kenya is a signatory. Also without question, the DPA is a major development that will require significant changes to the operations of private and public entities.

The similarities with GDPR are very clear. Section 25 of the DPA lists the principles of data protection that apply to data controllers and processors:

  • Respect of the right of privacy;
  • Data is collected for explicit, specified, and legitimate purposes (purpose limitation);
  • Data is processed lawfully, fairly, and transparently;
  • Data is adequate, relevant, and limited (data minimization);
  • Data is accurate and kept up to date;
  • Data processing is explained to the data subject;
  • Data is kept not longer than necessary for the purposes for which it is collected; and
  • No transfers outside Kenya without proof of data protection safeguards, or consent.

Each of the above principles is supported by additional provisions throughout the Act, with some more effectively supported than others. A thorough analysis of these provisions is provided in a series of blog posts at

Data processing must generally be done in compliance with the above principles. There are, however, numerous exceptions, and one exception in particular will require attention as the Act is implemented. Section 30 states that personal data shall not be processed unless the processing is necessary “for the performance of any task carried out by a public authority.” This appears to be a blanket authorization for any and all activities by the government. The provision is greatly worrying, even though such activities may still be limited by other provisions of the DPA (such as the need for a risk assessment as described below).

A few other provisions of the DPA are worth discussion.

Companies may choose to have a Data Protection Officer, but unlike the GDPR, the DPA never requires such an officer. Given the complexities of data protection in the global context, it is inconceivable that any large company would elect not to have a Data Protection Officer, and it is advisable that many smaller companies (particularly tech companies) should also seek the services of a full or part-time Data Protection Officer.

An intriguing aspect of the DPA is found in Section 31, which states that any data processing that is “likely to result in high risk to the rights and freedoms of a data subject” must undergo a data protection impact assessment. The requirement appears to apply to both private and public activities; government projects as well as private sector projects involving data will require impact assessments. The highly controversial “Huduma Namba” digital ID program currently being introduced in Kenya seems to be exactly the type of project that would require an impact assessment under this provision. Much like all major construction projects now routinely undergo environmental impact assessments, it is hoped that the data protection impact assessment will become a normal part of project planning. As a side note, it is unclear whether the skills and experience for carrying out data protection impact assessments are widely present in Kenya.

Another intriguing provision is found in Section 35: “Every data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject.” Many telecom companies and startup companies in Kenya are making microloans to consumers based on various credit scoring methods (some of which, incidentally, involve algorithms using artificial intelligence). It appears that, with some exceptions (such as when the data subject consents), such products are no longer legal unless a human is involved in the final decision as whether to grant a loan.

Now that the process of enacting data protection legislation is over, the details of implementation are now center stage, and will ultimately be just as influential in Kenya’s commitment to data protection.

Favorably, the law provides for an Office of the Data Commissioner that is a state office. This means that the Data Commissioner will be relatively independent of the executive branch of government. Most importantly, funding for the Data Commissioner will be provided directly through Parliament. The Data Commissioner will be appointed by the President from three candidates selected by the Public Service Commission, so the executive will still have a large influence over the philosophy of the Office of the DC. The Data Commissioner receives a six-year term, and the selection of the inaugural Commissioner is a critical step that will determine much about the implementation and impact of the law.

There is, however, a more pressing concern. Recently a private individual brought a lawsuit in the High Court to halt implementation of the Data Protection Act. The petitioner argues that the DPA resulted from the merger of two bills, one of which originated in the Kenyan Senate. Since the DPA itself was never sent to the Senate for approval, the lawmaking process was improper. Bypassing the Senate is a method that has been used by the government to shorten the lawmaking process in other pieces of legislation, and this lawsuit tests the very fundamental question of when such a method is consistent with Kenyan constitutional democracy. The DPA merely appears to be the battlefield upon which this issue may finally be decided.

Implementation of any aspect of the DPA requires appointment of the Data Commissioner. In view of the pending litigation, this appointment may be substantially delayed, and data protection for Kenyans will have to wait.

One final thought: when Europe implemented the GDPR, which was more favorable to data subjects than any other legal framework existing at the time, some American tech companies modified their activities. It was reported that Facebook, for example, moved non-European data to servers located outside the EU. But, due to the size of the market, most major tech companies continued to engage with Europe and Europeans. Considering the vastly smaller market in Kenya, it will be interesting to see whether the similarly strict provisions of the DPA will result in some global tech companies deciding that the Kenyan market is not worth engaging.

Dr. Isaac Rutenberg,

Centre for Intellectual Property and Information Technology Law, Strathmore University


Publication information:

Posted 22 November, 2019