Background

In November 2019, the Data Protection Act (the DPA) was rolled out to Kenyans with the aim of giving effect to Article 31(c) and (d) of the Constitution on the fundamental right to privacy. These two provisions guarantee every Kenyan Citizen the right to privacy regarding their personal information as well as that of their families. Additionally, the DPA makes provisions for the obligations that accrue to data controllers and processors as well as the foundational principles of data protection they are required to adhere to when collecting and processing personal data or information. The principles are modelled on those outlined in the EU General Data Protection Regulations (GDPR) with examples being that data should be processed in accordance with the right to privacy of the data subject; processed lawfully, fairly and in a transparent manner; collected for a legitimate purpose among others.

Whereas the DPA became law in 2019, it did not begin to take effect until November 2020 when Immaculate Kassait was appointed as Data Commissioner. This was an important step in the journey to operationalize the Act. The Data Commissioner is in charge of the Office of the Data Commissioner (ODPC) whose main function is to oversee the implementation of the DPA. To further ensure its implementation and enforcement, Section 71 of the DPA empowers the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs to make regulations that give its provisions effect. In line with this mandate, draft guidelines were published on 20th April 2021. They include:

The Draft Data Protection (General) Regulations, 2021

These Regulations set out the procedures for enforcement of the rights of the data subjects in the collection and
processing of their personal data. You can find the General Regulations here.

The Draft Data Protection (Compliance & Enforcement) Regulations, 2021

These Regulations put in place avenues for data subjects to lodge complaints and seek redress when their data is used without consent or terms of use of their personal data are violated. You can find the Compliance Regulations here.

The Draft Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021

These Regulations have been proposed to define the procedure that will be adopted by the ODPC in registering data controllers and data processors as per the Data Protection Act. You can find the Registration Regulations here.

A huge concern has been how much time the affected entities will be given to comply with these regulations. According to the ODPC, this is a matter that will be dealt with once the regulations have gone through public participation and approved by Parliament. After approval, the ODPC will set timelines for compliance on the various provisions that bind these entities. In our view however, the timeline for compliance should be embedded in law.

In the meantime, members of the public have been invited to submit any representations that they may have on the draft regulations. The submissions may be made orally or by written memoranda through Email at dataprotectionregulations@odpc.go.ke not later than Tuesday, 11th May 2021 at 12:00 noon.

We have analysed and given our views on the General Regulations, Compliance Regulations and Registration Regulations. Click the links to review our analysis. For detailed advice on data protection matters, please contact us at disrupt@law3sixty.com