5 Years of The Data Protection Act in Kenya 2019 - 2024
Lead Researcher:
Sigi Waigumo Mwanzia
Research Assistant:
Linda Gichohi
Editors:
Dr. Grace Githaiga
Victor Kapiyo
Acknowledgements:
KICTANet is grateful to our funders and the following for providing invaluable contributions to this
publication: the Commission on Administrative Justice, Sarah Wesonga, Ivy Kinuthia, Florence Ogonjo,
Barrack Otieno, Benard Matu, Benson Muite, John Gathii, Kamochi Ombiro, Levine Njau, Mildred Achoch,
Ochieng’ Odaro, Wambui Wamunyu, among others.
Year of publication:
Policy Brief No. 19, May 2024
Photo (Title):
www.freepik.com
Copyright:
Table of Contents
Executive Summary 4
1.0 Introduction and Background 7
1.1 Overview of Key Concepts 7
1.1.1 Data Protection 7
1.1.2 Digital Sovereignty 7
1.1.3 Data Flows 8
1.2 Overview of Policy and Legal Framework 10
1.2.1 Data Protection Act, 2019 10
1.2.2 Regulations and Guidelines 11
1.2.3 ODPC Strategy 12
2.0 Analysis of the Implementation and Enforcement of the Data Protection Act, 2019 13
2.1 Registration of Data Processors and Controllers 13
2.1.1 Low Registration of Data Handlers 13
2.1.2 Collaboration of ODPC with Sector Regulators in Licensing is Essential 14
2.2 DPA Impact on Data Protection Practices by Data Handlers 14
2.2.1 Effective Enforcement Incentivises Compliance 14
2.2.2 Compliance Is Costly for Small Organizations 15
2.2.3 Business Practices are Changing 15
2.3 Awareness Raising 16
2.4 Data Breaches and Enforcement by ODPC 17
2.4.1 Financial Services Sector is Notorious for DPA violations 18
2.4.2 Failure to Obtain Consent Remains a Central Complaint 18
2.4.3 Consent and the Commercial Use of Data 19
2.4.4 Collection of Sensitive Personal Data 20
2.4.5 Emphasis on Data Subjects’ Rights 22
3.0 Challenges and Opportunities in Data Protection Implementation 24
3.1 SWOT of ODPC/Data Protection in Kenya 24
3.2 Opportunities in DPA Implementation 25
3.2.1 Adequacy Framework and Cross-Border Data Transfers 25
3.2.2 Integrate and Monitor Impact of Emerging Technologies 26
3.2.3 Promoting Cross-Border Collaboration 26
3.2.4 Promoting Innovation and Investment in Data Protection Technologies and Services 26
3.2.5 Data Protection as an Intersectional Gateway Requiring Multistakeholder Collaboration 27
3.2.6 Strict Enforcement of Unregulated Data Handlers 28
3.2.7 Internalisation of Data Protection by Design/Default by Data Handlers 28
3.2.8 Legislative Clarity to Address Overlapping Mandates 28
4.0 Conclusion and Key Considerations for the Future 30
Executive Summary
Kenya is on the cusp of celebrating five years since the enactment of the Data Protection Act (DPA) on 25th November 2019. The enactment of this law represents 15 years of domestic and international advocacy efforts towards establishing a comprehensive privacy and data protection framework for the country.

The objective of this policy brief is to review the robustness of Kenya’s policy and legal framework for the protection of privacy and personal data. It also presents an opportunity to reflect on Kenya’s progress, challenges and opportunities in its journey towards the implementation of the DPA, and to identify areas for enhancement and reform.

The methodology for this brief included a desk review of relevant literature, online focus group discussions on the KICTANet mailing list,1 and key informant interviews.

The key findings in the report include:

Progressive Trends:

1. A broad policy and regulatory framework to promote privacy and data protection, such as the establishment of the Office of the Data Protection Commissioner (ODPC) and the enactment of policies, laws, regulations and guidelines.

2. Commendable steps by the ODPC to implement and enforce the DPA, 2019, and to enhance its capacity to discharge its mandate through staff recruitment, increased funding and budgetary allocations, use of technology, decentralisation of its functions to regional offices, and collaboration with stakeholders.

3. Increasing public awareness and stakeholder engagement interventions by the ODPC and key stakeholders on privacy and data protection.

4. Increasing compliance by non-state entities, evidenced through registration, appointment of Data Protection Officers (DPOs), updating/publication of data protection policies, and changes to internal practices, e.g., data minimisation, the accountability principle, and consent for marketing operations.

5. Existence of a robust dispute resolution mechanism that integrates a voluntary Alternative Dispute Resolution (ADR) mechanism, and evolving jurisprudence by the ODPC and the courts that is reinforcing data subject rights, promoting data protection principles, and clarifying the roles of data collectors and processors.

6. Willingness by other jurisdictions to offer Kenya equivalency status, which can enhance trade and cooperation.

Problematic Trends:

1. Threats to the independence of the ODPC due to limited funding, low staffing, legal structure, political interference, recommendations for a Board appointment, and the existence of competing data protection roles/responsibilities with other sector regulators.

2. Poor enforcement of the DPA against state actors, entities in the financial sector, and Big Tech giants, who continue to process vast amounts of personal data.

1. These discussions were held between 22nd May and 2nd of April 2024.
3. Lack of a holistic national data governance framework, and low registration levels of data handlers, with at least 90% of potentially registrable business or corporate entities remaining unregistered.

4. Legislative gaps, including the lack of a data-sharing framework for state entities, guidelines on the commercial use of data, a data protection code of practice for journalism, literature and art, and an adequacy framework for cross-border data transfers.

5. Low public awareness and poor compliance levels among registrable small and medium-sized enterprises (SMEs).

6. Weak inter-agency coordination and cooperation amongst sector regulators and ministries (e.g., the Communications Authority of Kenya, the Central Bank of Kenya, the Ministry of Health, the Ministry of Trade and Industry, the Companies Registry, the Competition Authority of Kenya, and the Kenya Revenue Authority), leading to oversight and enforcement gaps.

7. Pressure from other jurisdictions for alternative data protection regimes (e.g., the Cross Border Privacy Rules (CBPR)), which could affect the sovereignty of the ODPC and the effectiveness of the DPA.

8. Entities are deploying and harnessing emerging and automated technologies, such as AI, to process personal data without effective intervention or oversight from the ODPC.

Recommendations to Kenyan Stakeholders:

1. Parliament should strengthen the independence of the ODPC by amending the DPA to make the ODPC autonomous and separate it from the ICT Ministry, and increase the ODPC’s budgetary allocation to enable it to effectively discharge its mandate across the country.

2. The ICT Cabinet Secretary should formulate a comprehensive national data governance framework to holistically address complementary data protection issues, including interoperability, data classification, and data security.

3. The ICT Cabinet Secretary/ODPC should issue relevant guidelines, codes, and frameworks to fully operationalise the DPA, including publishing guidance for lawful data-sharing between state agencies, and adequacy rules to facilitate lawful cross-border data transfers.

4. The ODPC should obtain equivalency status with other jurisdictions and collaborate with other government agencies to reap the economic benefits.

5. The ODPC should intensify efforts to regulate and oversee the data processing operations of all data handlers, especially state entities, Big Tech, and the financial sector. Further, it should engage, coordinate and cooperate with relevant sector regulators/ministries to address the emerging compliance, oversight and enforcement gaps.

6. The ODPC should build its internal capacity to understand and respond to the potential risks and impact of emerging technologies, such as artificial intelligence (AI), blockchain, the Internet of Things (IoT), digital asset management, robotics, fintech, cloud computing, virtual reality, big data analytics, genomics and biometric technologies, amongst others.

7. The ODPC should enhance transparency and accountability in its compliance, complaints and risk management systems by publishing all decisions, enforcement and penalty notices. Further, the ODPC should publish all pending registers, including an updated register of non-compliance, an updated register of complaints, a register of suspended/deregistered data handlers, and a data protection risk register.

Recommendations to African Data Protection Authorities (ADPAs):

1. Prioritise critical issues within their jurisdiction to ensure a strategic, consistent, responsive, and tailored response to data protection concerns. Governments are encouraged to provide ADPAs with the requisite resources to effectively exercise their mandate.

2. Develop sector- and issue-specific guidelines to facilitate the conduct of impact assessments, due diligence and compliance by data controllers and processors in critical sectors, including education, elections, emerging technologies, finance, identity management, health, national security, transport, and telecommunications.

3. Review and assess data localisation requirements in national data protection legal frameworks and consider these against human rights implications, domestic digital agenda and economic priorities, and citizens’ privacy and security concerns about data residency.

4. Be proactive in adopting adequacy decisions as part of the operationalisation of legal frameworks on cross-border data transfers, and obtain proof of appropriate safeguards from data handlers prior to personal data transfers to other jurisdictions. Publish guidance notes on the Cross Border Privacy Rules (CBPR) and other international mechanisms to determine whether they are compatible with national data protection legal frameworks.

5. Promote transparency in regulatory activities, given the mutually reinforcing relationship between data protection, access to information, transparency, and open data, and the need to maintain trust in data ecosystems.
1.0 Introduction and Background
1.1 Overview of Key Concepts

1.1.1 Data Protection

The term ‘data protection’ refers to the holistic “combination of legal, administrative and technical safeguards,”2 e.g., practices, measures, laws, and policies, aimed at safeguarding personal data from various risks, threats, or unauthorised access, and ensuring its availability, integrity, and confidentiality.

The term ‘data protection’ comprises two constituent parts, namely (1) data, and (2) protection. Data protection laws exclusively deal with ‘personal data’, to the exclusion of ‘non-personal data’.3 In jurisdictions that have internalised the European Union’s (EU) GDPR definition, personal data is founded on four (4) building blocks. These are “(i) any information (ii) relating to (iii) an identified or identifiable (iv) natural person”.4

Sensitive personal data and pseudonymous data are also protected under data protection laws.

application of data protection legal frameworks.5

However, the distinction between personal and non-personal data (e.g., anonymous data) is extremely difficult to maintain in practice given the risk of re-identification. This is attributed to emerging and sophisticated technologies, such as data analysis algorithms, that enable the use of varied data sets to re-identify an individual through “inferences, singling out and linkability”.6

The ‘protection’ element of data protection refers to the strategic act of safeguarding, securing, or preserving personal information from unauthorised access, damage, loss, or harm.7

1.1.2 Digital Sovereignty

The term ‘digital sovereignty’ refers to the need for state control and ownership of key technology assets, including data and infrastructure.8
Digital sovereignty intersects with data protection as a critical component of any country’s evolving digital transformation and digital governance landscapes, and in response to an escalating geopolitical battle for digital dominance.9

Nation states exert their digital sovereignty in the data protection sphere through the development and implementation of legal and policy frameworks that specify how personal data can be processed and transferred by local and foreign entities.

1.1.3 Data Flows

The term ‘data flows’ in relation to data protection refers to the movement or transfer of personal data from one location or entity to another, using automated or non-automated means.

The regulated flow of personal data is integral given technological advancements that have magnified the value of personal data and the associated privacy and security risks of unregulated data flows.

The inclusion of localisation provisions in data protection legal frameworks is designed to domesticate data and encourage investment in local data infrastructure as part of data protectionism efforts by nation states.10

These localisation provisions have been the topic of debate given their impact on trade and digital economies.

GUIDING NOTE: DIGITAL SOVEREIGNTY AND CROSS-BORDER DATA TRANSFERS

Digital sovereignty is, at its core, a timeless jurisdiction question invoking the concept of the sovereign nation state. It requires African Data Protection Authorities (ADPAs) to collaboratively establish holistic data governance mechanisms, and to address specific data protection questions such as cross-border data flows, data ownership, and data localisation.

Domestically and regionally, ADPAs are encouraged to work collaboratively with other regulatory agencies to ascertain the impact of cross-cutting issues such as trade, competition, taxation, and consumer protection. The African Union’s (AU) Digital Transformation Strategy for Africa (2020 - 2030) and the AU’s Data Protection Framework provide ADPAs with guiding frameworks.11

A Global CBPR Forum has been established to “promote interoperability and help bridge different regulatory approaches to data protection and privacy”, implementing the Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems.12

However, some stakeholders have raised concerns about the CBPR’s impact on the sovereignty of a government’s laws and regulators, for varied reasons. First, the CBPR moves the power of rule-setting from national governments to other bodies, such as industry bodies. Secondly, the CBPR takes away DPAs’ regulatory powers and proposes to bestow them upon Accountability Agents. Lastly, it takes away the power of a government to implement enforcement mechanisms.13

In April 2024, the US Department of Commerce and the Kenyan Ministry of ICT issued a statement indicating that Kenya will engage with the Global CBPR Forum whilst also recognising “the need to incorporate African countries’ perspectives in the development of international mechanisms”.

1.2 Overview of Policy and Legal Framework

Kenya has a robust legal, policy and institutional framework for privacy and data protection. This framework comprises the Constitution of Kenya, 2010, the DPA, various sector-specific legislation,16 three (3) regulations, eight (8) guidelines, case law (from the Kenyan courts and determinations by the ODPC), and the Privacy and Data Protection Policy, 2018.17

13. US Department of Commerce (2024) Joint Statement on Harnessing Artificial Intelligence, Facilitating Data Flows and Empowering Digital Upskilling Between the United States Department of Commerce and the Kenyan Ministry of Information, Communication and the Digital Economy.
14. KICTANet (2021) Public participation: An Assessment of Recent ICT Policy Making Processes in Kenya.
15. Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties) [2020] eKLR.
16. Examples include the National Payment System Act (2011), the Consumer Protection Act (2012), the Kenya Information and Communications Act (KICA) (2012), the Access to Information Act (2016), the Computer Misuse and Cybercrimes Act (2018), and the HIV Prevention and Control Act, among others.
17. The PDPP, 2018 is a policy document that lays the foundation for enforcing Article 31 of the CoK, 2010, informed by global practices in data protection. This policy informed the development of the DPA, 2019, and supports the ODPC’s effective application of, and compliance with, the DPA, 2019 to guard against personal data misuse. Commendably, the PDPP, 2018 highlighted the need to safeguard the rights of data subjects, underscoring the special protection that should be provided to children and vulnerable groups.
18. Under Article 31 of the CoK, 2010, individuals have the right not to have: (a) “their person, home or property searched; (b) their possessions seized; (c) information relating to their family or private affairs unnecessarily required or revealed; (d) or the privacy of their communications infringed.” See: The Constitution of Kenya, 2010.
1.2.1 Data Protection Act, 2019

The DPA largely mirrors the evolving standard of data protection legislation influenced by the European Union’s General Data Protection Regulation (GDPR), with a few notable framing differences. The notable deviations in the DPA include

OBJECTIVES OF THE DPA

The DPA, 2019 regulates personal and sensitive personal data processing by natural or legal persons, referred to as ‘data controllers’ and ‘data processors’ (data handlers), in the public and private sectors, guided by five objectives.

19. Kenya Law. Kenya Law Treaties and Agreements Database. See: Chatham House (2024) The AU took important action on cybersecurity at its 2024 summit – but more is needed.
20. Section 3 of the DPA, 2019.
21. Sections 2 and 4 of the DPA, 2019.
22. Examples of such operations include collection, storage, retrieval, disclosure by transmission, erasure, and destruction, amongst others. See: Section 4 of the DPA, 2019.
of the DPA. In 2024, the ODPC reaffirmed this exemption by dismissing a complaint regarding the processing of personal data using CCTV cameras within the private setting of one’s premises.23 Secondly, any personal data processed by non-automated means must form the whole or part of a filing system.

In terms of territorial scope, the DPA applies to all natural or legal persons processing personal data, irrespective of establishment or local residency in Kenya. Similar to the GDPR, the DPA introduced extra-territorial scope for data controllers or processors outside of Kenya processing the personal data of data subjects in Kenya.

The effectiveness of the ODPC’s governance structure under the DPA has come under scrutiny by stakeholders in the recent past, especially after the Worldcoin project, yet opinion remains divided on the best approach to ensure the independence and effectiveness of the ODPC.

For example, there are proponents for the ODPC to remain as currently structured, albeit with enhancements to its enforcement capacity and independence from its parent ministry.

However, an Ad hoc Committee of Parliament recently recommended the establishment of a Board to oversee the ODPC’s daily functions.24 Stakeholders observed that if this proposal were adopted, the Board would need to be composed of multi-stakeholder representatives.

A government-only board would risk further weakening the ODPC’s governance structures, with implications for Kenya’s ability to obtain an EU adequacy decision as part of ongoing discussions between Kenya and the EU.25

1.2.2 Regulations and Guidelines

Section 71 of the DPA grants the ICT Cabinet Secretary delegated legislative powers, which have borne three (3) data protection regulations.

These regulations provided much-needed legal clarity on various aspects of the data protection legal framework. They also aid compliance efforts by data handlers and empower data subjects with tools to control and assert ownership over their personal data.

The Data Protection (General) Regulations, 2021 elaborate on the provisions in the DPA26 by expounding on data subjects’ rights, data handlers’ obligations, restrictions on the commercial use of personal data, and elements of implementing data protection by design or default.

Additionally, they clarify the categories of notifiable breaches and the legal basis for data transfers, introducing Binding Corporate Rules as a mechanism for data transfers within groups (e.g., parent-subsidiary undertakings) and multinational entities.

Lastly, they also elaborate on the processing activities that require Data Protection Impact Assessments (DPIAs) and the exemptions under the DPA on national security and public interest. Notably, civil registration entities are exempt from these regulations, by virtue of the Data Protection (Civil Registration) Regulations, 2021, a move criticised by civil society organisations.27

data controllers and processors, and operationalising the ADR mechanisms.
2.0 Analysis of the Implementation and Enforcement of the Data Protection Act, 2019

Kenya’s implementation of the DPA commenced in earnest in November 2020, following the appointment of Kenya’s inaugural Data Protection Commissioner and the subsequent establishment of the office. Thereafter, it developed and issued three (3) regulations in 2021.

This intervening period granted data controllers and processors an implicit grace period of one (1) year to integrate the data protection principles delineated in Section 25 of the DPA into their operational processes, frameworks, products and services.

Additionally, it enabled the operationalisation of the functions, roles and responsibilities of the ODPC, while affording data subjects an opportunity to understand the implications of the DPA for their personal data.

2.1 Registration of Data Processors and Controllers

The DPA mandates the ODPC to keep and maintain an updated public register of all data handlers in Kenya, which can be accessed on the ODPC’s website.35

This register enables stakeholders, such as researchers and data subjects, to identify the number of data controllers vis-à-vis data processors with active registration certificates, and the key counties where data processing activities are being undertaken.

2.1.1 Low Registration of Data Handlers

As of April 2024, the ODPC had issued “5,195 registration certificates to entities”.36 According to the register, there are 5,312 registered entities in Kenya, which is commendable given that registration officially commenced less than two years ago.37 Out of these 5,312 entities, KICTANet was able to map out 34 registered state entities39 on the publicly accessible register, although according to the ODPC, there are “over 85 registered state entities”.38

These figures are concerning for various reasons. Firstly, the Registrar of Companies registered 105,531 business/corporate entities in 2023/2024.40 Consequently, at least 90% of potentially registrable business or corporate entities remain unregistered, which demonstrates the need for continued efforts to promote awareness of, and compliance with, the DPA by data handlers.

Secondly, whereas some state agencies are exempted from the DPA, the registration of 85 state entities out of an estimated “526 state corporations”41 underscores

35. Ibid.
36. ODPC (2024) Registered data handlers.
37. Ibid, n.33.
38. Respondent, ODPC, 07 May 2024.
39. These include the Tana Water Works Development Agency, the Anti-Doping Agency of Kenya, and the County Governments.
40. BRS (Registrar of Companies) (2024) Summary of Registered Entities - In 2023/2024. Leeway has been given here noting the registration threshold in the Registration Regulations.
41. Business Daily (2024) President Ruto goes for State corporations’ cash surpluses in fresh mop-up.
the government’s lackadaisical approach towards compliance with the data protection legal framework. This serves as evidence that, despite the efforts of the ODPC, implementation and compliance challenges still reign in state-led data processing operations.

Moreover, the ODPC is yet to implement Section 55 of the DPA, which requires the development of a data-sharing code specifying the lawful exchange of data between government departments or public sector agencies.42 Additionally, the absence of approved Guidance Notes for County Governments perpetuates the lack of regulation among state entities at the county level.

2.1.2 Collaboration of ODPC with Sector Regulators in Licensing is Essential

During the Worldcoin saga (explored below), the ODPC clarified that registration does not amount to licensing, i.e., that it does not have the mandate to grant data handlers permission to operate in Kenya.43

This distinction between registration and licensing has introduced a novel element into Kenya’s data protection regulatory framework, with implications for data handlers.

It reinforces the notion that compliance with the DPA is an ‘ongoing obligation’ imposed on data handlers, as magnified in KICTANet’s submissions to the National Assembly Ad-Hoc Committee,44 with a certificate of registration merely serving as prima facie evidence of compliance with registration requirements only.

Additionally, it underscored the principle of accountability in data protection, affirming that data handlers bear the primary responsibility for ensuring that their data processing activities adhere to prescribed legal obligations.

Lastly, it clarified the ODPC’s regulatory role as being one of compliance rather than sanctioning data handlers’ operations through operational licences, a mandate which vests with other state entities.

While this latter point has been disputed by some respondents, it buttresses the pressing need for inter-entity collaboration to create an effective privacy and data protection implementation and compliance environment.

2.2 DPA Impact on Data Protection Practices by Data Handlers

2.2.1 Effective Enforcement Incentivises Compliance

The DPA has had a demonstrable impact on non-state data handlers’ data protection practices. This brief concludes that two factors have incentivised registrable and registered non-state data handlers in Kenya to internalise compliance as a “continuous obligation” in their business operations.46

The first is the material risk of non-compliance to entities’ business operations, and particularly the negative impact of penalties, enforcement notices, and deregistration on profit and reputational considerations.

42. Key informant interview (Anon), 03 May 2024.
43. MMS Advocates (2023) Lessons on Data Privacy from the Worldcoin Project in Kenya.
44. KICTANet (2023) Technical Brief on the ODPC registration process and independence of data protection authorities.
45. Bowmans (2022) Kenya: Data Protection – Let’s Talk Compliance, Enforcement and Penalties.
46. ODPC. Directorates. See also: Bowmans (2022) Kenya: Data Protection – Let’s Talk Compliance, Enforcement and Penalties.
In comparison, a similar impact was not observed in the data protection practices of the majority of state entities, who still consider themselves ‘custodians of personal data’, with the exception of the seven (7) state data handlers who have registered with the ODPC (see above). Their compliance with the DPA was not assessed in this brief.

The second factor driving compliant data protection practices by non-state entities is the operationalisation of the ODPC’s Compliance and Complaints, Investigations, and Enforcement directorates, coupled with the ODPC’s shift from voluntary compliance to strict enforcement.

This has been facilitated by the provision of monetary and staffing resources to the directorates and the taking effect of the Complaints Handling and Enforcement Procedures Regulations in February 2022.47

Moreover, the implementation of the DPA has specifically impacted private entities’ adherence to (1) the data minimisation and accountability principles, (2) the integration of consent into business operations where this is used as the legal basis for processing or data transfers,48 and (3) the promotion of data subjects’ accuracy and erasure rights under Section 40 of the DPA.

2.2.2 Compliance Is Costly for Small Organizations

The implementation of the law has had a differentiated impact on multinational and local entities. Large multinational corporations reported a lower financial compliance burden in comparison to smaller entities with monetary constraints.

cost of compliance rises where an entity falls within the threshold of processing activities for which DPIAs are mandated.

Conversely, registrable/registered local entities inevitably face a relatively higher cost, given the introduction of a new regulatory requirement mandating an alignment of their data processing operations with the data protection legal framework.

2.2.3 Business Practices are Changing

2.2.3.1 Marketing Operations

Two key informants working for multinational entities commented that the implementation of the DPA has materially altered their marketing operations, with anonymisation carrying significant risks from a cost and a re-identification perspective.

These alterations sought to align business operations with the provisions on lawful processing, consent, the commercial use of data, and domestic and cross-border data transfers.

One key challenge that was reported is the ongoing failure by the ICT Cabinet Secretary to prescribe practical guidelines for commercial personal data use, as encouraged under Section 37 (3) of the DPA.

2.2.3.2 Internal/External Changes

The study found that both multinational and local entities reported taking steps to update

47. This has enabled the practical implementation of various provisions, including Sections 25, 28, 30, 32, 33, 37, 39, 45, 48, and 49 of the DPA, 2019.
48. Key informant interviews, 30 April 2024.
or develop existing/new data protection internal and external procedures.

Multinational corporations reported material alterations in contractual agreements governing employer-employee and business-to-business relationships, the deletion of unnecessary personal data contained in internal databases, and data-sharing agreements with third parties.49 Entities have also recruited data protection officers (DPOs), outsourced the DPO role, or integrated the privacy and data protection functions within their legal, audit and risk departments.

Notably, the demand for privacy and data protection services by entities has spurred the creation of employment opportunities and the development of an industry and community of researchers, auditors, lawyers, public policy personnel, innovators and ICT practitioners offering various services in the field of privacy and data protection.

Due to the ongoing cross-jurisdictional compliance efforts of multinational entities with data protection laws such as the EU’s GDPR, respondents from these entities noted that the DPA did not have a material impact on their existing data protection policies.

This was attributed to established efforts to comply with the GDPR, which allowed these entities to simply update their policies to reflect the provisions of the DPA. Additionally, positions such as in-house data protection officers were already mandated and established roles in other jurisdictions, making DPA compliance at this level comparatively easier.

Locally based organisations which did not have prior engagement with the EU GDPR have had to put in place various measures to ensure compliance with the DPA.

2.2.3.3 Data Storage and Data Minimisation

Local entities reported material changes to their data storage processes, particularly the storage of sensitive personal data. Further, local entities observed an active integration of data minimisation into business practices, and reported taking steps to delete or erase unnecessary personal data.

2.3 Awareness Raising

The implementation of the DPA has led to a notable increase in awareness levels on privacy rights and data protection among individuals and organisations in Kenya.

This heightened awareness is crucial for fostering a culture of data protection and ensuring that stakeholders understand their rights and obligations under the law.

In March 2021, the ODPC embarked on a spirited campaign targeting key stakeholders to protect personal data by instituting “appropriate privacy awareness”.50 The ODPC prioritised capacity building before embarking on capacity strengthening for significantly impacted stakeholders. This approach considered the varying stakeholder capacities and prioritised their continuing improvement to facilitate implementation efforts.
Central to these awareness-raising efforts is the ODPC’s provision of information and knowledge to stakeholders for purposes of providing legal clarity on compliance requirements and enforcement procedures, and safeguarding data subjects’ privacy rights.

To achieve this, the ODPC has used a combination of digital (print, online, website, social media) and physical awareness-creation measures.

A few notable examples of these include:

• The establishment of various online portals digitising (a) the registration process for data handlers, (b) the reporting of data breaches, and (c) the filing/lodging of complaints,51
• The provision of regular external communication on ongoing regulatory activities on its online platforms,52
• The hosting of multiple, in-person, awareness creation and consultation trainings/forums,53
• The publication of guiding material both clarifying and simplifying the DPA for data handlers in the private and public sectors and data subjects,54
• The sensitisation and training of state entities through an ongoing multi-agency awareness campaign in partnership with the Kenya School of Government,55
• The sensitisation of the public and data handlers at the grassroots level through the launch of a country-wide awareness campaign, commencing in Machakos, Tana River, Garissa and Nyeri counties,56
• The establishment of six (6) regional offices in Nakuru, Mombasa, Kisumu, Garissa, Eldoret, Kisumu, and Nyeri counties, including at Huduma Centres,57 to cascade ODPC operations and access to ODPC services to the county level.58

Strategically, the ODPC is supported in its awareness-raising and capacity building efforts with financial and non-financial support from stakeholders, such as civil society, businesses and development partners.

This support has accelerated the operationalisation of the office and enabled the ODPC’s ongoing countrywide public outreach and education campaigns.
51. These include the ODPC website and social media platforms, including LinkedIn, Facebook, Twitter and YouTube.
52. In April 2024, the ODPC partnered with Mastercard Foundation and Amnesty International to provide training to 120 Data Protection Officers on Data Protection Impact Assessments. This training supports the practical dissemination of the ODPC’s Guidance Note on Data Protection Impact Assessments. See: ODPC (2024) Data Commissioner Inaugurates Training For Data Protection Officers On Data Protection Impact Assessment.
53. ODPC. Guidelines. ODPC (2023) Data Protection Handbook. ODPC. Data Protection Z Card. ODPC Newsletters. ODPC and Kenya School of Government (2023). Data Protection Curriculum.
54. Kenya News Agency (2023) ODPC Unveils Data Protection Act 2019 Curriculum. This curriculum is not publicly accessible.
55. ODPC (2024) ODPC Launches Country-Wide Awareness Campaign. ODPC (2024). Data Protection Awareness Campaign. Kenya News Agency (2024) Kenyans Told To Be Wary Of Personal Data Protection.
56. These are public service delivery centres deployed under the Huduma Kenya Service Delivery Programme (HKSDP), a Kenya Vision 2030 Flagship Project established vide the Kenya Gazette Notice No. 2177 of 4th April, 2014. See: Huduma Kenya, About Us.
57. ODPC (2024) ODPC’s Regional Offices (Nakuru, Mombasa).
58. See: Federal Ministry for Economic Cooperation and Development (BMZ) (2024) Digital Transformation Center Kenya.
Illustratively, the ODPC has successfully partnered with a number of non-profit and development partners, such as KICTANet, Amnesty International, the Open Institute and the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ)59 to enhance stakeholder awareness and capacity building efforts.

2.4 Data Breaches and Enforcement by ODPC

This section outlines essential ODPC determinations, offering African DPAs valuable jurisprudential guidance for shaping their regulatory authority concerning determinations.
59. Examples of this support include: awareness raising based on the ODPC’s requests; the operationalisation of the ODPC strategic plan and development of standard operating procedures; connecting ODPC with other DPAs at the international level to provide implementation guidance; the provision of ICT equipment to capacitate the ODPC’s office; support to develop the AI Chatbot; support to the ODPC regarding its case management system (internal structuring); support to acquire observer status for Convention 108 (pending), amongst others.
60. Despite a reporting requirement under the DPA, 2019, only one (1) Annual Report to the National Assembly is publicly accessible online. This report does not detail the ODPC’s receipt of non-state funding. See: ODPC (2021) First Annual Report for the 2021/21 Financial Year.
61. ODPC (2024) ODPC Hosts Media Breakfast Meeting As Kenya Gears Up For NADPA AGM & Conference.
2.4.1 Financial Services Sector is Notorious for DPA violations

As of April 2024, the ODPC had received “5,315 complaints [and issued] 106 determinations, 60 enforcement notices, and 9 penalty notices.”62

As part of the study, 72 out of the 106 determinations issued by the ODPC were analysed, with the majority of the determinations pitting private individuals against private companies.63
As shown in the chart above, the financial sector, particularly digital credit providers, was the single-largest category of persons complained against by data subjects, with 40 determinations made. Local and foreign digital credit providers (DCPs) have earned the reputation of being repeat violators of the provisions of the DPA.

In response to the 1,030 complaints received by September 2022, the ODPC instituted an audit of digital lenders in line with Section 23 of the DPA.64

The findings of this audit process have not yet been released for public consumption. However, a key interviewee observed that the audit is viewed by DCPs as an ‘ongoing compliance process’ that informed the ODPC’s Guidance Note for DCPs.65

The next category was on sectors with 3-5 determinations, which included education (private and public institutions), entertainment, healthcare services (private and public) and private individuals.66 The sectors with the least number of determinations were agri-business, advertisement and marketing, cleaning services, hair and beauty services, IT solutions, legal services, immigration and resettlement, employment, taxation, and travel.

2.4.2 Failure to Obtain Consent Remains a Central Complaint

As shown in the table below, out of the 72 determinations sampled, more than 70% were complaints related to consent violations. Other complaints related to erasure, rectification and updating of personal data, requests for personal data, data relating to minors, and processing in the course of personal activities.

The unlawful disclosure of a minor’s sensitive personal data (name and address): 1
Processing of personal data through use of CCTV (video & sound) in the course of personal / household activity: 1
Total: 72
This illustrates that consent is one of the most frequently relied on legal bases for the processing of personal data but is also the most common reason for the violation of data subjects’ rights under the DPA.

Under the DPA, consent is defined as “any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.”67

This demonstrates that during the transition period (2019 - 2021), data handlers who had not implemented appropriate consent protocols in accordance with the DPA are increasingly facing the consequence of their non-compliance.

2.4.3 Consent and the Commercial Use of Data68

This case study explores the non-consensual publishing of a data subject’s publicly available images (including two minors) on social media for commercial purposes.

It raises various data protection issues relating to consent for personal data obtained indirectly for marketing purposes, transparency in data processing, and the need for data handlers to incorporate appropriate technical and organisational measures.

ODPC DETERMINATION 1973 OF 2023

On 6th January 2024, the ODPC found Bold Decisive Digital Lab (BDDL), a marketing agency, liable for using the images of Mercy Wambua and her two children, N.R and K.W, for commercial gain without her consent or knowledge, thereby violating her and her children’s rights under the DPA. In her complaint, Ms. Wambua stated that she came across images of herself and her two children in a pamphlet bearing the logo of Equity Afia, the 2nd Respondent, at one of the 2nd Respondent’s branches. Ms. Wambua noted that she had posted these images on her social media page.

BDDL claimed that the document was a proposal document presented during a private pitch to Equity Afia. BDDL further claimed that this document was not meant for public consumption nor intended to be used for marketing purposes.

In this instance, BDDL was ordered to compensate the complainants a sum totalling Kenya Shillings one million and nine hundred thousand (KShs. 1,900,000/=), computed as follows: 1st Complainant (KES 500,000), 2nd Complainant (KES 700,000), and 3rd Complainant (KES 700,000).

The key developments from this case study are that:

a) Consent is still required for collection of personal data, whether directly or indirectly collected, even where the information is in the public domain or on social media.

b) Data handlers must obtain consent prior to the processing of a child’s personal data from a person who has parental authority or from a guardian.69
c) Data handlers bear the burden of proving that consent was obtained from the data subject, including for personal data in the public domain.70

d) Organisations should prioritise transparent data collection practices, including for publicly available data, and put in place appropriate and consistent technical and organisational measures for the processing of personal data.

e) Specific damages must be pleaded in complaints for compensation to be awarded. Comparatively, the ODPC has declined to make orders for compensation where a complainant failed to pray for specific damages.

This brief highlights that before December 2023, the ODPC allowed certain data handlers to internalise the data protection by design/default principles as a means of addressing complaints instead of granting compensation to complainants, even where these were pleaded.

2.4.4 Collection of Sensitive Personal Data

This case study explores the impact of biometric and emerging technologies used in the unlawful collection, processing, and cross-border transfer of personal and sensitive personal data.

It also highlights the use of economic incentives to obtain consent, underscores the need for an approved DPIA prior to the processing of personal data, and magnifies the gaps in the ODPC enforcement mechanism.

DETERMINATION ON THE SUO MOTU INVESTIGATION BY THE ODPC ON THE OPERATIONS OF THE WORLDCOIN PROJECT IN KENYA BY TFH, THG, AND WH.71

The Worldcoin project by Tools for Humanity Corporation (THF), Tools for Humanity GmbH (THG) and Worldcoin Foundation (WF) (also, ‘Worldcoin entities’) has generated immense global interest.71

On or about the 21st of May 2021, TFH collected and processed personal data in Kenya for purposes of developing a machine learning algorithm to establish a “Proof of Personhood” protocol. In 2022, the ODPC contacted Worldcoin for additional information on the lawfulness of their activities in Kenya.

The ODPC and TFH exchanged various correspondence, including a review of a Data Protection Impact Assessment (DPIA), between 17 June 2022 and 15 July 2023. Certificates of registration as data controllers were issued to THG and THF on 15 September 2022 and 18 April 2023, respectively.

TFH continued collecting sensitive personal data until 30 May 2023, when the ODPC raised concerns on the processing of sensitive personal data by TFH and directed TFH to cease the processing of personal data.

TFH clarified the ODPC concerns and confirmed that they suspended the collection of facial and iris images from Kenyans for 14 days. TFH subsequently transferred controller responsibilities to Worldcoin Foundation.

In July 2023, the Worldcoin Token WLD (ERC-20) on Ethereum Mainnet was launched, resulting in an upsurge in the Worldcoin

70. Out of these entities, only THC and THG were registered by the ODPC as data controllers. WF was unregistered.
71. ODPC (2023) Determination on the Suo Motu Investigation by the ODPC on the Operations of the Worldcoin Project in Kenya by TFH, THG, and WH.
Project activities in Kenya. In the same month, the ODPC issued a cautionary statement to the public on disclosing any personal or sensitive data.

In August 2023, the ODPC directed TFH to immediately cease the collection and processing of personal data, ensure the safe restriction of further processing of the collected data, and securely store all collected data. On 2 August 2023, the Ministry of Interior and National Administration suspended the operation of the Worldcoin project in Kenya.

Subsequently, a multi-agency committee was formed and it took the following remedial actions:

1. Ordering TFH to cease its operations in Kenya for 12 months, until TFH, inter alia:
a) Grants the multi-agency team access to its systems for purposes of conducting a Security Systems Audit,
b) Conducts a DPIA for phase 2 of its data collection activities.

The ODPC also took a number of remedial actions, including:

2. Issuing a cease-and-desist notice to TFH to cease its operations in Kenya, which was ignored;
3. Conducting an investigation on the ODPC’s own initiative into the project in October 2023,72
4. Cancelling registration certificates for TFH and THG,
5. Applying to the High Court of Kenya seeking a preservation order of the personal and traffic data handled by TFH.

The key developments from this case study are that:

a) Economic incentives given to data subjects in exchange for their consent to data processing activities undermine the validity of consent.

b) Prior consent is a prerequisite for data transfers outside of Kenya.74

c) Data controllers cannot transfer their DPA responsibilities to third parties.

d) Data handlers are mandated to conduct a DPIA prior to the processing or transfer of sensitive personal data.

e) The enforcement of the cross-border data transfer provisions in the DPA remains a key challenge to the ODPC and the Cabinet Secretary, and regulatory vigilance by the ODPC on the data processing operations of foreign entities is critical.

f) The ODPC has an extensive mandate in oversight and enforcement of the DPA and thus it should neither see nor constrain itself to the role of a registration-only entity.74

72. Section 9 (1) (a) of the DPA, 2019 and Regulation 14 (Complaints Handling Procedure and Enforcement) Regulations, 2021.
73. One Trust Data Guidance (2023) Kenya: ODPC finds Worldcoin, Tools For Humanity Corporation and Tools For Humanity GmbH liable for data protection violations.
74. Key informant interview (Anon), 30 April 2024.
2.4.5 Emphasis on Data Subjects’ Rights

The case studies below reinforce the protection and promotion of data subjects’ rights under Section 26 of the DPA. Specifically, the ODPC has issued positive determinations relating to the right to correction of false or misleading data, the right to deletion of false or misleading data, and the right of data subjects to access their personal data in the custody of a data controller or data processor.

In the following cases, the ODPC arrived at a violation finding but applied different enforcement penalties to each, demonstrating that admitted complaints will be dealt with on a case-by-case basis.

Further, each case highlights the need for organisations to fully internalise the data protection by design/default provisions in the DPA by implementing appropriate technical and organisational measures.

Teresia noted that the Respondent sent her three messages daily for several months. Further, the complainant noted that she had cleared her payment in 2022, but her name was still included on the list of default borrowers, resulting in the unintended communication.
The determination above demonstrates a lenient approach by the ODPC with respect to some data handlers that take steps to redress rights infringements under the DPA through the strengthening of technical and organisational safeguards.

However, it also magnifies the inconsistency of the ODPC’s approach towards dispute resolution where similar violations are alleged by complainants.

In May 2023, the ODPC dealt with a complaint relating to a data handler’s failure/neglect to update the complainant’s records, infringing on their right to correct false/misleading data.76 The complainant, Koros Kiprotich, complained that the respondent, the Higher Education Loans Board (HELB), had listed the complainant as being in default despite them clearing their HELB loan.

The complainant noted that they had been in default of their loan but later cleared this. As a result of HELB’s failure to update his records and making reference to a default history, third parties continued to make reference to this inaccurate default history, which negatively impacted him. In arriving at a violation finding of Section 26 of the DPA, the ODPC held that the respondent failed to adhere to the principle of accuracy by failing to update the complainant’s personal data and, where necessary, rectify or erase inaccurate data.77

The ODPC directed the HELB to rectify and/or update its records to ensure the complainant’s personal data shared with third parties is accurate within seven (7) days. HELB noted that they were taking remedial measures by engaging relevant third parties with whom they share personal data to integrate HELB’s systems through APIs for seamless updates.

The determination above clearly outlines the burden placed on data controllers to provide accurate data to reliant third parties.
ODPC DETERMINATION NO. 1775 OF 2023

This ruling emphasises data handlers’ obligation to facilitate data subject access requests, regardless of potential challenges related to other individuals’ personal data. In this regard, data handlers should implement appropriate technical and organisational measures to anonymise and conceal the personal data of their staff, to be able to give effect to data subjects’ right to access.

78. ODPC (2024) ODPC Launches AI Chatbot as Kenya Marks Data Privacy Day 2024.
3.0 Challenges and Opportunities in Data Protection Implementation

This section highlights key challenges and opportunities in data protection implementation. This is canvassed through a SWOT analysis and a brief discussion on observed implementation opportunities, as informed by key respondents drawn from KICTANet members’ informative feedback.

OPPORTUNITIES

1. Strong collaboration and partnerships with various stakeholders on privacy and data protection.
2. Sectoral focus on private data handlers with large jurisdictional/population scope (education, health, telecommunications, and finance).
3. Functional online portals facilitating access to information, registration and complaints, and awareness raising.
4. Introduction of a voluntary data dispute mechanism (ADR) to reduce adversarial administrative action/litigation.

WEAKNESSES

1. Ongoing delay by the ODPC/ICT Cabinet Secretary to fully actualise the DPA.80
2. Constrained ODPC independence.
3. Lax enforcement against state entities’ data collection and processing operations.
4. Lack of national data protection certification standards, resulting in reliance on international accreditation (e.g., IAPP).
5. Non-holistic national data governance framework resulting in data governance gaps (e.g., lack of data classification guidelines).

79. Issues noted include the failure to establish an adequacy framework; the delayed publication of guidelines on the commercial use of data, guidelines on the localised processing of data; the failure to publish a data-sharing code for the exchange of personal data between government departments/public sector, certification codes/mechanisms).
80. KICTANet (2023) How to Engage With Data Protection Authorities as an SME.
STRENGTHS

1. Strong multi-stakeholder goodwill, interest and collaboration to support ODPC to promote privacy and data protection.
2. Strength of DPA and ODPC can be used to obtain equivalency status with other jurisdictions and generate economic benefits for the country.
3. Directed focus on state entities to shatter the perception of data ownership vesting in the state rather than data subjects.
4. Promotion of transparency in regulatory activities through publication of additional registers (updated register of noncompliance; an updated register of complaints; a data protection risk register).
5. Collaboration with other regulatory, licensing and ministerial entities to support holistic data governance (e.g., introduction of data protection registration as a licensing prerequisite for financial entities with the Central Bank of Kenya).
6. Active participation in the development of the AI Strategy to ensure infusion of data protection considerations.
7. Sustained development of internal and external stakeholder capacities and capabilities (e.g., dissemination of privacy and data protection resources, staff expansion).
8. Directed compliance support to registrable SMEs.81
10. Development of additional guidelines/frameworks (e.g., user guide outlining integration of fairness and justice in complaints mechanism, guidelines on data localisation to support digital sovereignty efforts). Provision of legal clarity on meta consent.

THREATS

1. Broad claw-back clauses in the DPA (e.g., national security, public interest).
2. Poor self-reporting of data breaches by data collection and processing entities.
3. Steep rise in cyberattacks with increased risks for automated databases containing personal/sensitive personal data.
4. ICT Ministry consideration of Cross Border Privacy Rules threatening digital sovereignty and the domestic position on cross-border data transfers.
5. Foreign pressure to alter provisions of the data protection legal framework (e.g., renewed calls by the World Bank to water down localisation requirements).
6. Growing use of unregulated emerging technologies (e.g., AI, digital assets).
7. Inadequate staffing and technical capacity at data handlers’ level.
8. Conflation of data protection and privacy, with limited focus on other privacy values.
9. Low public awareness.
10. Differentiated protection of sexual orientation and gender identity rights.
11. Unregulated secondary use of data. Lack of regulatory clarity regarding the data protection roles/responsibilities of the ODPC and the Commission on Administrative Justice.

81. Gichuhi & 2 others v Data Protection Commissioner; Mathenge & another (Interested Parties) (Judicial Review E028 of 2023) [2023] KEHC 17321 (KLR) (Judicial Review) (12 May 2023) (Judgement). See also: Paul Ogendi (2023) The effect of the 90-day period for deciding on complaints submitted to the Office of the Data Protection Commissioner in Kenya.
82. A key informant noted that the ODPC is in the process of operationalizing cross-border mechanisms. This is pending. See: Key informant interview (Anon), 03 May 2024.
and regional countries. Further, the ODPC is encouraged to develop a national adequacy framework and proactively seek equivalency status with other jurisdictions to facilitate cross-border data transfers and align with the domestic agenda on global trade and e-commerce.83

This alignment with best practices is critical for enhancing Kenya’s reputation as a reliable and trustworthy destination for digital trade and data-driven businesses and will demonstrate Kenya’s commitment to upholding high standards of data protection, data privacy and data security, thereby attracting foreign investment and partnerships.

3.2.2 Integrate and Monitor Impact of Emerging Technologies

Emerging technologies such as Artificial Intelligence bring new challenges to data protection, as they require large amounts of data, and can bring tremendous economic and social value to those who utilise that data to develop solutions.

Thus there is pressure for making data available, but also pressure for domestic entities to capture the value from that data. These pressures can further test DPA implementation, and specifically test registered data handlers’ ongoing compliance. One key informant recommended the use of AI to support audit and compliance processes through the integration of AI tools into data handlers’ systems/processes. However, this recommendation raises legal challenges that need to be explored prior to the finalisation of Kenya’s AI Strategy.

The ODPC and ADPAs are encouraged to adopt a proactive rather than a reactive approach to emerging data protection issues. Some respondents called on the ODPC and ADPAs to build their internal capacity to understand and respond to the potential opportunities, risks, and impact of other key emerging technologies with an impact on data protection. These include blockchain, the Internet of Things (IoT), digital asset management, robotics, fintech, cloud computing, virtual reality, big data analytics, genomics and biometric technologies, amongst others.

3.2.3 Promoting Cross-Border Collaboration

The ODPC and ADPAs are encouraged to address cross-jurisdictional data protection challenges in collaboration with regional and international DPAs. Some respondents urged ADPAs to identify actionable areas of collaboration on emerging areas such as the regulation of personal data, cross-border data transfers, and technological advancements such as AI, blockchain, and the Internet of Things.84

By sharing best practices, resources, and expertise, along with establishing Equivalency or Adequacy statuses and related mechanisms for cooperation, DPAs can enhance their capacity to address these complex challenges and protect the privacy rights of individuals across jurisdictions whilst maintaining digital sovereignty.
3.2.4 Promoting Innovation and Investment in Data Protection Technologies and Services

The implementation of the DPA presents a fantastic opportunity for innovation and investment in data protection technologies and services by technology companies.

As organisations entrench their compliance with the requirements of the DPA, there is a growing demand for solutions such as data encryption, anonymization techniques, and data breach detection tools.

This presents an opportunity for technology companies to develop and offer innovative solutions to address these needs, stimulating growth and job creation in the digital sector. In the same breath, Kenya’s migration of IT infrastructure onto the cloud by public and private entities is catalysing Kenya’s growth of the data centre industry, leveraging renewable power.85 [Boniface Abudho & Stephen Beard (2023) Africa’s Data Centre Boom.] While this migration is still in its nascent stages, it presents a novel opportunity for the development of robust data protection infrastructure and services.

The ODPC is encouraged to proactively engage data centre entities to invest in secure and compliant data storage solutions by building data protection by design and default into their products and services prior to deployment.

3.2.5 Data Protection as an Intersectional Gateway Requiring Multistakeholder Collaboration

Some respondents noted that the protection of personal data goes hand in hand with efforts to bridge technology gaps to ensure that individuals have meaningful, safe, and secure access to digital products and services.

Given the cross-cutting scope of data protection, the continuing implementation of the DPA presents an opportunity for inter-entity collaboration at the state level and the prioritisation of collaborative awareness raising on intersectional issues, such as cybersecurity.

DIGITALISATION TRENDS IMPACTING DATA PROTECTION

The COVID-19 pandemic spurred the rapid adoption of ICTs and increased digitalisation efforts across various sectors. Illustratively, Kenya’s mobile (SIM) penetration rate stood at 130.5 percent against a population of 56,203,030.86 [Communication Authority of Kenya (2023) Third Quarter Sector Statistics Report for the Financial Year 2022/2023 (1st January – 31st March 2023); Macrotrends (2024) Kenya Population 1950-2024.] Mobile data subscriptions stood at 51 million and the number of smartphone devices was recorded as 33.6 million.87

As of February 2024, the Central Bank of Kenya reported 77.33 million mobile money

85. Communication Authority of Kenya (2023) Third Quarter Sector Statistics Report for the Financial Year 2022/2023 (1st January – 31st March 2023); Macrotrends (2024) Kenya Population 1950-2024.
86. Ibid.
87. Central Bank of Kenya, Mobile Payments.
accounts transacting a total of KES 790.8 billion,88 and Safaricom’s M-Pesa’s 30 million active monthly users made 21.6 billion transactions valued at KES 35.86 trillion in 2022.89

To leverage these ICT dividends, the government has prioritised service delivery through its digital platform, eCitizen, and introduced a biometric digital identity (Maisha Namba) for all citizens.90

These developments have progressively heightened cyber risks and data breaches. In the period between September and December 2023, the total cyber threats detected increased by 943% from 123.9 million to 1.29 billion, of which 98.2% comprised system vulnerabilities.91

Other threats noted included mobile application attacks, malware, brute force attacks (DDOS/Botnets) and web application attacks.

The Worldcoin saga cemented the pressing need for the ODPC and other sector regulators and licensing entities to collaborate in scrutinising the deployment of emerging technologies given their impact on sensitive personal data.

To this end, respondents recommended heightened inter-entity collaboration between the ODPC and critical regulators/ministries at the domestic level for purposes of shattering “siloed conversations between state entities”.92

A few critical entities highlighted included:

• The National Computer and Cybercrimes Coordination Committee (NC4), where an ODPC representative sits as a member, to address growing cybersecurity threats.
• Relevant licensing authorities, such as the Central Bank of Kenya, Communications Authority, and relevant agencies within the Office of the Attorney General, Ministry of Health and Trade, to integrate data protection registration as a prerequisite for licensing for non-state entities.
• Trade and taxation entities, such as the Ministry of Trade, Investments and Industry and the Kenya Revenue Authority, to ensure that data protection considerations are internalised into trade discussions, both regionally and internationally, and at the local tax level, noting the powers wielded by tax authorities.

3.2.6 Strict Enforcement of Unregulated Data Handlers

Respondents queried the ODPC’s capacity to effectively regulate both state entities and technology giants, such as social media platforms, which process large data sets but remain largely unregulated.

Two areas where implementation/enforcement gaps were observed relate
to social media and data mining/scraping companies, which operate across borders, making it challenging to enforce data protection regulations effectively.

3.2.7 Internalisation of Data Protection by Design/Default by Data Handlers

Data handlers are reminded about the need to "rethink and perhaps even redesign their processes, products and services in order to factor in data protection principles throughout the lifecycle of their operations."93

One interviewee emphasised their proactive approach, which includes regularly conducting compliance audits and risk assessments on their data processing activities to ensure compliance with ODPC determinations, evolving case law, guidelines, and other relevant factors.94

3.2.8 Legislative Clarity to Address Overlapping Mandates

Prior to enactment of the DPA, there were several laws and institutions implementing various sectoral functions relating to privacy and data protection. For example, some respondents observed that the Commission on Administrative Justice (CAJ) was Kenya's first data protection authority under the Access to Information Act, 2016 (ATI Act, 2016). This is attributed to the data protection powers, roles and responsibilities, specifically targeting public entities and regulatory bodies, possessed by the CAJ.95

The CAJ's data protection functions include: 'assessing and evaluate the protection of personal data processed and stored by public entities; engaging the public on the right to the protection of personal data; ensuring public entities' and regulatory bodies' compliance with data protection measures; monitoring state compliance with international treaty obligations relating to the protection of personal data, and promoting the protection of data.'

Other relevant institutions with functions relating to privacy and data protection include the Central Bank of Kenya, the Communications Authority, the ICT Authority, the Insurance Regulatory Authority and the Kenya National Commission on Human Rights, amongst others.

Noting that privacy and data protection are a cross-cutting issue, it is imperative for Parliament to address potential mandate overlaps. In the interim, the ODPC should consider entering into a working regulatory arrangement with other agencies or regulators whose role affects or complements its mandate.
4.0 Conclusion and Key Considerations for the Future

In the five years since the enactment of the DPA, the protection of personal data has transitioned from a peripheral concern to occupying legal and normative primacy, with significant progress being made towards implementing and enforcing its provisions.

Particularly noteworthy are the commendable efforts of the ODPC to bolster its internal implementation and enforcement mechanisms, heighten awareness among stakeholders, and fortify its ability to implement and uphold the DPA. These efforts stand out as key drivers of Kenya's notable progress in this domain.

However, looking back, stakeholders noted the existence of key implementation and enforcement gaps and issues in Kenya's data protection environment that require urgent redress. A few key issues noted in this brief include:

1. Independence: The ODPC's independence remains a key issue, with Parliament's recommendation for a Board to oversee the daily operations of the ODPC remaining a contested solution.

2. Gaps in Enforcement against State Entities and Technology Giants: The ODPC's capacity to effectively regulate both state entities and large technology giants, such as social media platforms, has not yet been fully tested. This is attributed to an ongoing delay by the ODPC/ICT Cabinet Secretary in fully actualising the DPA, 2019.

3. Low Registration Levels of Data Handlers: At least 90% of potentially registrable business or corporate entities remain unregistered.

4. Foreign Pressure: Kenya's ICT Ministry and the ODPC are facing immense pressure to adopt rules (e.g., CBPR) and water down localisation provisions, with an impact on the nation's digital sovereignty and the domestic position on cross-border data transfers.

5. Unregulated Emerging Technologies: entities are deploying and harnessing emerging and automated technologies, such as AI, to process personal data without effective intervention from the ODPC.

It is against this background that this policy brief makes critical recommendations to data protection stakeholders, including the ODPC, Parliament and the ICT Cabinet Secretary, to:

6. Strengthen the Independence of the ODPC: this can be done by amending the DPA to make the ODPC autonomous and separate it from the ICT Ministry, and by increasing the ODPC's budgetary allocation to enable it to effectively discharge its mandate across the country.

7. Adopt a Proactive and Collaborative Approach to Emerging Technologies and Key Data Protection Threats: the ODPC is reminded about the need to be alive to emerging technology and to build its internal capacity to understand and respond to the potential risks and impact of emerging technologies, with calls for collaborative inter-agency efforts geared towards mitigating risks from existing and emerging technologies.

8. Regulation of Unregulated Data Handlers: the ODPC is urged to intensify its efforts to regulate the data processing operations of all data handlers, especially state entities, Big Tech, and the financial sector.
The policy brief also makes critical recommendations to ADPAs and African governments, given the need to collaboratively secure an effective regional data protection environment in Africa, which include:

1. Prioritise Transparency in Regulatory Activities: ADPAs are reminded about the need to promote transparency in their regulatory activities, given the mutually-reinforcing relationship between data protection, access to information, transparency, and open data and the need to maintain trust in data ecosystems.

2. Prioritise Critical Issues at the Domestic Level: ADPAs are encouraged to prioritise critical issues within their jurisdiction to ensure a strategic, consistent, responsive, and tailored response to data protection concerns. Governments are encouraged to provide ADPAs with the requisite resources to effectively exercise their mandate.

About KICTANet

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder think tank for ICT policy and regulation whose guiding philosophy encourages synergies for ICT policy-related activities and initiatives. The network provides mechanisms and a framework for continuing cooperation and collaboration in ICT matters among industry, technical community, academia, media, development partners, and Government.

KICTANet: The Power of Communities