More and more countries are implementing data protection laws to protect their citizens. These laws offer two main benefits: not only do they protect the data subjects from harm, but they also help to attract new data-conscious businesses to invest in these countries. Kenya is now a member of the club with its new Kenya Data Protection Act of 2019. We will answer the FAQ so that you are prepared and know your next steps.
Do I need to comply with the Kenya Data Protection Act?
The Kenyan Data Protection Act is extra-territorial in its scope. This means that even if you are not established in Kenya you might need to comply with the Act. The Kenya Data Protection Act applies if:
- You are established or ordinarily resident in Kenya and process personal data while in Kenya; or
- You are not established or ordinarily resident in Kenya, but you are processing the personal data of data subjects located in Kenya. (Section 4(b))
In short, you have to comply if either you or your data subjects are located in Kenya.
I comply with the GDPR – is that enough?
The Kenya Data Protection Act is very similar to the GDPR, which you can see by the similarity in the wording. The Kenyan law uses the same definitions for “personal data”, “controllers” and “processors”. In our view, there is probably a 90% overlap between the two laws.
However, there are a few small – but very important – differences that you should be aware of.
One of the most important differences is that the Kenya Data Protection Act obliges controllers and processors to register with the Data Protection Commissioner (Section 18). This provision seems to be inspired by the UK’s Data Protection Regulation, which requires only data controllers (and not processors) to register with the Information Commissioner’s Office. For Kenya, this means only registered persons can process data. However, the Commissioner is expected to implement thresholds for mandatory registration.
There are also more specific distinctions, including:
- Health data may only be processed by or under the responsibility of a health care provider or a person subject to professional secrecy under law (Section 46);
- Data transfers outside Kenya need the approval of the Commissioner (Section 30);
- In order to process personal data for commercial use, you need the consent of the data subject or explicit authorisation by law (Section 37). This provision is very unclear. Not only is “commercial use” not defined in the Act, but the provision also seems to conflict with other lawful grounds for processing. The Commissioner is expected to give guidance on this issue.
When does the Data Protection Act of Kenya commence?
The Kenya Data Protection Act commencement date was 25 November 2019.
If you have to comply with the Kenya Data Protection Act, now is a good time to get prepared.
So far, no Data Protection Commissioner has been appointed. As the Commissioner is responsible for enactment and enforcement of the Act, there is no rush to comply with the Act.
What are the penalties for non-compliance?
The Data Commissioner may issue enforcement notices. If the infringing person does not comply, this is an offence. The Commissioner can enforce a fine of up to five million Kenyan shillings (around 740 000 ZAR) (Sections 58, 62) as well as up to two years' imprisonment.
Data subjects can also exercise a private right of action. They can claim damages for every contravention of a requirement of the Act (Section 65).
We can help you
Whether you need to make amendments to your data protection measures depends heavily on your specific industry and organisation, as well as where and how you process personal data. If you need to comply, we recommend getting tailored, professional advice.
If you need assistance with Kenya Data Protection Act compliance, we are here to help you.
Useful resources
- Full text (pdf) of the Kenya Data Protection Act of 2019
- Find out more on other data protection legislation in countries your business is targeting. For recent Californian legislation, see our post on the CCPA. For South Africa, get prepared for POPIA.
- Read more about the Data Protection Laws of Africa.