The Data Protection Act, 2019 came into operation on 25th November, 2019. One of the key operationalization steps under the Act is the establishment of the Office of the Data Protection Commissioner.

Section 5(2) of the Data Protection Act states that the Office is designated as a State Office in accordance with Article 260 (q) of the Constitution. Section 6 provides that the Public Service Commission shall, whenever a vacancy arises in the position of the Data Commissioner, initiate the recruitment process and that the Public Service Commission shall, within seven days of being notified of a vacancy invite applications from persons who qualify for nomination and appointment for the position of the Data Commissioner.

Since the Act came into operation around two months ago, I have not come across any evidence to indicate that the process of recruiting a Data Protection Commissioner has been initiated. In view of how similar offices have been operationalized I hazard two guesses why the Office may not be in place soon.

One, may be a technical question about who notifies the Public Service Commission that there is a vacancy for the position of the Data Protection Commissioner. I believe being the first Office of the Data Protection Commissioner, the Cabinet Secretary in charge of ICT should have notified PSC of the vacancy. Secondly, and perhaps the major challenge could be that there was no budgetary allocation for the Office in the current financial year. This means there may be zero resources to establish the Office. Perhaps and unless a supplementary budget is passed, the establishment of the Office may have to wait for the next financial year assuming that since the budgeting process kicked off towards the end of 2019, the Office has been factored in. Looking at these two factors, it may be a while until we have an operational Office of the Data Protection Commissioner.

Once in place, Section 8(1) provides the following functions for the Data Protection Commissioner –

(a) oversee the implementation of and be responsible for the enforcement of the Act;
(b) establish and maintain a register of data controllers and data processors;
(c) exercise oversight on data processing operations, either of own motion or at the request of a data subject, and verify whether the processing of data is done in accordance with the Act;
(d) promote self-regulation among data controllers and data processors;
(e) conduct an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of this Act or any other relevant law;
(f) receive and investigate any complaint by any person on infringements of the rights under the Act;
(g) take such measures as may be necessary to bring the provisions of the Act to the knowledge of the general public;
(h) carry out inspections of public and private entities with a view to evaluating the processing of personal data;
(i) promote international cooperation in matters relating to data protection and ensure country’s compliance on data protection obligations under international conventions and agreements;
(j) undertake research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals; and
(k) perform such other functions as may be prescribed by any other law or as necessary for the promotion of object of the Act.

With no Data Protection Commissioner in place, it means that Kenyans have no statutory institution to address their data related issues. Section 64 of the Act provides for the right of appeal against decisions and actions of the Data Commissioner by stating –

A person against whom any administrative action is taken by the Data Commissioner, including in enforcement and penalty notices, may appeal to the High Court.

However, since the Act is operational, in the absence of a Data Protection Commissioner, Kenyans may elect to have data related issues addressed by the courts; in any case, they will be seeking the enforcement of their right to privacy. The Act outlines among other issues, principles of data protection, rights of data subjects, lawful processing of personal data, transfer of data and data protection impact assessments which the courts may easily enforce.

Looking back when the EU GDPR and the California Consumer Privacy Act came into force, public and private institutions were making public notifications of the change in privacy and data protection policies and practices to comply with the new laws. In Kenya, unless one was keenly following the Data Protection Act legislative process, there has been no action by public and private institutions to indicate the coming into force of the Act. It is still business as usual; public and private entities are still in breach of the right to privacy and data protection regulations under the new Act.

In the coming months, I will critically examine the functions and powers of the Office of the Data Protection Commissioner while making comparisons with jurisdictions where similar offices have been in place for a while.