Two years of the Kenyan Data Protection Act

Two years ago, the Kenyan Data Protection Act, 2019 (DPA) came into operation. The DPA gives effect to Article 31(c) and (d) of the Constitution that relate to the right to privacy. The DPA establishes the Office of the Data Protection Commissioner; it sets out principles of data protection; it outlines the rights of data subjects; and mandates data controllers and data processors to comply with certain basic organisational and technical measures when processing personal data.

Since enactment of the DPA there have been a few significant events on the protection of the right to privacy in Kenya. The Data Protection Commissioner (DPC) was appointed on 12th November 2020 almost one year after the enactment of the DPA. The DPC’s mandate is mainly to ensure implementation of the DPA and carry out enforcement under the Act.

Section 8 of the DPA sets out the functions of the DPC. Going through the functions of the DPC one by one indicates that the DPC has a long way to go to ensure full operationalisation of the DPA and effective enforcement of privacy rights in Kenya.

One, under section 8 of the DPA, the DPC is yet to establish and maintain a register of data controllers and data processors. This is mainly because Regulations under the DPA are yet to be enacted. In April 2021, the DPC and the ICT Cabinet Secretary published three draft Regulations under the DPA. The three drafts are the Data Protection (General) Regulations, 2021; the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021; and the Data Protection (Compliance and Enforcement) Regulations, 2021.

The three draft Regulations were subjected to public debate though not as robust as contemplated by the Constitution and jurisprudence from the courts. Notwithstanding, stakeholders identified among other inadequacies in the regulations –

They go overboard on localisation of personal data which is not contemplated under the DPA. The registration process and fees are too onerous and would have negative economic impact especially on small businesses operating in Kenya. They do not adequately address international data flows. They create overly bureaucratic measures by requiring filling of forms at every instance a data subject wishes to exercise their data protection rights. They do not clearly define harms to data subjects. They do not provide for sector specific guidelines on data protection. They are vague on automated decision-making processes. They are not simple enough for ‘mwananchi’ to understand and implement them. They do not provide for adequacy decisions by the DPC, and they do not provide for inhouse complaints mechanisms.

The DPC is yet to publicise the revised Regulations so that Kenyans may know whether their views were taken on board. It is instructive that the draft Regulations are subjected to another round of public comment.

Two, section 8 mandates the DPC to exercise oversight over data processing operations on its own motion or at the request of a data subject. On this, the High Court in Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others Ex Parte Katiba Institute & another; Immaculate Kasait, Data Commissioner (Interested Party) [2021] eKLR pointed to certain failures by the DPC and the State in general. The petition challenged the roll out of Kenya’s digital ID known as ‘Huduma Namba’. The challenge was that the State had not carried out a data protection impact assessment before rolling out the digital ID system.

The Court ruled that one, the Data Protection Act applied retroactively. That, notwithstanding that the Act was enacted in November 2019, Article 31 of the Kenyan Constitution came into place in August 2010 and that the Act applies from the date the Constitution was promulgated. Two, the Court ruled that the State must carry out a data protection impact assessment before rolling out the digital IDs. Ideally, the DPC ought to have provided oversight in carrying out a data protection impact assessment for ‘Huduma Namba’. In fact, section 8(1)(e) provides that the DPC is to conduct assessment of public and private bodies.

The above decision however indicates that the Courts will always be a forum where data subjects may seek enforcement of their privacy and data protection rights. What is worrying about the decision is that individuals will be side stepping the complaints mechanisms set out under the Data Protection Act and filing constitutional petitions claiming that they are not ‘data subjects’. This is worrying for data controllers and processors who will find themselves in court defending a matter that could have at first instance be handled by the data controller or data processor inhouse failure to which the ODPC mechanism would check in then the High Court.

The Courts ought to appreciate the complaints mechanisms in data protection are not just mere ‘fair administrative action’ issues or normal judicial review. Data controller or data processor and data protection authorities ought to first deal with complaints before courts. Giving an opportunity to data controller or data processor to handle a complaint at first instance provides a platform to address the data subjects’ complaints using ADR mechanisms before the ODPC deals with it. Even ODPC must apply ADR mechanisms.

Only after this two-step process should the Courts intervene. Courts should also be aware of Petitioners who seek to circumvent this two-step process in dealing with complaints under the DPA. It is bad precedent to get data controller or data processor defending matters directly in the Courts.

What the Court did is make itself the Data Commissioner and made an enforcement notice (S.58 DPA) for Data Protection Impact Assessment. Also looking the Court failed to make an assessment as set out under S.62(2)(a – l) of the DPA. Question is, will the Court now come back and issue and administrative fine under S.63 of DPA is a Data Protection Impact Assessment is not carried out?

Three, section 8 mandates the DPC to promote self-regulation among data controllers and data processors. This is yet to be carried out. Bearing in mind that section 74 empowers the DPC to develop sector specific guidelines in consultation with stakeholders, the DPC ought to ensure that these are in place.

Four, section 8 empowers the DPC to investigate complaints made on infringement of rights under the DPA. While the DPC has been receiving complaints from data subjects, the DPC is yet to issue any administrative order or fine against any data controller or data processor against whom a complaint has been made.

Five, section 8 indicates the DPC is to bring provisions of the Act to the knowledge of the public. Granted, since coming into office, the DPC has experienced resource constraints. In the 2021/2022 budgetary allocations, the Office of the Data Protection Commissioner (ODPC) was allocated just over Ksh. 50 million. A far cry from what the ODPC ought to be allocated by the Exchequer. Still Kenyans, data controllers and data processors around the country remain in the dark about the DPA compliance process and data subjects have no idea what their data protection rights as stated under section 26 of the DPA are.

The DPC is still tied to the hip with the ICT Cabinet Secretary. There are still two centres of power under the DPA, the DPC and the ICT Cabinet Secretary. The ICT Cabinet Secretary has roles under sections 5(5), 35(5), 37(3), 50, 68(3), 70, and 71(1) of the DPA. This ought to be remedied through amendments of the DPA to ensure a truly independent DPC devoid of control and micro-management by the Executive.

With the DPA in force, opportunities for employment, training and consultancies have opened. More and more Kenyans are seeking data protection certification. A new profession is emerging – data protection experts/specialists/gurus. However, there is still a great shortage of data protection experts to serve data controllers and data processors in both the public and private sectors.

Looking back at the two years of the DPA, it is apparent that no privacy rights defining events have taken place. A lot remains to be done especially by the DPC assuming that the State will fund the Office and ensure that it is independent of Executive control. Without such action, Kenya will remain in a state of uncertainty in relation to compliance and enforcement of the DPA. For businesses this is costly and slows down the ease of doing business in Kenya. For the data subject, it simply means they do not have effective remedies in relation to their right to privacy and data protection rights.