Two years ago, the European Union General Data Protection Regulation (GDPR) came into operation. In this article I discuss the impact the GDPR has had on privacy and data protection regulation in Kenya and lessons we may draw from its two years of existence. The GDPR generally does not apply to data processing occurring outside the European Union save for specific circumstances outlined in the Regulation.

The GDPR provides that it applies to the processing of personal data in the context of the activities of an establishment of a data controller or a data processor in the EU regardless of whether the processing takes place in the EU or not. Further, that it applies to the processing of personal data of data subjects who are in the EU by a data controller or data processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or the monitoring of their behaviour as far as their behaviour takes place within the Union.

Notwithstanding the above, many Kenyan businesses were worried about the impact the GDPR would have on their businesses. Shortly after it came into operation, there were events and forums that sought to unpack the GDPR. In fact, trainings were held to prepare institutions on how to comply with the GDPR. People sought to be GDPR experts. The enthusiasm however waned for a while until when data protection legislation was enacted.

The chatter around the GDPR was not only reserved for institutions. When the GDPR came into operation, just like many other countries, Kenyans who had signed up to online platforms that had their registered offices in the European Union were required to review and either accept or reject new privacy and data protection policies. These online platforms indicated that they were now governed by a new data protection legal regime that required them to realign their operational policies and how they engaged with their users’ personal data. Having to re-sign into these platforms was fodder for discussions by Kenyans, there was chatter about this new phenomenon called GDPR that ‘littered’ peoples’ inboxes.

The operationalisation of the GDPR brought to the fore debate that Kenyans had not had for a while, at least in the public domain, the right to privacy and concept of data protection. In as much as Article 31 of the Constitution provides for the right to privacy, Kenya at the time had no data protection legislation and jurisprudence was scant on the issue. The GDPR reignited the debate that had been raging for almost a decade, the need for Kenya to enact privacy and data protection laws.

The GDPR announced its existence with a lot of fanfare and razzmatazz. Interestingly, in February 2010, ECOWAS Heads of State and Government enacted an Act on Personal Data Protection within ECOWAS. Ideally, this should have been the legal document that would have pushed African States to consider having concrete data protection legislation. The Act is contextual to Africa and would have provided an apt guide to the formulation of data protection policies and regulations. However, to date, some ECOWAS States are yet to comprehensively domesticate the Act.

In June 2014, the African Union adopted the African Union Convention on Cyber Security and Personal Data Protection. Kenya is yet to ratify the convention. Just like the ECOWAS Act on Personal Data, I would have expected that the adoption of the text of the AU Convention would have formed strong basis for African States to enact data protection legislation. A mention of the GDPR would elicit animated response from a Kenyan as opposed to a mention of the ECOWAS and AU documents.

In November 2019, Kenya enacted the Data Protection Act (Act No. 24 of 2019). I had the occasion to chat with some of the experts who were engaged by the Ministry of ICT to draft the Act. They intimated that they borrowed heavily from the GDPR in many aspects. There was scant mention of the influence of the AU Convention or the ECOWAS Act. From matters relating to classification of data, data subjects rights, the statutory duties of data controllers and data processors, legitimate processing of data, pseudonymisation and anonymisation, notification of breaches and enforcement provisions among others have a strong tinge of the GDPR. Without doubt, the GDPR informed the text of the Data Protection Act, 2019.

Implementation and enforcement of the GDPR within the EU has not been rosy. Many challenges abound that perhaps the Data Commissioner will have to grapple with once in office. While the challenges may be unique to EU States, I believe that how public and private institutions around the world engage with privacy and data protection is by and large the same. The challenges outlined below are lessons worth consideration.

One key challenge with the GDPR is the amount of resources EU States have allocated to data protection regulatory bodies. Two years down the line, data protection authorities within the EU have had challenges in funding, resource allocation and many are poorly staffed. This has had an impact on the efficacy and performance of these institutions.

Another challenge is dealing with the ever evolving and innovative technology space. Technological innovations are moving faster than policies and laws are being enacted.  For example, Artificial intelligence undertaking data processing has brought into question the level of free, prior and informed consent of data subjects. Most consent to data processing is mechanical. Also, how do you deal with new technologies engaged in automated decision making? To what extent is privacy by design possible? How do we balance privacy, data protection and innovation?

Enforcement poses another challenge. Critics argue that data protection authorities are not issuing enough legal sanctions and that the legal sanctions meted thus far are not commensurate to the violations committed. Should authorities adopt an adversarial or conciliatory approach when enacting privacy and data protection laws? Are legal sanctions such as fines sufficient?

Data protection adopts a risk-based approach where data controllers and data processors first carryout an assessment of the potential risks to data processing. Unfortunately for data subjects not enough and comprehensive data protection impact assessments are being carried out.

The balance between individual data subject rights and public interest use of personal data is another challenge. Within the EU, several Member States have adopted mass surveillance technology that trumps the right to privacy. In the Covid-19 era there has been robust debate on what kind of contact tracing technologies should be adopted within the EU.

Businesses are facing challenges complying with the GDPR. Is there a business case for data protection? How can regulators ensure that businesses comply without placing undue burden on them?

The cited challenges are not exhaustive, but, they offer key reflections for the Data Commissioner once in office.

Two years on the GDPR’s influence is being felt in Kenya.