The Data Protection Act, 2019 – Overview
Data protection can be defined as the mechanism of safeguarding personal data and entails protections granted with respect to collection, processing, dissemination and use of the data. Data protection laws seek to protect people’s data by providing individuals with rights over their data, imposing rules on the way in which companies and governments use data, and establishing regulators to enforce the laws.
For a long time in Kenya, there were concerns that the lack of comprehensive personal data protection legislation continued to expose citizens to various risks with respect to their privacy. Whereas the right to privacy was provided for under the Constitution of Kenya, for a long time, Kenya did not have a data protection legislation in place. This ended recently when the President assented to the Data Protection Bill. The stated objectives of the Act are to regulate the processing of personal data, provide for the rights of data subjects and obligations of data controllers and processors and to establish the legal and institutional framework for protection of personal data.
In this write up, we highlight some salient provisions of the Act.
The Act applies to data controllers or processors handling data received through all means. Data controllers are broadly defined to mean persons (whether private or public) who determine the purpose and means of processing of personal data while data processers are persons who process personal data on behalf of the data controller. The Act makes it mandatory for any person intending to act as a data controller or processor to register with the Commissioner upon furnishing of prescribed information. Notably, this Act applies to both controllers and processors established or resident in Kenya and who process personal data while in Kenya as well as to those not established or resident in Kenya, but who process personal data of data subjects located in Kenya.
The Act establishes the Office of the Data Protection Commissioner to be appointed by PSC, with the mandate of overseeing the implementation and enforcement of the Act, establishing and maintaining a register of data controllers and data processors, and exercising oversight on data processing operations. In addition, the Commissioner empowered to receive and process complaints on infringement of rights under the Act and to carry out inspections of public and private entities.
Principles on Data Protection
The Act sets out principles of data protection, which we discussed in our previous publication. These principles have been incorporated into laws governing the capital markets, telecommunication sector, the electoral process as well as employment laws.
Rights of Data Subjects
Section 26 of the Act sets out various rights that a data subject is entitled to. These include the right to be informed of the use to which their personal data is to be put, to access their personal data in custody of data controller or data processor, to object to the processing of all or part of their personal data, to correction of false or misleading data and to deletion of false or misleading data about them. The data subjects are also entitled to be notified of the fact that personal data is being collected, the purpose for which the personal data is being collected, and the third parties whose personal data has been or will be transferred to.
Collection and Processing of Data
The Act requires a data controller or processor to collect personal data directly from the data subject. In exceptional circumstances however, the data may be collected indirectly. These include where the data is contained in a public record, where the data subject has deliberately made the data public, the data subject has consented to the collection from another source, the collection from another source would not prejudice the interests of the data subject, where the intended collection is for the prevention, detection, investigation, prosecution and punishment of crime or the collection is for the protection of the interests of the data subject or another person. Concerns have been raised as to whether these exceptions defeat the purpose of the protections given under the Act.
A data controller or data processor shall also not process personal data, unless the data subject consents to the processing or the processing is otherwise permitted under the Act.
Commercial Use of Data
The Act outlaws the use of data for commercial purposes, unless the data subject consents to it or the use is permitted under law and the data subject has been informed of such use. The Act further provides that a data controller or data processor that uses personal data for commercial purposes shall, where possible, anonymize the data in such a manner as to ensure that the data subject is no longer identifiable. The Cabinet Secretary is required to come up with guidelines for commercial use of personal data.
Section 43 of the Act requires that where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, a data controller shall notify the Commissioner within 72 hours of becoming aware of such breach and communicate to the data subject.
Data Transfer Outside Kenya
The Act prohibits transfer of personal data to other jurisdictions unless the transferee is subject to a law or agreement relating to protection of personal data, the data subject consents to the transfer, or the transfer is necessary for the performance of a contract between the agency and the transferee, and the transfer is for the benefit of the data subject.
This Act is important as it is anticipated it will ensure the strengthened protection of personal data and afford protection of the right to privacy for Kenyans. The putting in place of the institutional framework to ensure compliance, commitment of financial and skills resources required, as well as the support from stakeholders such as the judiciary and the industry regulators will be key to the successful implementation of the Act.
Article by George Kinyua
This publication is meant for general information only and does not create an advocate-client relationship between any reader and Mboya Wangong’u & Waiyaki Advocates. For particular expert advice on any matter dealt with above, please contact us.