On Nov. 16, 2020, Immaculate Kassait was sworn in as Kenya’s first-ever data protection commissioner. Kassait, a former director of voter education and partnerships at the Independent Electoral and Boundaries Commission, was appointed by President Uhuru Kenyatta to actualize the Data Protection Act 2019. She has promised to hold multinational companies, such as Google, Facebook and Twitter, accountable to Kenyan laws.
According to the act, the DPC has powers to conduct investigations on its own initiative or on the basis of a complaint made by a data subject or a third party and impose administrative fines for failures to comply with the act. It also has the authority to facilitate conciliation, mediation and negotiation on disputes arising from the act, issue summons to a witness for the purposes of investigation, and require any person that is subject to the act to provide explanations, information and assistance in person and in writing.
At the same time, the DPC will be charged with overseeing the implementation and enforcement of the act, establishing and maintaining a register of data controllers and data processors, exercising oversight on data-processing operations, either of its own motion or at the request of a data subject, and verifying whether the processing of data is done in accordance with the act.
Other DPC duties include promoting self-regulation among data controllers and data processors, conducting an assessment on its own initiative of a public or private body or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of the act or any other relevant law, receiving and investigating any complaint by any person on infringements of the rights under the act, and taking such measures as may be necessary to bring the provisions of the act to the knowledge of the general public.
Finally, the DPC will be charged with carrying out inspections of public and private entities with a view to evaluating the processing of personal data, promoting international cooperation in matters relating to data protection, ensuring the country's compliance with data protection obligations under international conventions and agreements, undertaking research on developments in the processing of personal data, and ensuring there is no significant risk or adverse effect of any developments on the privacy of individuals.
The act is clear that no person shall act as a data controller or data processor unless registered with the DPC. The DPC shall prescribe thresholds required for mandatory registration of data controllers and data processors. When making such determination, the DPC shall consider the nature of industry, the volumes of data processed, whether sensitive personal data is being processed, and any other criteria the DPC may specify.
Any data controllers or data processors required to register shall apply to the DPC. Such an application shall provide a description of the personal data to be processed by the data controller or data processor and the purpose for which the personal data is to be processed, the category of data subjects to which the personal data relates, contact details of the data controller or data processor, a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data, any measures to indemnify the data subject from unlawful use of data by the data processor or data controller, and any other details as may be prescribed by the DPC.
In relation to an infringement of a provision of the act, the maximum amount of the penalty that may be imposed by the DPC in a penalty notice is up to 5 million shillings, or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower.