Kenya’s constitution is among the most progressive in the world, and one clear test is on the question of privacy. Chapter 4 of the constitution, the Bill of Rights, provides an explicit right to privacy, including protections against searches, seizure of property, unwarranted collection or disclosure of information about family or personal affairs, and intrusion of communications.

In line with the country’s Data Protection Act 2019, Kenya recently took a decisive step by advertising the position of data protection commissioner through the Public Service Commission. According to the act, the commissioner shall be appointed for a fixed term of six years with no possibility of reappointment and is capable of suing or being sued.  

Part III of the act requires the registration of data controllers and processors, which shall be issued with a certificate of registration by the commissioner. The data protection commissioner is expected to keep a register of data controllers and data processors, which shall be a public document available for inspection by any person. The act prohibits any activity without registration, and the certificate is valid for a period determined at the time of the application.

Applications to the commissioner to register data controller or data processor activity should include:

  • A description of the personal data to be processed.
  • A description of the purpose for which the personal data is to be processed.
  • The category of data subjects to which the personal data relates.
  • The contact details of the data controller or data processor.
  • A general description of the risks, safeguards, security measures and mechanisms to ensure the protection of personal data.
  • Any measures to indemnify the data subject from unlawful use of data by the data controller or data processor.
  • Any other details as may be prescribed by the data protection commissioner. 

The commissioner has the power to conduct assessments and oversight on its own initiative or at the request of a third party, to issue summons and to impose administrative fines. At the same time, the commissioner is capable of conducting inspections of public and private entities to evaluate the processing of data.

This game-changing act introduces a number of other globally relevant provisions, including calling for the appointment of a data protection officer by organizations that process or handle information about Kenyans, much like the EU General Data Protection Regulation. However, unlike the GDPR, the act calls on the commissioner to promote “self regulation among data controllers and data processors.” In fact, much like the EU-U.S. Privacy Shield, the act expects the commissioner to facilitate conciliation, mediation and negotiations on disputes arising from the act.
