Kenya data protection

Kenya’s data protection is not yet the shining example it could be

Recently, Kenya’s High Court suspended the rollout of the government’s digital ID system, Huduma Namba, citing its disregard for data protection frameworks — a win for privacy, but a warning signal that the country must do more to understand, and protect, human rights.

Kenya’s two-year-old Data Protection Act was touted as a regional standard, often compared to the EU General Data Protection Regulation. Yet, in a  similar style to its European counterpart, implementation is proving to be less effective and robust than planned in the initial stages. 

These legislations are central to the protection of human rights in the digital age, and decision-makers must dedicate resources to make them a success. To help pave the way for an improved, and truly rights-centric approach to data protection in Kenya, Access Now is publishing Data protection in Kenya: how is this right protected? 

“The foundations of data protection are laid out in Kenyan law,” said Bridget Andere, Africa Policy Associate at Access Now. “But the Data Protection Act and its implementation have a way to go before they start delivering comprehensive safeguards to the rights of millions of people. Every day, we send and receive large volumes of personal data, often without a second thought — it’s the government’s job to unpack the risks.”

The new paper analyzes the evolving situation in Kenya, breaking down what various aspects of what the Act mean in reality, and lays out practical steps for authorities to develop a stronger, more effective application of the law. Recommendations include:

Government of Kenya:

  • Guaranteeing independence for the Office of the Data Protection Commissioner by removing seemingly compulsory involvement of the Cabinet Secretary for ICT and national security bodies;
  • Ratifying international agreements to protect personal data as established under the African Union Convention on Cyber Security and Personal Data Protection and the Convention for the Protection of Individuals;
  • Clarifying scope of the Act in regards to national security and public interest exemptions, and to ensure it mirrors the spirit of the constitution; and
  • Providing adequate resources to the Office of the Data Protection Commissioner to ensure effectiveness and functionality.

Office of the Data Protection Commissioner:

  • Improving transparency and participation in processes by making provisions for meaningful public participation processes, beyond the current 14 days; and
  • Streamlining processes by reducing the amount of information required to submit a complaint, and to register a data controller or data processor.

As Data protection in Kenya: how is this right protected? explores, there is time and scope to improve Kenya’s Data Protection Act, and establish it as a regional standard. This begins with ensuring independence for the Office of the Data Protection Commissioner, and elevating meaningful public participation. 

Read the full paper.