Kenya Passes The Data Protection Law! What It Means For Users and Data Processing Entities
“Kenya has joined the global community in terms of data protection standards!” Joe Mucheru, Minister for Information, Technology and Communication, told George Obulutsa and Duncan Miriri from Reuters.
On Friday 8 November 2019, Uhuru Kenyatta, President of the Republic of Kenya, signed and approved a Data Protection Law. It complies with European Union (EU) legal standards, and its purpose is to reinforce investment in the country’s Information, Communications and Technology (ICT) sector.
According to Business Daily, the signing exercise was accompanied by a meeting with Amazon Web Services (AWS) executives, who are expanding into Kenya. The Amazon-owned cloud services subsidiary sells a variety of services to corporate customers and handles large amounts of personal data across several regions.
Big companies like Safaricom have criticized the Kenyan government for failing to provide a reliable, fail-safe data protection system to cover the country’s Information, Communications and Technology (ICT) sector. Friends of the industry, as well as members of the Republic, share the same sentiments, as there is a need to reinforce the legal system to cap data abuse in the Republic.
Kenya has lured foreign firms and investors with innovations like M-Pesa mobile money services. However, the lack of preventive measures to protect personal data has restricted the full growth potential in this area. A lack of data protection legislation has also hindered the government’s efforts to digitize identity records for citizens. However, strides in the right direction are being made thanks to the approved Data Protection Bill.
What The New Data Law Means
The Data Protection Law will regulate processing of personal data and information. Handling of the information will be aligned with principles highlighted by the General Data Protection Regulation (GDPR). Effectively, illegal processing of personal data will be punishable.
The law also states that an office of a Data Protection Commissioner (DPC) be set up, an institution that did not exist before. The law will also cover people who own and control data, as well as third parties that manage, store, and sort personal data. Furthermore, the law applies to natural or legal persons, agencies and public authorities. Local and international organizations alike will be guided by the law, on the condition that they process data belonging to locals. Additionally, organizations that own, manage, or control data will have to register their businesses at the Data Protection Commissioner’s office.
It is important for Kenyans to note that the law now gives them the right to know how their information is handled, as well as the right to ask for permanent removal or editing/correction of incorrect data. Also, with regard to data portability, Kenyans now have the right to accept or reject the transfer of their data to another service. This will particularly impact mobile phone users/subscribers; a long-term nuisance for a lot of users is finally addressed!
Auxiliary benefits include a powerful data privacy system for sensitive data and harsh penalties for those who do not comply with the law. For instance, offenders will be fined up to KES 3 million or receive a maximum jail sentence of 2 years.
In Summary
The purpose of the Data Protection Law is:
- To regulate the processing of personal data;
- To ensure that the processing of personal data of a data subject is guided by the principles set out in section 25 of the Data Protection Law;
- To protect the privacy of individuals;
- To establish the legal and institutional mechanism to protect personal data; and
- To provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with this Act.