Select a location

This selection will switch the site from presenting information primarily about Kenya to information primarily about . If you would like to switch back, you may use location selection options at the top of the page.


The making of an effective data watchdog with sharper teeth

By John Ndirangu

Over the past few years, the protection of personal data has been a hot topic of discussion both in Kenya and internationally. Regulators, professionals, researchers, and policy makers have contributed massively to the legal developments in this space. We have seen the enactment of new laws and regulations, increased publications, training, public discourse, and enforcement by the regulators.

Personal data simply means any information relating to an identified or identifiable natural person. By dint of this legal definition, the target of the legal protection offered by data protection laws is a natural person, legally known as a data subject, as opposed to a legal person such as a company.

In Kenya, the Office of the Data Protection Commissioner is mandated to implement and enforce the Data Protection Act, 2019 and its regulations. While the ODPC is relatively new, with the first Data Commissioner Immaculate Kassait having been appointed on 12th November 2020, one must applaud the efforts made by the office so far in ensuring that Kenyans are not only aware of the existence of the data protection laws and their rights but also putting into place mechanisms aimed at enabling easy and cost-effective legal compliance and exercise of the protected rights.

Notably, the ODPC has a working website through which any person can register as a data controller/data processor or file a complaint for a breach of personal data. The website also carries useful resources including the relevant laws and regulations and guidelines on issues such as data protection impact assessments, consents, registration of data controllers and data processors, and complaints management.

As regards enforcement, the ODPC released a statement in December 2022 announcing that it had issued its first penalty notice against Oppo Kenya Limited for non-compliance with an enforcement notice previously issued against it. An enforcement notice is issued when the Data Commissioner is satisfied that a person has failed, or is failing, to comply with any provision of the Data Protection Act.  It also includes the measures that such a person should take to remedy the situation and the period within which to do so.

On the other hand, a penalty notice is issued to impose an administrative sanction following non-compliance with the enforcement notice. Oppo Kenya was ordered to pay a penalty of Kenya Shillings Five Million (Ksh. 5,000,000/-) for a breach of personal data.

The ODPC also disclosed that it had issued compliance audit notices to 40 digital credit providers, out of which 18 had responded. The ODPC also stated that it had issued an enforcement notice against a major hospital in October 2022 and that the hospital was demonstrating compliance.

The ODPC has also recently released its decision in the case of Allen Waiyaki Gichuhi & Another v Florence Mathenge & Another. This is an important decision on how the ODPC is interpreting and applying the provisions of the Data Protection Act. In a nutshell, the ODPC affirmed that it has jurisdiction to hear and determine a complaint involving the disclosure of personal data to a third party without the consent of the data controller. However, it has no jurisdiction to determine infringement of intellectual property rights. The ODPC further held that a data subject is a natural person and therefore the ODPC cannot find that there was a breach of the law if the complainant is a legal person.

In its Strategic Plan FY 2022/3 - 2024/5, the ODPC notes that the Government of Kenya is committed to protecting the privacy of individuals. Some of the notable achievements of the ODPC to date include issuing an advisory on Data Protection Impact Assessment for Phase II roll-out of the Huduma Namba, pushing for the regulations under the Data Protection Act which were passed in 2022, setting up the office and human resource, issuing guidance notes on various topics, developing training curriculum, policies, and manuals and establishing a framework for handling complaints.

On the international scene regulators continue to impose huge fines for non-compliance with data protection laws. The highest fine reported so far is €746 million (approximately Ksh. 100,540,863,746.80) imposed in July 2021 by Luxembourg National Commission for Data Protection against a major global company.  

All indications are that the ODPC is off to a good start. However, Kenyans are known to have big expectations and will certainly be watching this space.

The article was featured in the Business Daily on 1 February 2023 and can be accessed here