The Kenyan Data Protection Act and the impact on Cross-Border Business and Agreements
Introduction
There has been an increase in the concern regarding the storage and usage of the data collected from individuals in our daily engagements. As a result, there has been a growing campaign towards the protection of such data to uphold the individual’s right to privacy. Recently we have seen a number of laws and regulations that have been passed and implemented in a bid to ensure data protection.
In Kenya, the Data Protection Act, 2019 was assented to on 8 November 2019. The key mandates and purposes of the Act are:
- To uphold the right to privacy as per the Constitution of Kenya
- To oversee the registration of those who collect, store, process or transfer data, i.e., the data “controllers” and “processors”
- To regulate the use and transfer of personal data
- To outline the key principles governing data protection
Data Protection Principles
The Act outlines the key principles governing how data controllers and processors must collect and process personal data, in particular the requirement that data be processed "lawfully, fairly and in a transparent manner" [S.25(b)]. For many data controllers and processors, this means balancing the business need to collect and process data against the rights of the data subject. The data subject has the right to be informed of the collection of their personal data and the right to access that data [S.26]. In addition, the data subject has the right to be informed of the purpose of the collection and of how the data may or will be used, including any possible transfer of their data. However, there are exemptions, such as:
- In the interest of national security
- Where disclosure is required under law
- In the apprehension or prosecution of an offender
- In the detection or prevention of crime or
- In the assessment or collection of tax
Transfer of Personal Data outside Kenya
The Act provides for the transfer of personal data outside Kenya by data controllers or processors, for example multi-jurisdictional entities or parties performing cross-border transactions. Before transferring, the data controller or processor must demonstrate to the Data Commissioner that the transfer is necessary [S.48(c)] and that appropriate safeguards for the security and protection of the personal data are in place [S.48(b), S.49].
Conclusion
What does this mean for corporates that collect and/or process personal data? The Act has led such corporates to take key measures to ensure compliance, including:
- Appointing a data protection officer where the Act requires one
- Keeping a data inventory
- Ensuring proper consents are obtained from data subjects
- Registration with the Data Commissioner