The Data Protection Bill, 2019, is officially a law. This development occurred today after President Kenyatta signed the act that has been undergoing deliberations in the Senate and Parliament for an extended period.
Organizations, including the likes of Safaricom, have since faulted the state for failing to provide a reliable data protection framework for shaping ICT policies in the country. The same sentiments have also been echoed by friends of the industry and people in a country that has been seeing the proliferation of ICTs that require a legal system to be run without data abuses.
The state made vital strides in pursuing the bill. We examined the offerings of the bill prior to the approval of a progressive draft by Parliament in April 2019. The Bill was then given the go-ahead by the ICT CS Joe Mucheru. However, issues arose sometime in July 2019 because the bills were duplicated in the Senate and Parliament. The harmonization exercise directed the use of Parliament’s version to hasten the approval exercise.
A few weeks later, Parliament set a public participation date. The event was carried out across different parts of the country, and discussions were based on a constitutional article and a National Assembly Standing Order that called for the facilitation of public participation. The talks covered views and recommendations from citizens before presenting a report to the House. Discussions were concluded in mid-September.
According to Business Daily, the signing exercise was accompanied by a meet with Amazon Web Services (AWS) executives that are setting up a shop here. The Amazon-owned cloud services subsidiary sells a variety of services to corporate customers, and its main offerings entail handling tons of personal data across several regions. Kenyatta’s meeting with executives from AWS is effectively timely based on the operations of the organization.
What the new Data Law means
The law will regulate the processing of personal data and information. The handling of that information will be bound to the principles of data protection that ape those provided by GDPR. Illegal processing of personal data will effectively be punishable.
The law will also see the setting up of the office of a Data Protection Commissioner. Previously, such an institution did not exist.
The law will also cover people who own and control data, as well as third parties that manage, store, and sort personal data. Furthermore, it applies to natural or legal persons, agencies and public authorities. Local organizations and global ones will be guided by the law provided they process data belonging to locals.
We will also see organizations that own, manage, or control data register their business at the Data Protection Commissioner (DPC).
Kenyans should also note that the law now gives them the right to know how their information is handled. You will also have the right to ask for the deletion or editing of incorrect data.
In the case of the ability to move data among different organizations, also referred to as data portability, Kenyans now have the right to acknowledge or reject their data being transferred to another service. This will come in handy for mobile subscribers and has been a nuisance for a lot of users for a while now.
Additional benefits include a robust data privacy system for sensitive data and stiff penalties for groups that will go against the law. For instance, abusers will be fined up to KES 3 million or receive a maximum of a 2-year jail sentence.
