4 Things You Need To Know About The New Data Protection Law


Kenya finally has a Data Protection Law.  The Law Publisher, National Council of Law Reporting (NCLR) also known as Kenya Law has now availed the public copy of this law here

About one year later, we’re back here to review what we’d initially seen in the first bill and compare that with what we have now . 

As earlier stated, This review is not comprehensive on every single aspect of the law and is not exhaustive. It does not suffice as apt legal advice either to be used by persons to influence business decisions or operations. The author advises parties to engage and contract their own lawyers who will give the best legal advice for the given circumstances.

1. You have the rights

The law is human centered and now provides for an elaborate legal basis for Kenyans and residents in country to ask that personal information be properly handled and per the highest globally accepted standards of data protection.

2. The Data Protection Commissioner (DPC) 

As was proposed, this has been actualized, well in writing. We will have an official known as the Data Protection Commissioner who will establish an office for the sole purpose of execution of this law.

3. Data on the Cloud?

The initial draft of this law indicated that all data for Kenyans was to be held in Kenya; that was later deleted and the now passed version allows for data transfer but provides for standard thresholds which service providers must meet for data to be stored in other countries.

4. Registration if you hold/manage/process personal data 

The law foresees an existing obligation to register at the Data Protection Commissioner. This passed, however the catch now is that the DPC needs to issue clear guidelines and regulations on who should register in terms of which type of data controller or processor, how and what form the registration will be in, the length of registration and how long such certificate will be valid for etc.

That being said, two fundamental concerns to take note of:

First, the law provides the general overarching provisions and the new Data Protection Commissioner’s office when set up will have to do a lot of implementation groundwork as the law is very generic and doesn’t provide for the detailed nuances.

Secondly, this law is currently being challenged in court by Public Interest Litigator, Okiya Omtatah on grounds that the Senate was not involved (remember there were two bills, the Senate one was actually the first one) and that there was not sufficient public participation on the lawmaking process.

It’s a great first step in having this law in place as the right is enshrined in the letter and the spirit of the Constitution especially in this new digital age. What remains to be seen is the outcome of the case and the implementation plan for the Data Protection Commissioner when they come on board.