Global Tech Corporations Not Spared from Scrutiny in Kenya Data Protection Law

Immaculate Kassait
Data Commissioner Immaculate Kassait

The Data Protection Act went live in 2019. The law has been under exploration for an extended period, following pressure from activists that wanted Kenya to safeguard the privacy of locals online.

The Act directed the appointment of a Data Protection Commissioner. Immaculate Kassait was nominated for the post and is undergoing a Parliamentary vetting process.

During her meet with Parliament’s ICT Committee, Immaculate asserted that global tech corporations will have to adhere to the regulations stated in the act, mainly in the manner they process data belonging to Kenya citizens.

According to the law, the processing of sensitive personal data out of Kenya can only be effected after obtaining consent of the data subject and on obtaining confirmation of appropriate safeguards.

Furthermore, the Act adds that the Data Protection Commissioner is tasked to request a person who transfers data to another country to show the effectiveness of the security safeguards or the existence of compelling legitimate interests.

To this end, the Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, stop, suspend or subject the transfer of such conditions as may be determined.

These are interesting developments locally, and we have seen them take effect in other places under regulations such as GDPR.

The regulations may come in handy during pools. The Cambridge Analytica case put the likes of Facebook at a tight spot, having used the profiles of Kenya users to shape the campaign strategies for the current regime.

As a recap, the Data Commissioner is tasked with the following responsibilities:

  • Overseeing the implementation of and being responsible for enforcement of the Data
    Protection Act;
  • establishing and maintaining a register of data controllers and data processors;
  •  exercising oversight on data processing operations and verify whether the processing of data is done in accordance with this Act;
  •  promoting self-regulation among data controllers and data processors;
  • conducting assessment for the purpose of ascertaining whether the information is processed according to the provisions of the Act or any other relevant law;
  • receiving and investigating any complaint by any person on infringements of the rights under the Act;
  • taking such measures as may be necessary to bring the provisions of the Act to the knowledge of the general public;
  • carrying out inspections of public and private entities with a view to evaluating the processing of personal data;
  • promoting international cooperation in matters relating to data protection and ensure the country’s compliance with data protection obligations under international conventions and agreements;
  • undertaking research on developments in data processing of personal data and ensuring that there is no significant risk or adverse effect of any developments on the privacy of individuals; and
  • performing such other functions as may be prescribed by any other law or as necessary for the promotion of object of the Act.