Fastrack implementation of Data Protection law
Angry Kenyans recently protested their registration as members of various political parties without their consent.
This has brought into sharp focus the Kenya Personal Data Protection Act passed in 2019 and whether it puts in place sufficient mechanisms to achieve its overall aim.
The law, which took effect in November last year with the appointment of Kenya’s first Data Protection Commissioner, is a tremendous leap forward since it facilitates lawful use of personal data, including research, thus strengthening individuals’ fundamental rights.
It was enacted in the wake of monumental risk of infringing on privacy given the gravity of the data being collected by various actors and the advances in the technology for processing it. The law was, therefore, a timely idea.
This milestone placed Kenya among the few African countries that have achieved the feat.
Although African countries have been trailing their global counterparts in data protection, there is a silver lining on the horizon.
According to Privacy International, almost half of Africa’s 53 countries — including some of the biggest sub-Saharan economies — have at least adopted some regulations with the goal of protecting personal data.
The political party registration mess, which was unconvincingly defended as an error made in a piloting exercise, has seen Kenyans push the data commissioner to act on the matter, fearing the violation of their privacy would occur further in future.
The law requires the commissioner to enforce it by putting in place administrative structures involving Data Protection Officers, data controllers and data processors, which she must now fast-track.
The commissioner is also responsible for sensitising the public about data issues and providing a code of practice to accompany the Act.
Kenya’s Constitution guarantees the right to privacy as a fundamental right. To give effect to this constitutional right under Article 31(c) and (d), the Data Protection Act of 2019 was enacted.
The Act has not been fully implemented and progress towards implementation started last year.
The Act governs the use, processing, and archiving of personal data, makes provision for regulating the processing of personal data, stipulates the data producers’ rights, and specifies the obligations of the data controllers and processors.
On 15 January, the ICT Cabinet Secretary appointed the Taskforce for the Development of the Data Protection General Regulations, with a term of six months, whose mandate includes development of the data protection regulations, auditing of the Act, identification of gaps or inconsistencies in the Act, and proposing any new policy or legal and institutional framework that may be needed to implement the Act as well as other tasks related to its full implementation.
Public participation has been conducted on Data Protection (General) Regulation, 2021, Data Protection (Compliance and Enforcement) Regulations, 2021 as well as Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 setting the stage for deliberations and adoption by lawmakers. The regulations will help to operationalise the Data Protection Act. — The writer is a Public Policy Analyst —[email protected]