The Kenya Data Protection Act, 2019 (the “DPA”) entered into force on 25th November 2019 marking a significant milestone with respect to the protection of personal data in Kenya.
To facilitate the implementation of the DPA, the Cabinet Secretary for ICT published the following regulations on 14th January 2022:
- the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 (the “Registration Regulations”);
- the Data Protection (General) Regulations, 2021 (the “General Regulations”); and
- the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021 (the “Complaints Regulations”)
together hereinafter referred to as the “Data Protection Regulations”.
Please note that pursuant to the Statutory Instruments Act, 2013, the National Assembly is required to consider the Data Protection Regulations within twenty eight (28) days from the date the Regulations are referred to the relevant National Assembly Committee. If there is no objection from the said Committee, the General Regulations and Complaints Regulations will come into force upon the expiry of the said period.
However, the Registration Regulations will come into effect 6 months from the date of publication following their approval by the relevant National Assembly Committee.
We set out below some of the salient issues covered in the Data Protection Regulations:
1. The registration regulations
The Registration Regulations provide for the procedure and requirements for registration of data controllers and/or data processors, the key aspects of which are as follows:
a) Mandatory registration thresholds
Regulation 13 of the Registration Regulations provides that it shall be mandatory for the following persons to register with the Data Commissioner (“the Commissioner”) as a data controller and/or processor:
(i) persons with an annual turnover or revenue of above KSH. 5,000,000 (about US$50,000) and more than ten employees;
(ii) persons who have an annual turnover or revenue of below KSH. 5,000,000 (about US$50,000) but with more than ten employees;
(iii) persons who have an annual turnover or revenue of above KSH. 5,000,000 (about US$50,000) but with less than ten employees; and
(iv) persons engaging in activities outlined in the Third Schedule of the Registration Regulations. See the explanation on this below at section 1(b).
Data controllers or processors who do not meet the registration requirements set out above are exempted from registration.
b) Mandatory registration due to nature of data processing
Data controllers or processors who do not meet the registration thresholds outlined in section 1(a) above will still be required to register with the Commissioner if they process personal data for any of the following purposes: canvassing political support among the electorate; crime prevention and prosecution of offenders (including operating security CCTV systems); gambling; operating an educational institution; health administration and provision of patient care; hospitality industry firms (excluding tour guides); property management; provision of financial services; telecommunications network or service providers; businesses that are wholly or mainly engaged in direct marketing; transport services firms (including online passenger hailing applications); and businesses that process genetic data.
c) Application for Registration
An application for registration must be made in the prescribed form. If after verification, the application meets the registration requirements, the Commissioner shall, within 14 days, issue the applicant with the relevant certificate of registration. Such certificate of registration is valid for a period of 24 months from the date of issuance and is renewable upon expiry.
d) Registration Fees
Registration fees vary depending on the number of employees and the revenue of the applicant and range between Kshs 4,000 and Kshs 40,000 (about US$40 to US$400) for registration and between Kshs 2,000 and Kshs 25,000 (about US$20 to US$250) for renewal every 2 years.
e) Refusal of registration
The Commissioner may decline to register a person as a data controller or processor where:
(i) the particulars provided in the application for registration are insufficient;
(ii) the applicant does not have appropriate safeguards for the protection of a data subject’s privacy; or
(iii) the data controller or processor is in violation of the DPA.
If the Commissioner declines an application for registration, she shall notify the applicant of the refusal and provide reasons for the decision within 21 days.
f) Penalty for failure to register
Section 19(7) of the DPA provides that a data controller or processor who fails to comply with its registration requirements set out in the Act commits an offence. The penalty for such an offence is a fine not exceeding Kshs 3,000,000 (about US$30,000) or an imprisonment for a term not exceeding ten years, or both.
2. The general regulations
The General Regulations elaborate on and provide further guidance on the provisions of the DPA. We highlight a few key aspects as follows:
a) Regulation 6(3) of the General Regulations provides for an onerous requirement to the effect that where a data controller or data processor collects personal data indirectly from the data subject, the data controller or processor must, within 14 days, inform the data subject of such collection of the personal data.
b) Regulation 5(2) of the General Regulations provides for a requirement on the part of a data controller or processor to rely on only one legal basis for processing at a time. Such legal basis must be established before the processing is undertaken.
c) Regulations 7 to 12 of the General Regulations provide tight deadlines for data controllers or processors within which to respond to data subjects’ requests in relation to their rights under the DPA. For instance, a data controller or processor is required to comply with a data subject’s request to access their personal data within 7 days.
d) All requests by a data subject to a data controller or processor in relation to the data subject’s rights under the DPA are to be responded to free of charge except for a data portability request in respect of which a reasonable fee may be charged.
e) Under Regulation 15(4), it is an offence for a data controller or data processor to use personal data for commercial purposes without the consent of the data subject. The offence is punishable by a fine not exceeding Kshs 20,000 (about US$200) or by imprisonment for a term not exceeding 6 months, or both. A data controller or data processor is considered to use personal data to advance commercial interests where personal data is used for direct marketing through:
(i) sending a catalogue through any medium addressed to a data subject;
(ii) displaying an advertisement on an online media site where a data subject is logged on using their personal data; or
(iii) sending an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by a data subject.
f) A data controller or processor is required to develop, publish and regularly update a data protection policy setting out their personal data handling practices.
g) A data controller or processor is also required to establish a personal data retention schedule, which should outline the purpose of retention, the retention period, provision for periodic audit of the retained personal data and actions to be taken after the periodic audit.
h) Under Section 50 of the DPA, there is a requirement for data localization where processing of personal data is based on grounds of ‘strategic interests of the state’ which grounds are elaborated on in Regulation 26(2) of the General Regulations. Under the said regulation, a data controller or processor who processes personal data for the purpose of strategic interest of the state will be required to either process the personal data through a server and data centre located in Kenya or store at least one serving copy of the personal data in a data centre located in Kenya.
i) Part VI of the General Regulations provides categories of data breaches that must be notified to the Data Commissioner within 72 hours under section 43 of the DPA. In addition, Part VI sets out the details that must be contained in such notification.
j) A data controller or processor is prohibited from transferring personal data outside Kenya unless such transfer is based on one of the following:
(i) appropriate data protection safeguards;
(ii) an adequacy decision made by the Data Commissioner;
(iii) transfer as a necessity; or
(iv) the consent of the data subject.
k) Under the DPA, a data controller or data processor is required to undertake a Data Protection Impact Assessment (DPIA) prior to processing operations considered likely to result in high risks to the rights and freedoms of a data subject. The General Regulations outline what constitutes such high-risk processing operations, but some of the operations are couched in very broad and general terms, rendering them unclear for purposes of compliance.
3. The complaints regulations
Under Section 56 of the DPA, a data subject may lodge a complaint with the Data Commissioner where one is aggrieved by a decision of any person under the DPA. The Complaints Regulations set out the procedure for lodging a complaint to the Data Commissioner. This includes the requirements and thresholds for admitting, withdrawing, consolidating, discontinuing and investigating complaints.
Notably, a respondent to a complaint is required under the Complaints Regulations to respond within 21 days of being notified of the complaint by the Data Commissioner.
Further, under the DPA and the Complaints Regulations, the Data Commissioner has powers, inter alia, to:
(i) issue an enforcement notice;
(ii) issue a penalty notice;
(iii) issue an order for compensation to a data subject; or
(iv) recommend criminal prosecution.
4. Way forward
If you are a data controller or processor you ought to take the following actions immediately to ensure compliance with the DPA and the Data Protection Regulations:
(a) confirm whether you meet the mandatory registration thresholds under the Registration Regulations and plan to register immediately upon the Registration Regulations entering into force;
(b) review the various personal data processing activities that you undertake and the relevant lawful bases for such processing activities;
(c) consider whether you rely on consent as a lawful basis for processing and if so, formulate appropriate consent clauses to be obtained from the relevant data subjects;
(d) establish your data retention schedule;
(e) consider whether your processing activities require a mandatory data protection impact assessment;
(f) consider whether to appoint a data protection officer;
(g) enter into data controller-data processor agreements with persons that process personal data on your behalf;
(h) review and amend contracts to include provisions on data protection and privacy;
(i) review your technical, security and organisational measures to ensure the protection of personal data and assess whether such measures are adequate;
(j) ensure your staff are trained in relation to the DPA and the Data Protection Regulations;
(k) ensure that you have established mechanisms that enable data subjects to exercise their rights under the DPA, such as the right to access personal data, the right to object to the processing of their personal data, etc.; and
(l) establish whether you engage in any cross-border transfer of personal data and, if so, put in place mechanisms for complying with the Data Protection Regulations in that regard.
Please note this is not a closed list of measures that businesses may adopt for purposes of complying with the DPA and the Data Protection Regulations. Additional measures may be required depending on the nature of personal data processing undertaken by a business.
Read the full article at Dentons HHM