Analysis of Kenya’s Data Protection Act, 2019

We welcome the effort by the Government of Kenya to give life to and specify the right to privacy, already enshrined in Article 31(c) and (d) of the Constitution of Kenya by proposing a draft Data Protection Act. We particularly appreciate the direct reference to this Constitutional right in the purpose of the Act and the way it is referred to on several occasions in the Act.

While these efforts have positive intentions and we are pleased that Kenya has adopted a comprehensive data protection law, the Act adopted has a number of shortcomings which ought to be addressed moving forward with the implementation and application of the Act.

As part of this process, we call on the government of Kenya to review the areas of concerned flagged in this analysis in order to ensure that personal data is effectively and adequately protected, and to ensure that the Office of the Data Protection Commissioner is well-resourced (both administrative and financial), made operational and is empowered to operate independently.

Furthermore, given some of the areas of concerned outlined in our analysis, it is important that the Office of the Data Protection Commissioner address rapidly some of these issues by issuing recommendations and guidelines, outlining its interpretation of some provisions or aspects of a data protection law and clarifying the law as necessary.

This analysis was undertaken by the Defenders Coalition, The Kenya Legal and Ethical Issues Network on HIV and AIDS (KELIN), Dr. Robert Muthuri and Privacy International (PI).