Kenya’s new data protection law, Data Protection Bill 2019, creates a legal framework for the use of personal data processed on or related to individuals and both public and private entities.
The law also establishes the office of the Data Commissioner.
President Uhuru Kenyatta signed it into law Friday further outlines key principles that will govern data processing, sets out the rights of data subjects and assigns duties to data controllers and data processors.
President Uhuru Kenyatta has today signed into law the Data Protection Bill 2019. The new data law establishes the office of the Data Commissioner and sets out the requirements for the protection of personal data processed by both public and private entities. pic.twitter.com/grDL5Hlqrv
— State House Kenya (@StateHouseKenya) November 8, 2019
In addition to setting the conditions for the transfer of personal data outside Kenya, the Act provides for the exemptions to processing of data and outlines data handling offences and attendant penalties.
The law gives effect to Article 31(c) of the Constitution, which outlines the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and Article 31(d), the right not to have “the privacy of their communications infringed”.
On November 6th, the National Assembly made some amendments to the Bill.
The President has fourteen days to convene a selection panel for the purpose of selecting suitable candidates for appointment as the Data Commissioner.
It has taken four years to have the law in place since 2015 when a Data Protection Bill was tabled in Parliament. The Privacy and Data Protection Bill was first developed in 2012. Initially, The Kenya ICT Action Network had indicated that the continued absence of a data protection law was worrying given the increased uptake of online services and the widespread collection and processing of the personal information of the public by various players without sufficient guarantees as to the security of the information.
It, therefore, had urged the Government to review, revise and operationalise the draft ICT Policy 2016 and adopt the Data Protection Policy.