After a long wait, Kenya has now passed comprehensive data protection legislation – the Data Protection Act of 2019 which was assented to by the President of the Republic of Kenya on 08 November 2019 (the "Act").

The Act brings into play comprehensive laws that protect the personal information of individuals. It establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, provides for the rights of data subjects and obligations of data controllers and processors.

Why Data Privacy?

Privacy laws are more relevant today than ever before. With data crossing borders following the increased internet penetration and increased use of social media and other digital information platforms, it is becoming more important to ensure that personal data is protected, processed and used for the correct purpose. While these protection laws are (sometimes) good news for those who have data stored or transferred online, it may not be so for those who have to navigate this mass of regulation.

Highlights of the Act

Establishment of the Office of the Data Protection Commissioner

The Act establishes the office of the Data Protection Commissioner (the "Commissioner"). There is no indication at the moment as to when a Commissioner will be appointed. This is a process that could take several months.

The Commissioner's office is mandated with overseeing the implementation of the Act together with establishing and maintaining a register of data controllers and data processors; receiving and investigating any complaints on infringements of the rights under the Act; carrying out inspections of public and private entities with a view to evaluating the processing of personal data; imposing administrative fines for failures to comply with the Act, amongst other functions.

Registration of Data Controllers and Data Processors

All data controllers and data processors are required to be registered with the Commissioner. The Commissioner is required to prescribe thresholds for mandatory registration and is to consider the nature of industry; the volumes of data processed; whether sensitive personal data is being processed amongst other matters. Until such thresholds are prescribed, mandatory registration does not come into play.

Data Protection

Every data controller or processor is required to ensure that all personal data is processed lawfully, fairly and in a transparent manner in relation to any data subject. The Act applies to data controllers and processors established or resident in or outside Kenya in so far as they process personal data while in Kenya or of data subjects located in Kenya.

The data subjects have the right to be informed of the use to which their personal data is to be put; to access their personal data; to object to the processing of all or part of their personal data; to correction of false or misleading data; and to deletion of false or misleading data about them.

Care should be taken in the manner in which data is collected, used and processed. The primary overarching principle being that personal data should only be collected directly from the data subject and used (be it for processing, commercial use or otherwise) with the express consent of the subject. There are certain exclusions on the collection of personal data such as data already contained in public records, collection from a different source authorised by the subject and so on.

Storage of Data

There are no prescribed durations for the retention of personal data. Data controllers and processors are required to apply a reasonableness test in assessing retention durations.

Sensitive Data

Data that reveals race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of  children, parents, spouse or spouses, sex or the sexual orientation are deemed sensitive data. Specific provisions apply to the collection, storage and processing of such data. For example, personal data relating to the health of a data subject may only be processed by or under the responsibility of a health care provider.

Transfer of Personal Data Outside Kenya

Data controllers and processors will be permitted to transfer personal data to another country only where the data controller or data processor has given proof to the Commissioner on the appropriate safeguards with respect to the security and protection of the personal data. It is not clear what process needs to be followed in this regard.  Further, the Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that can only be effected through a server or a data centre located in Kenya. There is no indication as to when or whether such a restriction will be implemented.


General exemptions from the provisions of the Act apply in cases where publication of data would be in the public interest, for journalism, literature and art, research, history and statistics (all under specific circumstances).


The Act gives the Commissioner wide powers on investigation of data breaches including powers of entry and search and issuing administrative fines.  Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller is required to notify the Commissioner without delay, within seventy-two hours of becoming aware of such breach.

Offences under the Act attract a fine of up to KES5-million and/or a term of imprisonment of up to ten years.

What next?

Until such time as the Data Commissioner is appointed and specific regulations, thresholds and rules are published, the full implementation of the Act will be constrained.

Nonetheless, two critical aspects which responsible parties should consider as part of demonstrating accountability are the appointment of a data protection officer and ensuring that accountability documents (i.e. policies, procedures and practices) and trade documents (contracts with customers and suppliers) are drafted, implemented, monitored and maintained in compliance with the Act.

It would also be prudent that your organisation complies with the Act by means of risk assessments being conducted and sufficient data protection policies, procedures and practices having been implemented.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.