Data privacy in Kenya has become an increasingly critical issue with the rapid advancement of technology and digital communication. The right to privacy is enshrined in the Constitution of Kenya under Article 31, which serves as the foundation for data protection laws and practices in the country.
This article explores the constitutional basis for privacy rights, relevant legal frameworks, key provisions of the Data Protection Act, implications of data breaches, economic exploitation of privacy, and the roles of key institutions such as the Data Commissioner and the High Court.
The Right to Privacy in the Constitution of Kenya
The Constitution of Kenya, promulgated in 2010, includes a robust Bill of Rights that guarantees fundamental freedoms. Article 31 explicitly protects individuals’ right to privacy, stating:
“Every person has the right to privacy, which includes the right not to have— their person, home or property searched; their possessions seized; information relating to their family or private affairs unnecessarily required or revealed, or the privacy of their communications infringed.”
This constitutional provision emphasizes that interference with an individual’s privacy must be justifiable and fair. The courts have upheld this right in various rulings, reinforcing that unauthorized use of personal information violates this fundamental right.
Key Terms in Data Privacy
Understanding the terminology used in data privacy is essential for comprehending the obligations and rights under Kenyan law:
Data: It is any information processed by equipment(s) operating automatically, recorded and/or stored by a private or a public entity.
Personal Data: Refers to any information relating to an identified or identifiable natural person. Examples include names, identification numbers, location data, email addresses, bank accounts, blood groups and online identifiers.
Data Subject: The individual to whom personal data relates.
Data Controller: A person or entity determining the purpose and means of processing personal data.
Data Processor: A person or entity that processes personal data on behalf of the data controller.
Sensitive Personal Data: Data that require higher protection due to their nature, such as health information, biometric data, political opinions, sexual orientation or religious beliefs.
Consent: Freely given, specific, and informed agreement by a data subject for their data to be processed.
Breach of Data Privacy: Any unauthorized access, loss, alteration, disclosure, or destruction of personal data.
Data Protection Impact Assessment (DPIA): This process assesses risks in data processing activities. It involves identifying risks, mitigating risks, managing risks and governing data protection.
Privacy by Design: Integrating privacy when designing and throughout the business processes, systems and data processing activities.
Privacy by Default: Ensuring that business processes, systems and data processing activities always revert to privacy- this should happen without requiring any input from the user
Anonymization: Removal of identifying particulars or details from data to make it NOT personally identifiable to a person
Pseudonymisation: Processing personal data in ways that delink it from a specific data subject. This can be done by removing some information or keeping some information about the data subject separately.
Encryption: Converting data into coded/unreadable form. Once encrypted, data needs to be decrypted to be legible.
Governing Laws on Data Privacy
The Data Protection Act 2019 (DPA) serves as Kenya’s primary legal framework governing data privacy. It aims to give effect to Articles 31(c) and (d) of the Constitution by establishing guidelines for processing personal data. The Act outlines the principles of data protection, the rights of data subjects, and the obligations of data controllers and processors. It also establishes the ODPC and registration, compliance, and enforcement procedures.
Key Provisions of the Data Protection Act
The DPA contains several essential provisions aimed at protecting individuals’ privacy rights. Some key provisions include:
Principles of Data Protection (Section 25):
The right to privacy Principle: Personal data must be processed, giving credence to the right to privacy.
Lawfulness, fairness and transparency Principle: Personal data must be lawfully and transparent only when there is a valid explanation.
Purpose Limitation Principle: Data collection should be only for specific reasons limited to what is necessary for its intended purpose.
Data minimization Principle: Only process data that is adequate, relevant and limited to what is necessary concerning the purpose for which it is processed.
Accuracy Principle: Data must be collected and stored accurately. Any inaccuracies must be deleted.
Storage Limitation Principle: Data should not be Kept in a form that identifies the data subjects for no longer than is necessary for the purpose for which it was collected.
International Transfers Principle: Data should not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject
Integrity and confidentiality Principle: Data Subjects have the right to be informed of the use of their data.
Rights of Data Subjects:
Right to Access: Individuals can request access to their data held by a controller or processor.
Right to Rectification: Data subjects can correct inaccurate or incomplete personal data.
Right to Erasure: Individuals can request deletion of their data when it is no longer necessary for its purpose.
Right to Object: Individuals can object to processing based on legitimate interests or direct marketing.
Right to Data Portability: Individuals can request their data in a structured format for transfer to another service provider.
Right Not to Be Subjected to Automated Decision-Making: Individuals cannot be subjected to decisions based solely on automated processing that significantly affects them without human intervention.
Consent Requirements:
Explicit consent must be obtained from data subjects before processing their personal data (Section 28).
Data Security Obligations (Section 30): Data controllers and processors must implement appropriate technical and organizational measures to ensure data security.
Breach Notification (Section 34): Organizations must notify the Data Protection Commissioner and affected individuals within 72 hours of becoming aware of a data breach.
Extraterritorial Scope: The DPA applies to entities within and outside Kenya that process personal data about Kenyan citizens (Section 3).
Other laws relating to data processing
Kenya’s legal framework for data processing is not limited to the Data Protection Act but extends to sector-specific laws to ensure comprehensive regulation and compliance. In the realm of consumer protection, the Consumer Protection Act of 2012 and the accompanying Consumer Protection Guidelines provide safeguards for consumer data, ensuring their privacy and fair treatment. Similarly, the Kenya Information and Communications Act, 1998, and the Kenya Information and Communications (Consumer Protection) Regulations, 2010, outline compliance standards for licensed information and communication service providers, who act as data collectors and controllers, emphasizing transparency and accountability.
When it comes to financial data, the National Payment System Act and its National Payment System Regulations, 2014, alongside the Central Bank of Kenya Prudential Guidelines for Institutions Licensed under the Banking Act, the Guidelines on Cybersecurity for Payment Service Providers, and the Banking (Credit Reference Bureau) Regulations, 2013, ensure the secure handling, confidentiality, and integrity of sensitive financial information.
Additionally, elections data is regulated through the Elections Act, 2011, the Elections (Registration of Voters) Regulations, 2012, and the Political Parties Act, 2011. These laws safeguard the accuracy, protection, and transparency of voter information throughout electoral processes.
Collectively, these laws reinforce Kenya’s commitment to robust data governance, ensuring that data processing across key sectors—consumer protection, finance, and governance—meets stringent regulatory standards. This multi-layered approach promotes trust, accountability, and compliance in the nation’s rapidly growing digital and information-driven economy.
