Data protection is the process of safekeeping against any form of compromise, corruption or loss of personal information. In November 2019, President Uhuru Kenyatta assented to comprehensive data protection legislation – the Data Protection Act. The Act applies to data controllers and processors established or residing in or outside Kenya, as long as they process data in Kenya or of subjects located therein. These data controllers and processors include private and government entities, which handle customer and citizen data respectively.

The Act establishes the Office of the Data Protection Commissioner, Immaculate Kassait, who is charged with the responsibility of: overseeing the implementation of the Act together with establishing and maintaining a register of data controllers and data processors; receiving and investigating any complaints on infringements of the rights under the Act; inspecting public and private entities with a view to evaluating the processing of personal data; and imposing administrative fines for failures to comply with the Act, amongst other functions. With the Data Protection Commissioner’s (DPC) office in place, the Act demands that organisations, public and private, are registered with the Commissioner.

According to the Data Protection Regulations 2011, all personal data is to be handled in a fair, lawful, and transparent manner regardless of the data subject, in a bid to protect their privacy. This means that Kenyan citizens now have the right to ask pertinent questions regarding the collection of their personal information, such as why and how their information is being recorded, stored and handled, and for what specific purpose it will be used. They also have the right to be informed of the use to which their personal data is to be put; to access their personal data; to object to the processing of all or part of their personal data; to correction of false or misleading data; and to deletion of false or misleading data about them. The requirement in collecting personal data is that it should be collected directly from the subject, and used only with the consent of the subject in question.

In the event that personal data is breached, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorized access, a data controller is required to notify the Commissioner within 72 hours of becoming aware of such breach. An arduous walk awaits the implementation and enforcement of this law against digital lending apps. For example, before issuing a loan, most digital lenders demand that the borrower give a list of guarantors. Unknown to them, the guarantors are to pay in the event that the borrower defaults on repayment. The height of it all is calling the guarantors to demand payment. The digital lenders' predatory tactic of determining creditworthiness by accessing smartphone data, including SMS, call logs, bank balance messages and bill payment receipts, is a form of privacy breach. Conversely, the Data Protection Act stipulates that companies can acquire data from their clients by asking them to consent to the move, and by specifying how the information gathered will be used and for what. While applying for these loans, individuals consent to giving out this data as part of the loan process.

This law is a welcome relief to many Kenyans who have long been subjected to various forms of privacy violations, especially with the country’s concentration of mobile connectivity and adoption of mobile money services. Rising cases of mobile and online fraud often target users accustomed to mobile money payments. It has also become common practice among Kenyan businesses that accept mobile money transactions to spam their customers with promotional messages, using contacts collected solely for payment purposes. Some county data collection points have equally proved to have loopholes that candidates exploit, especially during elections. The information collected purposely for building county population data ends up being used as a campaigning tool, with messages sent asking constituents to vote in favor of a particular candidate.

Notwithstanding such facts, any complaint on infringements of the rights under the Act is subject to extensive investigation by the DPC, which has the power to file lawsuits and impose fines. All things considered, offences under the Act attract a fine of up to KES 5 million and/or a term of imprisonment of up to ten years.