This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Data Protection Leader
Back to Contents

Volume: 15 Issue: 8
(August 2018)

data protection legal reform


Kenya: Data protection bill a “step in the right direction”

The Ministry of Information, Communications and Technology (‘the ICT Ministry’) released, on 16 August 2018, the draft Privacy and Data Protection Policy 2018 (‘the Draft Policy’), and, on 17 August 2018, the Data Protection Bill, 2018 (‘the Bill’). The Bill seeks to establish the Office of the Data Protection Commissioner, regulate the processing of personal data, establish data subject rights and create data-related offences. Moreover, the Draft Policy outlines that its purpose is to lay the foundation to enforce the right to privacy, pursuant to Article 31 of the Constitution of Kenya.

Fiona Makaka, Associate at TripleOKLAW Advocates LLP, said, “The Bill, in its current form, does not sufficiently protect citizens’ right to privacy and personal data. It is a step in the right direction, but it needs substantial review. [In particular,] while the Bill may have comprehensive provisions, blanket exemptions are accorded throughout the legislation, this almost makes the whole document counter-intuitive. The previous Data Protection Bill 2013 remained a bill for over three years.” 

In particular, the Draft Policy sets out the objectives of informing the development of privacy and data protection laws, facilitating statutory and regulatory compliance, enhancing effective application of the proposed laws, and adherence to international good practices. 

Makaka commented, “The Bill borrows heavily from the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). The six principles of data protection as envisioned in the GDPR are reflected in the Bill. The aim is to empower the data subject and enable them to manage their personal data. There are however some key provisions that are provided for in the GDPR that are conspicuously missing in the Bill, one such provision is the data subjects’ right to be forgotten […] A close look at the Bill and you will discover the issue of consent has also not been properly emphasised and addressed [either]. It is provided for as a tick box issue as opposed to [serving as] a data subject’s empowerment tool. There is, equally, no requirement to keep a record of consent that should be traceable in case of dispute.” 

The ICT Ministry is currently seeking comments on both the Bill and the Draft Policy until 12 September 2018. In addition, the Cabinet Secretary of the ICT Ministry has set up a task force to develop the Policy and Regulatory Framework for Privacy and Data Protection in Kenya by defining the requirements for the protection of personal data. 

Makaka concluded, “Most African countries find themselves on the same footing as Kenya as they now take steps to commence data protection policies. Less than ten countries have legislation in place that protects their citizens’ rights to safeguard personal information […] We anticipate seeing more companies review and amend their terms and conditions, privacy policies, conditions of carriages and contractual agreements in an attempt to comply.”

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2004.
Can’t find what you are looking for?
Try an Advanced Search

Log in to data protection leader
Subscribe to data protection leader
Register for a Free Trial to data protection leader
data protection leader Pricing

Social Media

Follow data protection leader on TwitterView data protection leader LinkedIn Profiledata protection leader RSS Feed