For a long time, Kenya has lacked a comprehensive personal data protection legislation which has been quite necessary in this age of digital use and access. This has exposed citizens to the risk of their personal data being misused. In April 2019, the Kenyan Government rolled out the “Huduma Namba” programme which required the capturing of biometric details from citizens as well as information on land ownership and assets among other particulars.

The aim of the programme was to facilitate the identification of people holding forged or false identification documents by collecting all data pertaining to an individual including name, age, property owned and residence. This was in accordance with the amendments made to the Registration of Persons Act that allowed the Government to collect people’s personal information – including DNA samples, biometric data like fingerprints and retinal scans, and global positioning system (GPS) information to pinpoint their locations.

The plan was met with opposition as many felt that there was potential for violation of Kenyans’ right to privacy which although enshrined in the Constitution had no specific legislative framework that would guarantee the protection of sensitive personal data. The Data Protection Act is intended to provide this framework.

The purpose of the new law is to regulate the processing of personal data, protect the privacy of individuals and to establish the legal and institutional mechanism to protect personal data. The law establishes the office of the Data Protection Commissioner that is to exercise oversight on data processing operations and to receive and investigate complaints on processing of personal data.

Some salient provisions of this new law include:

1. All institutions that own, manage, or control data will under this law, be required to register their businesses with the Data Protection Commissioner (DPC).
2. The new law sets out restrictions on how personally identifiable data obtained by firms and government entities should be handled, stored and shared. The application of the law extends to local and international firms (to the extent that are processing information relating to citizens), natural persons and public authorities.
3. Under this law, everyone person will be entitled to know how their personal information is used and gives the affected person an opportunity to delete and edit any incorrect data upon examination.

The new law also provides for issues surrounding data portability. Kenyans now have the right to consent to or reject their data being transferred to another service. This will come in handy for mobile subscribers and has been a nuisance for a lot of users for a while now.

In its quest to protect personal data, the law prescribes stiff penalties on persons who contravene the law regarding protection on personal data and provides that those found guilty will be fined up to KES 3 million or receive a maximum of 2-year jail sentence.