DataGuidance confirmed, on 25 April 2019, with the Kenyan Ministry of Information, Communications and Technology (‘the ICT Ministry’), that the Data Protection Bill, 2018 (‘the Bill’) and the draft Privacy and Data Protection Policy 2018 (‘the Draft Policy’) had been approved by the Parliament of Kenya. In particular, the Bill seeks to establish the Office of the Data Protection Commissioner, regulate the processing of personal data, establish data subject rights and regulate data protection offences. Moreover, the Draft Policy reinforces the right to privacy, contained in Article 31 of the Constitution of Kenya, as well as sets out objectives for informing the development of data protection laws.
Nzilani Mweu, Partner at Rilani Advocates, told DataGuidance, “For context, there were two bills: the first, a senate bill released in May 2018, and the second one, the Bill, which has received approval along with the Draft Policy. The Bill came about when the Cabinet Secretary appointed a Data Protection Taskforce that then formulated the Bill and Draft Policy. [However], it is not guaranteed that the Bill will end up as law […] The final draft of the Bill amends [the previous version] to include new clauses and deletes some previous provisions. The key changes in the Bill include the harmonisation of the definition of biometric data with the definition in the Registration of Persons Act 2014 (‘RPA’), as well as an inclusion of the definition of health data.”
One of the major issues is the collection of biometric data
In addition, the Bill requires data processors to carry out Data Protection Impact Assessments where such processing may lead to high risks to the rights and freedoms of a data subject. Moreover, the Bill outlines penalties for the commission of data protection offences such as unlawful disclosure and sale of personal data, which range from a five-year imprisonment to a fine of up to KES 5 million (approx. €44,180).
Mweu concluded, “The [final draft of the] Bill gives and takes, [since] the data subject appears to have fewer rights [compared with the previous version]. [Notable deletions from the previous version include] the right of the data subject to enquire about the details of the processing or the period and manner in which the processing shall take place, as well as the right to erasure […] One of the major issues is the collection of biometric data under the RPA. As this is [within the purview of the] Ministry of Interior Security, and collection of data for security purposes is one of the circumstances exempt from the application of the provisions of the Bill, it leaves data subjects’ most sensitive information unprotected. It is also important to note that with the removal of data subjects’ right to be informed when data is used to profile them, there is room for abuse of profiling mechanisms especially along ethnicity lines.”
ADETOKUNBO HUSSAIN Privacy Analyst