The Applicable Data Protection Laws in Kenya
Data Protection is a new sphere in law which has emerged following the advancement of new technology, innovation in the technological space and the automation of procedures and processes. In light of this, the Data Protection Act, 2019 (the “Act”) was designed to govern the use, processing and archiving of personal data and to prevent misuse of personal data.
In order to operationalize the provisions of the Act, various regulations have been put in place, namely the Data Protection (General) Regulations, the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. Further, the Office of the Data Protection Commissioner (the “ODPC”) established under the Act was operationalized in March 2021.
Non-compliance with the data protection laws: Case of Oppo Kenya
The risk of infringing on data protection laws is growing by the day given the increased frequency and granularity of the data being collected and advances in the technology for processing them. The Data Protection Act, 2019 outlines various sanctions to be imposed upon infringement of provisions of the Act.
Recently, Oppo Kenya was fined KShs 5,000,000/- by the ODPC pursuant to Section 63 of the Data Protection Act and Regulation 20 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations for non-compliance with an enforcement notice issued against it. The said enforcement notice was issued by the ODPC on 3rd November, 2022 after Oppo Kenya infringed on the privacy of a complainant by using the complainant’s photo without his consent. Oppo Kenya was also faulted for neglecting to comply with Section 37 of the Act and for failing to adduce a data protection policy pursuant to the enforcement notice issued.
Further, in a recent press release issued by the ODPC on 5th October 2022, Commissioner Kassait provided fresh statistics on complaints and audits being carried out by the ODPC. The press release indicated that as at 30th September 2022, the ODPC had received 1,030 complaints and admitted 555 complaints. Notably, more than 50% of the complaints received related to digital lenders.
Enforcement mechanisms and sanctions under the data protection laws
Failure to comply with the obligations under the Data Protection Act, 2019 and the Regulations may attract the issuance of an enforcement notice by the ODPC spelling out the steps that a non-compliant party should take to remedy the non-compliance. Failure to comply with the enforcement notice will then attract a penalty being imposed upon the non-compliant entity.
Penalties may be in the form of fines and prison terms. The maximum amount that can be imposed is KShs. 5,000,000/- or, in the case of an undertaking, up to 1% of the company’s annual turnover of the preceding financial year, whichever is lower. The offence may also attract a prison term of up to 2 years upon conviction, which may be imposed either as an alternative or in addition to the fine. Offences under the Act which have no specific penalties shall attract a fine of KShs. 3,000,000/- and a prison term of up to 10 years, which may be imposed either as an alternative or in addition to the fine.
How can companies comply with the data protection laws?
In light of the foregoing, it is important for companies to put in place internal mechanisms aimed at ensuring compliance with data protection laws in Kenya. This entails registration of data controllers and data processors with the Data Commissioner for companies with a minimum of 10 employees and whose annual turnover or revenue is above KShs. 5,000,000/-. In addition, the Act provides that companies offering the following services must register with the Data Commissioner (irrespective of the company’s annual turnover or the number of employees):
- Canvassing political support among the electorate;
- Crime prevention and prosecution of offenders;
- Gambling;
- Health administration and provision of patient care;
- Hospitality industry firms excluding tour guides;
- Property management including selling of land;
- Provision of financial services;
- Telecommunications network or service providers;
- Businesses that are wholly or mainly in direct marketing;
- Transport services firms (including online passenger hailing applications);
- Businesses that process genetic data.
In addition, it is important for companies to have in place a data protection policy. A data protection policy is an internal statement outlining how a company uses and protects the personal data it possesses. It further outlines the internal mechanisms that a company will put in place to ensure that data is collected, processed and stored in line with the Data Protection Act, 2019. A data protection policy must also take into consideration the basic principles for processing personal information, namely accountability, lawfulness of processing, specification of purpose, openness, data security safeguards and data subject participation.
In the event you need further information and assistance in the preparation of a Data Protection Policy, contact us via info@kiragu.co.ke.