Yesterday, the 28 of January 2021; was the 15th Data Protection Day and the 40th anniversary of Convention 108. Data Protection Day or Privacy day is a day to raise awareness and promote privacy and data protection best practices. It is usually held on the 28th of January because that is the day the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe in 1981.

 The day was initiated by the Council of Europe to be first held in 2007 as the European Data Protection Day. Two years later, on the 26 of January 2009, the United States House of Representatives passed House Resolution HR 31 declaring 28 January National Data Privacy Day.

Kenya and Data Protection

Kenya’s constitution has in it, the right to privacy in the Bill of Rights. On 8th November 2019, President Uhuru Kenyatta signed into law the Data Protection Act. On the 16th of November 2020, Ms Immaculate Kassait began her tenure as Kenya’s first Data Protection Commissioner.

 During yesterday’s Data Protection Day celebrations, she called upon stakeholders both in the public and private sector to collaborate with the Office of the Data Protection Commissioner as she operationalizes the office and delivers on their mandate to regulate and promote practices that ensure that the processing of personal data of a individuals is done in accordance with the principles set out in Data Protection Act, 2019. She committed to continuously work with stakeholders, which includes the general public, to ensure the success of this Office.

 The Centre for Human Rights hosted a webinar to mark the Data Protection Day 2021 in Africa. In attendance was the Head of the Data Protection Unit, Council of Europe Sophie Kwasny and

Frans Viljoen who is the Director of the Centre for Human Rights. Data Protection authority heads from Kenya, South Africa, Ghana, Mauritius and Morocco were the key speakers.

 Patricia Adusei Poku, the Executive Director of the Ghana Data Protection Commission said that her country has ratified the Budapest Convention and the Malabo Convention. She also added that they are having discussions on TV to promote data protection awareness.

Kenya’s Data Protection Commissioner, Immaculate Kassait mentioned that she’s hit the ground running with the recently Gazetted taskforce that will create Data Protection regulations.

Drudeisha Madhub, the Mauritius Privacy Commissioner said that they revamped their 2004 Data Protection Act in 2018 and that they had ratified Convention 108+ in 2020 September. Her South African peer, Sizwe Snail ka Mtuze on the other hand said that Convention 108 and Convention 108+ are not ‘Bibles’ but best practice.

One of the key takeaways from the whole discussion was the need for a continental African data protection law. This is necessary to ensure adequacy with wake of cross border data transfers and to create an effective cross border complaint system such as the one provided in Convention 108+.

Kenya’s Data Protection Commissioner is mandated by law to promote international cooperation in matters relating to data protection and ensure the country’s compliance on data protection obligations under international conventions and agreements. This provision expects that Kenya will be part of international data protection conventions and agreements.

Earlier in the year, the Data Protection Commissioner shared with a group of stakeholders her priorities for the next 6 months to one year. Together with her team, she intends to set up a workstation and communication tools, get human resources, mobilise resources for implementation of the Act and develop General Regulations under the Act.

Based on these plans, one can say that Kenya will be a key player in the continent’s data protection arena as soon as the internal Office structures are put in place.