A note on the Data Protection (General) Regulations
Earlier this month, the Data Protection Task Force, together with the Office of the Data Protection Commissioner (ODPC) and the Ministry of ICT, published three draft regulations for public participation. This note summarises some of the key provisions of the Draft Data Protection (General) Regulations, 2021.
The Regulations provide for the enforcement of the rights of data subjects, the use of personal data, the obligations of data controllers and data processors, the elements of data protection, the conduct of data protection impact assessments, exemptions and offences, among other things. They do not apply to the civil registration entities involved in processing personal data relating to the registration of births, registration of adoptions, registration of persons, issuance of passports and other identity documents, registration of marriages or registration of deaths. Below is a look at some of the key provisions of the Regulations.
Data Processing to be Done in Kenya
Under the Regulations, a data controller or data processor who processes personal data required for actualising a public good must ensure that the processing is effected through a server and data centre located in Kenya, and that at least one serving copy of the personal data concerned is stored in a data centre located in Kenya.
The processing that must take place in Kenya includes revenue administration; administering a national civil registration system; the conduct of elections in the country; processing health data for purposes other than providing health care directly to a data subject; managing any system designated as a protected computer system in terms of section 20 of the Computer Misuse and Cybercrimes Act, 2018; and managing personal data to facilitate access to primary and secondary education in the country.
The Cabinet Secretary may, however, require a data controller who processes personal data outside Kenya to process that data in Kenya if the personal data held outside Kenya has been breached. This also applies where the services have been used to violate the Data Protection Act, 2019 (the Act) and the controller has not taken measures to stop or handle the violation, or resists, obstructs or fails to comply with requests of the Data Commissioner or any other relevant authority to cooperate in investigating and handling the violation.
This segment will have implications for companies that contract with government agencies, especially those dealing with the finance sector, the health sector, the education sector, civil registration and elections, among others.
Notifiable Breach
According to the Regulations, a data breach that results in a real risk of harm to a data subject is a notifiable data breach if the breach relates to:
- a) the data subject’s full name or identification number together with any of the personal data or classes of personal data relating to the data subject; or
- b) personal data relating to a data subject’s account with a data controller or data processor, namely:
  - the data subject’s account identifier, such as an account name or number; and
  - any password, security code, access code, response to a security question, biometric data or other data that is used or required to allow access to or use of the individual’s account.
This excludes personal data that is publicly available (other than as a result of a breach) and personal data that is disclosed to the extent required or permitted under any written law.
A controller’s notification of a notifiable data breach to the Data Commissioner must include the date of the occurrence, the cause of the breach and how it occurred, the steps taken, the number of affected persons and the contact information of the controller’s representative. Where the controller does not intend to communicate the breach to an affected data subject, the notification to the Data Commissioner must state the grounds for not notifying that data subject.
The requirements seem to mirror what is provided for under the General Data Protection Regulation (GDPR).
Transfer of Personal Data Outside Kenya
In this segment, the Regulations set out, among other things, the requirements for transferring personal data out of Kenya. A data controller or data processor must determine that the recipient of the data is bound by legally enforceable obligations to protect the personal data, that the data subject has consented to the transfer of their personal data and that their rights are safeguarded, and that reasonable steps have been taken to ensure that the recipient will not use the transferred personal data for an unintended purpose.
In stating these requirements, the Regulations use the word “and”, indicating that all of the conditions must be met before data is transferred. The Regulations also require that the data subject be duly informed of the safeguards and implications, including the risks, involved in the cross-border transfer of their personal data. It is notable, however, that the cross-border transfer requirements may not be used to restrict a transfer that is permitted under the Act where the requirements would arbitrarily or unjustifiably discriminate against any person, impose a restriction on trade, and impose restrictions on transfers of personal data that are greater than required to achieve the objective.
Providing false or misleading information in order to obtain a data subject’s consent for a cross-border transfer is an offence. An offender is liable to a fine not exceeding three million shillings, to imprisonment for a term not exceeding ten years, or to both. In addition, the Court may order the forfeiture of any equipment or article used in or connected in any way with the commission of the offence, or prohibit the doing of any act in order to stop a continuing contravention.
Cross-border Transfer Agreements
A transferring entity must enter into a written agreement with the recipient of the personal data. The contract must contain provisions granting the transferring entity unlimited access to ascertain that the recipient has a robust information technology system for storing the personal data, and must specify the countries and territories to which the personal data may be transferred under the contract.
A country or territory is deemed to have the appropriate data protection safeguards anticipated under the Data Protection Act, 2019 if it has ratified the Malabo Convention, has a reciprocal data protection agreement with Kenya and has an adequate data protection law, as determined by the Data Commissioner.
Way Forward
The Data Protection Task Force, together with the Office of the Data Protection Commissioner (ODPC), is currently holding public participation forums on the draft Regulations. The major concerns raised at these forums include the provisions on cross-border transfer of personal data, the registration and certification requirements, ratification of the Convention, data localisation and the timeframe for implementation. Submissions were originally due to the ODPC on 27th April 2021; the deadline has since been extended to 11th May 2021 following an outcry from the private sector and various government agencies. It is expected that the Task Force and the ODPC will continue holding public participation forums and hearing what the citizens of the Republic of Kenya have to say about the Draft Data Regulations.