Data Protection Act turns two years but more needs to be done to assure Kenyans
The Data Protection Act, 2019, (the DPA) was assented to by President Uhuru Kenyatta on November 8, 2019, and came into effect on November 25, 2019. This month marks the 2nd year anniversary since the DPA came into force.
As Kenyans become savvier about their data privacy rights, this milestone provides an opportunity to reflect on the impact of the Act 2 years down the road. Since the Act was operationalized, much has happened within the Kenyan data protection landscape. Notably, the Office of the Data Protection Commissioner (ODPC) was set up with the first Data Commissioner, Ms Immaculate Kassait, being appointed on November 16, 2020.
Following the set up of ODPC, the Office has realized a number of achievements towards the realization of its mandate. Some of the notable achievements as outlined in the ODPC’s Strategic Plan for FY 2021/2022 – FY 2023/2024 include the development of 3 sets of draft regulations and guidance notes on conducting data protection assessments, seeking consent from data subjects and processing personal data for electoral purposes. The Office has also developed a draft data protection training curriculum that is currently awaiting stakeholders’ validation and approval. On awareness, the Data Commissioner has held 16 virtual and physical awareness creation and consultation forums with various stakeholders drawn from the public, private sector and development partners. Furthermore, the ODPC has so far issued 9 advisories and guidance notes to data controllers and processors both in the private and public sector.
Despite these notable achievements, much remains to be done to foster public confidence in the ODPC. In June this year, Kenyans took to social media to protest following revelations that they had been registered as members of political parties without their knowledge and consent. They termed the revelations as a breach of the right to privacy and demanded answers from the Office of the Registrar of Political Parties. In response, the ODPC issued a statement indicating that it had met with the Registrar and resolved that the names of the complainants be deregistered by political parties. Public sentiment, going by reactions posted on social media, indicate that Kenyans were generally dissatisfied with the ODPC’s handling of the matter and saw it as a missed opportunity for the Office to flex its muscles. To many, the Data Commissioner was all bark but no bite. Stiffer penalties should have been meted out on the relevant political parties and the Office of the Registrar of Political Parties.
The ODPC is domiciled in the Ministry of ICT, Innovation and Youth Affairs. This arrangement has seen the office receive criticism from some quarters as being a bit too reliant on the Ministry thus hurting its independent status. Given the nascent status of the ODPC, its reliance on the Ministry is understandable but more needs to be done to build its institutional capacity and resource mobilization.
As the DPA crosses the 2 year line, the ODPC needs to take stock of the emerging issues around data privacy and position itself to effectively execute its mandate. It is noteworthy that Kenyans are increasingly becoming conversant with their data rights and demanding more transparency on how their data is used. This provides an opportunity for the Data Commissioner to exercise the full range of powers bestowed upon her office.