You can run, but you can’t hide: As Kenya adopts CRS, calls for balancing tax transparency with data privacy concerns emerge.

Kenyan commercial banks have started implementing the Common Reporting Standards (CRS), a tax procedures regulation of 2023. This regulation requires all Kenyan banks, trusts, and other financial institutions to report and share information about foreign account holders with the Kenya Revenue Authority (KRA) as the

AU Data Governance Policy Framework unveils strategies for intra-continental collaboration and innovation

On July 28, 2022, the African Union (AU) released its Data Policy Framework. The Framework aims to provide a multi-year blueprint outlining how the AU will accomplish its goals for Africa’s digital economy. It also sets forth the AU’s vision, scope, and priorities for Africa’s

Data protection and privacy: A guide to avoid event privacy pitfalls

With the advent of the new adage that ‘data is the new gold’, entities are increasingly relying on data to drive their business decisions and as the basis for profit optimization. However, the collection, handling and storage of data must align with international standards on

The fly in the ointment of Threads hype is data privacy and competition concerns

Meta’s recent launch of the Threads app has captured substantial attention, stemming not only from its rapid user adoption but also from the growing concerns over potential data privacy and competition issues it may raise. Threads gained over 100 million users within a week of

Corporates, influencers and copyright: Navigating the tide and entrenching a culture of compliance Precedent-setting decision?

If the recent pronouncement by a court in a copyright suit by Hip Hop artiste Hubert Nakitare, alias Nonini, against Japanese company Syinix Electronics Ltd and influencer Brian Mutinda does not ring alarm bells for corporates and corporate influencers concerning intellectual property, then what will?

Snooping on tax evaders: Balancing between protection of personal data and KRA’s bid to monitor transactions

As the world marks Data Privacy Day on 28th January 2023, Kenya has been busy this week with a series of activities organized by the Office of the Data Protection Commissioner (ODPC) to commemorate the day. The week-long events will culminate in a two-day Data

Uproar over Zuku services call for guidelines to streamline Internet Service Providers

Zuku, an internet service provider owned by Wananchi Group, has recently faced sharp public criticism. The company received widespread backlash online from its customers over poor internet services. Zuku customers experienced internet outage, downtime, and slow speeds for an extended period. To further worsen the

NTSA move to streamline transport network companies is a wake-up call to data commissioner

The National Transport and Safety Authority (NTSA) has moved to streamline digital hailing companies operating in the country. This is after NTSA issued a directive to digital hailing transport companies to register afresh with the Authority.  This, NTSA said, was a decision reached by stakeholders

Kenya’s National Cybersecurity Strategy: Securing Kenya’s cyberspace

Kenya developed its first cybersecurity strategy in 2014. Significantly, the 2014 strategy culminated in the development of the 2022 National Cybersecurity Strategy. The latter gives guidance for a coordinated approach in the execution of cybersecurity operations in Kenya. The strategy combines good governance with a

Special feature: EY Kenya Data Protection & Privacy Survey, 2022: The path to compliance with data protection and privacy

EY Kenya Data Protection & Privacy Survey, 2022, was launched mid this year with a goal to firstly gauge how far along organisations are in their compliance journeys. Secondly, to identify the difficulties that companies are having in their pursuit of compliance. Thirdly, identify the

Harmonising Africa’s regulatory for the realisation of an African data economy

In Part III of our series “Dissecting the African Union Data Policy Framework”, we will cover the key considerations in aligning a country’s regulatory context with the requirements of an African data economy.  A trusted data environment requires users to trust the entire political and

What will cross border transfers on the African continent look like under the AU Data Policy Framework?

For digital trade to occur, data has to be moved across borders. While data accumulation can be a safe and secure way to manage data, hoarding data without means to use, exchange, or repurpose in a safe manner can create underutilisation risks, which may decrease

The AU Data Policy Framework: Africa’s solution to data emancipation?

The data policy framework for African countries seeks to maximise the benefits of a data-driven economy by creating an enabling policy environment for private and public investments necessary to support data-driven value creation and innovation.  The document, if implemented accordingly, will increase data policy harmonisation

What KRA needs to do before leveraging on digital intelligence to weed out tax evaders

The Kenya Revenue Authority (KRA) has announced the establishment of an advanced forensic laboratory that will provide the authority the capability to access financial data from taxpayers’ computers and mobile phones, in a bid to detect tax evasion and to reduce financial fraud.  The Kenyan

Data Privacy Certification: Establishment of Global Cross-Border Privacy Rules Forum and Resurrection of the Privacy Shield

On Thursday, April 21, 2022, US Commerce Secretary Gina M. Raimondo issued a statement on the establishment of the Global Cross-Border Privacy Rules (CBPR) Forum. The forum consists of Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States of

Details of the newly launched National Digital Master Plan expected to accelerate socio-economic growth

Information Communication Technologies are developing so quickly that there is a need to design a way to allow constant growth in the economic system and community. This is why the Cabinet Secretary for ICT, Innovation and Youth Affairs, Mr Joe Mucheru,  launched the Kenya National

Data Commissioner calls for public comments on draft Alternative Dispute Resolution framework

The Office of the Data Protection Commissioner (ODPC) has called for comments from the public on its first draft Alternative Dispute Resolution (ADR) framework for data protection disputes.  The ADR, in the context of the framework, is a voluntary process of settling data protection disputes

Proposed EU Data Act and possible impact of the rules

On February 23, the European Commission proposed new rules on who can use and access data generated in the EU across all economic sectors. These rules would be contained in the proposed Data Act. According to the press release, the proposal for the Data Act

Investing in the Metaverse: Opportunities in the platform’s next frontier

Human social interactions are on the verge of the next major evolution as we enter the age of the metaverse. The metaverse provides humans with access to a digital platform in parallel with our physical reality. The internet as we know it has the potential

IEBC concerned over bid to integrate Huduma Namba into voter listing and verification process

The Independent Electoral and Boundaries Commission (IEBC) has expressed concerns over the integration of Huduma Namba (National Integrated Identity Management System (NIIMS)) into the voter registration and verification process.  Through a memorandum to the National Assembly’s Committee on Justice and Legal Affairs, the IEBC stated

What you need to register as a data controller or processor

2022 has been hailed as Kenya’s year for data protection compliance. Despite enactment of the Data Protection Act in November 2019, enforcement of Kenya’s data protection framework has largely remained hindered due to lack of a functioning regulatory supervisory authority, as well as insufficient regulations

Lifting the veil of ambiguity around transfers of personal data outside Kenya – the 2022 version of the draft Data Protection (General) Regulations

In an increasingly globalised world, consequential and integral to international trade is the flow of data. More than ever, for-profit organizations are expanding the scope of their operations across the globe to access new and larger markets or to capitalize on lenient tax regimes. Correspondingly,

Privacy and data trends to watch in 2022

It is 2022 and data protection continues to be a major issue in business. For companies operating in multiple jurisdictions, there are key trends that will be important for them to keep in mind. The growing call for international data protection collaboration In 2021, the

Meta takes data security a notch higher by launching privacy centre to educate users

As more and more economic and social activities take place online, the importance of data privacy and protection is coming to the fore even as more users voice concerns over security of their private information.  This points to why Meta launched a prototype Privacy Centre

Data Protection Commissioner announces opportunities for the ODPC and stakeholders to collaborate during dual data protection report launch

Kenya’s Data Protection Commissioner Immaculate Kassait has asked stakeholders to collaborate with her office to increase awareness of Data Protection laws and simplification of the legal framework.  Ms Kassait said it is not the sole responsibility of the Office of the Data Protection Commissioner to

Elections 2022: Bulk Political Messaging Do’s and Don’ts

Kenyans can expect to receive an influx of political messages as we approach the August 2022 General Election. Most political aspirants and candidates will seek to capitalize on the campaign period through use of bulk political Short Message Service (SMS). Unlike past experiences, the 2022

Elections 2022: The ODPC should tame political parties on data privacy breach

On June 18th 2021, the Registrar of Political Parties Anne Nderitu shared a link through which members of the public could verify their political party membership status. Many Kenyans took to e-Citizen to confirm this and what followed was an uproar by people who claimed

Data Protection Act turns two years but more needs to be done to assure Kenyans

The Data Protection Act, 2019, (the DPA) was assented to by President Uhuru Kenyatta on November 8, 2019, and came into effect on November 25, 2019. This month marks the 2nd year anniversary since the DPA came into force. As Kenyans become savvier about their

A sneak peek at China’s Personal Information Protection Law (PIPL)

On Monday, November 1, 2021, China’s Personal Information Protection Law (PIPL) took effect, months after it was promulgated by the Standing Committee of China’s National People’s Congress. This is China’s first comprehensive law in the personal information protection area and it is based on the

Stakeholders Add Their Voice to Draft Strategic Plan by Office of the Data Protection Commissioner during Public Participation Forum

A draft strategic plan by the Office of the Data Protection Commissioner (ODPC) in Kenya was taken through a validation forum by stakeholders under public participation. The ODPC and the UK Embassy held a day’s workshop during which the ODPC Draft Strategic Plan (FY 2021/2022-

What next for Huduma Cards after court calls for data protection impact assessment

Data security came to play at the High Court in Nairobi on Thursday, October 14, 2021, after Justice Jairus Ngaah declared that the government’s decision of November 18, 2020, to roll out Huduma Cards was illegal. The judge said the government had not adhered to

Regulating the legal tech space, Bills in the pipeline

Bridging the nexus between technology and the law has proven to be an increasingly tumultuous domain to regulate. However, this has not discouraged Kenyan legislators from attempting to regulate the disruptive sector. Below is a snapshot of four proposed pieces of legislation, at varying stages of approval,

Post BREXIT Data Partnerships: Kenya’s First ‘Adequacy Partnership/ Decision’?

The United Kingdom on Thursday announced their Post-Brexit approach to international data transfers which includes future partnerships with Kenya. India, Brazil and Indonesia are also in this priority list. The first territories which it will prioritise striking ‘data adequacy’ partnerships will be the United States,

ODPC, time to press play?

Is your company compliant with the Data Protection Act, 2019? Or does it have systems to ensure that it is compliant with data protection laws? The Act which was enacted in 2019 regulates the processing of personal data and has provisions on how to protect

Data Policy Framework for Africa

The African Union Commission (AUC) is in the process of developing a Data Policy Framework for Africa. The process which is made possible by the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) under the Data-Cipation programme, is being spearheaded by Research ICT Africa (RIA). Currently, RIA

Data Breaches and Cyber Security: What you need to know

A few years ago, many corporations used to think data protection meant security of systems. And this was because they thought the word protect meant security in the context of cyber security. While security of data is a way of implementing privacy and data protection,

The Cost of Data Breaches

Growth of Technology: Kenya’s digital landscape has grown immensely amid the Covid-19 Pandemic period partly due to the reliance on technology as a saving grace. With the growth, new technology and increased internet connectivity have led to an increase in information sharing. This has improved

Data Sovereignty: Threat to Cloud?

On June 22, Senegal’s President Macky Sall launched a national data centre which will host all of Senegal’s government data and digital platforms in an effort to strengthen its digital sovereignty. The 70 million Euro data center has been financed with a Chinese loan and built

A Review of a report on publicly available Data Policies of Commercial Banks

The Centre for Intellectual Property and Information Technology Law (CIPIT), Strathmore University has published a study of the Publicly Available Data Policies of Commercial Banks operating in Kenya in Relation to a Set Data Protection Standard. The report compares the banks’ data policy provisions against

State of the GDPR at 3 and its global effect

As of Tuesday 25 May, it was 5 years of General Data Protection Regulations (GDPR). 3 years since its enforcement and its impact on the world can be felt. The Regulations have elevated the awareness of privacy and data protection from boardrooms to living rooms

Regulatory Impact Assessment on the Data Protection Regulations

The Office of the Data Protection Commissioner (ODPC) vide a Gazette Notice No. 4697 informed the public that a Regulatory Impact Assessment (RIA) on the proposed Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 had been prepared. The aim of the RIA

Children of a lesser god? How WhatsApp is imposing Terms and Conditions outside the EEA

WhatsApp’s new terms of service will go into effect from May 15, 2021 all over the world except for the EU. This is because WhatsApp users in Europe can opt-out of the new privacy policy owing to the General Data Protection Regulation (GDPR), which shields

Public Bodies and data protection: What you need to know

Public bodies are expected to comply with the provisions of the Data Protection Act, 2019. The Act defines a data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of

A note on the Data Protection (General) Regulations

Earlier this month, the Data Protection Task Force along with the Office of the Data Commissioner (ODPC) and the Ministry of ICT, published 3 draft regulations for public participation. This note provides some of the key segments of the Draft Data Protection (General) Regulations, 2021.

Primer on the proposed registration of Data controllers and processors

The Data Protection Commissioner has published the draft Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. These Regulations will give effect to the provision of the Data Protection Act that provides for the registration of data controllers and data processors.  The registration

New rules for Data Protection

The Office of the Data Protection Commissioner released Draft Data Protection Regulations earlier this week for public participation. The Regulations comprise: The Data Protection (Compliance and Enforcement) Regulations – The Regulations outline the compliance and enforcement provisions for Data Commissioner, Data Controllers and Data Processors.

Data Protection Regulations: What To Expect

In January 2021, the Cabinet Secretary for Information, Communications, Technology, Innovation and Youth Affairs Hon. Joe Mucheru constituted the Taskforce on the Development of Data Protection General Regulations. The mandate of this taskforce is to develop data protection regulations, conduct a comprehensive audit of the

Data Protection and COVID-19 Health data at the workplace

The COVID-19 pandemic has disrupted the lives and livelihoods of many individuals. Many businesses are still trying to catch up with the new normal which has greatly affected how transactions take place. Sectors that were used to cash payments are now accepting cashless payments. This

The Office of the Data Protection Commissioner: 100 days later

The Office of the Data Protection Commissioner (ODPC) on Wednesday commemorated 100 days since the swearing-in of the first Data Commissioner and the establishment of the Office. On this day, the ODPC launched their Official Logo and Website, the Draft Guidance note of Data Protection

Data Protection Day 2021: Kenya’s steps into compliance

Yesterday, 28 January 2021, was the 15th Data Protection Day and the 40th anniversary of Convention 108. Data Protection Day or Privacy Day is a day to raise awareness and promote privacy and data protection best practices. It is usually held on the

The guidance note on Personal Data Protection on COVID-19

In March 2020, the World Bank declared COVID-19 as a global Pandemic prompting governments and health officials to take precautionary measures to curb the spread of the virus. Some of the measures put in place require an aspect of mass surveillance in order to map out close contacts who may have interacted with an infected or a potentially exposed

Establishment of the Taskforce on Development of the Data Protection (General) Regulations

The Cabinet Secretary for Information, Communications, Technology, Innovation and Youth Affairs, has constituted a Taskforce to be known as the Taskforce on the Development of the Data Protection, General Regulations. The Taskforce consists of the following (Role: Name): Chairperson: Immaculate Kassait; Members: Humphrey Njogu

What’s up WhatsApp? The truth behind the new privacy policy

Introduction: WhatsApp is a free, multiplatform messaging app that lets you make video and voice calls, send text messages, and more with just a Wi-Fi connection. It is owned by Facebook (Facebook acquired it in 2014 for US$19.3 billion) and currently has over 12 million

Kenya appoints her first Data Commissioner

As the Data Commissioner, she will be responsible for the enforcement of the Data Protection Act

Is Huduma Number the future of KYC

On Wednesday, during the unveiling of the Central Bank branch in Kisii County, the President said that the rollout of Huduma Namba will change operations in the banking industry. He said that the new system will make it easier for banks to capture details of clients, increasing confidence in dealing with them.

A look into the Data Commissioner’s in tray

With the government having announced plans to proceed with the Huduma Number project, the Data Commissioner’s role will be to ensure that the process is in compliance with the Data Protection Act while building public confidence in the whole system.

Update on Kenya’s Data Commissioner interviews and appointment

Kenya’s Data Protection Act, which came into effect on 25 November 2019, provides for the establishment of the Office of the Data Protection Commissioner, to be headed by the Data Commissioner. The Public Service Commission had undertaken a shortlisting exercise and published names and interview schedules for the 10 shortlisted candidates on 7 July 2020. However, on the same morning, the Employment and Labour Relations Court, through an order issued by Judge Hellen Wasilwa, directed the Commission to suspend the ongoing recruitment of the Data Commissioner pending the hearing and determination of a petition filed by lawyer Mr Adrian Kamotho.