Hefty fines for data misuse

Companies that send unsolicited text messages to consumers now face fines of up to 2 per cent of their annual turnover if found guilty of violating the Data Protection Act 2019.

President Uhuru Kenyatta yesterday assented to the long-awaited data protection law that will significantly change how public and private entities handle users’ information.

According to the Act, entities and individuals that deal with users’ personal information will now have to seek permission first before collecting, processing or storing this data.

"A data controller or data processor shall not provide, use, obtain, procure data of a data subject for the purpose of direct marketing without prior consent of the data subject,” states the law in part.

Users may object to processing of their personal data for such marketing, which includes profiling with the law defining consent as a “voluntary, specific and informed expression of will”.

Companies will now have to inform users of any personal data they are collecting, the purpose for collecting that data and how long it will be stored.

The law also gives users the right to decline to have their data collected or processed as well as demand to have false data corrected or deleted.

This requirement is however exempted where the data is required or authorised by law or used for historical, statistical, journalistic literature and art or research purposes.

The Data Protection Act 2019 makes Kenya the 24th country in Africa to have data protection legislation.