× Digital News Videos Kenya @ 50 Health & Science Lifestyle Opinion Education Columnists Ureport Arts & Culture Moi Cabinets Fact Check The Standard Insider Podcasts E-Paper Lifestyle & Entertainment Nairobian Entertainment Eve Woman Travelog TV Stations KTN Home KTN News BTV KTN Farmers TV Radio Stations Radio Maisha Spice FM Vybez Radio Enterprise VAS E-Learning Digger Classified Games Crosswords Sudoku The Standard Group Corporate Contact Us Rate Card Vacancies DCX O.M Portal Corporate Email RMS
Login ×

Kenya's Data Protection Act still way off the mark

By Ombo Malumbe | November 27th 2019 at 15:00:00 GMT +0300

Kenya had the opportunity to take notes while observing the western countries grapple with issues on data protection, but that did not happen. Kenya, like most African countries, borrows a lot from western countries when it comes to making a step to legislate on “new” areas of law.

However, even when having the opportunity to implement useful research and development (R&D) practices and procedures, it terribly fails and merely adopts the copy and paste principle, which is quite fast.

However, it lacks a sense of direction because there is no R&D. While the writing of the Data Protection Act No 24 of 2019 (DPA) has the taste of the United Kingdom’s Data Protection Act, 2018 and 1998, there are other elements from other legislation.

On April 27, 2016, when the European Union (EU) was approving the famous General Data Protection Rules 2016/679/EU (GDPR), it shared a firm conclusion about the directive through its official Journal of European Union.

Read More

It stated that the Directive 95/46/EC (the Directive) “objectives and principles of the Directive remain sound, but it has not prevented fragmentation in the implementation of data protection across the union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity.”

 The EU concluded that there was a need to advance the issue on data protection. As a result, the Directive had to be repealed in favour of the GDPR.

The European Commission Decision 2000/520/EC that was birthed as a result of the Directive, both repealed, in letter and spirit, influenced critical provisions under the DPA.

Therefore, like the Commission Decision 2000/520/EC, the DPA provides that data controllers and data processors can self-regulate.

The idea of self-regulating provided a loophole for data controllers, and data processors in the US have their Government engage the EU on diplomatic terms, which the US did through its Department of Commerce (DoC).

The results of these diplomatic discussions resulted in effecting Commission Decision 2000/520/EC popularly known as the Safe Harbour Regulations. The Safe Harbour Regulations operated for at least a decade before questions were raised about its legality and whether it was superior or inferior to the Directive.

It had occurred that the US-based entities were infringing the data protection laws meant to protect citizens of EU member States.

The EU was not aware of the breach until whistle blower Edward Snowden raised issues on US-based entities' mass surveillance and data breach activities on the EU.

These data breaches were primary possible since the foreign entities were self-regulating, which is the same piece of cake offered by Kenya to the world. 

Letter to the Editor from Ombo Malumbe in Nairobi.

More stories

Take a Break