State inches closer to implementing data protection law


Kenya has inched closer to the implementation of the draft data protection regulations meant to safeguard the handling of personal information by State and non-State actors.

This is after a task force, established to undertake a review of Kenya’s Data Protection Act of 2019 and propose regulations to fill the identified gaps, on Thursday completed three days of virtual public participation on the draft rules.

During the public participation, which ran from Tuesday to Thursday, Kenyans gave their views on three sets of data protection regulations currently under consideration.

They include Data Protection (General) Regulations, 2021; Data Protection (Compliance and Enforcement) Regulations, 2021 as well as Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

The task force, headed by Data Protection Commissioner Immaculate Kassait, has however extended the timeline for submission of views to May 11.

“The participation of Kenyans is key towards the realisation of the data protection general regulations, 2021,” said the task force.

The task force was established on January 15 by ICT Cabinet Secretary Joe Mucheru to operationalise the Data Protection Act and to report to the ministry in six months.

The task force was mandated to undertake a comprehensive audit of the law, which protects the personal information of individuals, as well as to identify any gaps or inconsistencies in the law and the Data Protection Policy and propose specific review requirements.



They were also to propose any new policy, legal and institutional framework that may be required to implement the data law; develop the Data Protection (General) Regulations; train stakeholders and the public on the said regulations; and undertake public consultation on the regulations and any other activities required for the effective discharge of the task force’s mandate.

Kassait noted that issues being considered by the committee include a review of the data localisation requirements, cross-border transfer of personal data, duration of renewal of the certificate of registration and reduction of the registration fees.

Others are automation of the process of the data commissioner, clarification and simplification of the complaints-handling procedures as well as harmonisation of the commercial use of personal data with existing legislation.

The next step after consideration of the public and stakeholders’ memoranda will be to engage the National Assembly committees, followed by the gazettement of the regulations, public awareness on the regulations and development of sector-specific regulations.

The draft regulations came after the establishment of the Office of the Data Protection Commissioner in November 2020, pursuant to the Data Protection Act, 2019, to regulate the processing of personal data and to ensure that the processing of personal data of a data subject is guided by the principles set out in Section 25 of the Act.

It is also aimed at protecting the privacy of individuals, establishing the legal and institutional mechanism to protect personal data and providing data subjects with rights and remedies to protect their personal data from processing that is not in accordance with the Act.

The regulations propose to have the Independent Electoral and Boundaries Commission host servers in Kenya.

But Mucheru said it will be up to the citizens to decide if they want the servers hosted locally or abroad.

The CS explained that tough regulation will impose sanctions and even a jail term for data mining violators.