Data protection and right to privacy legislation in Kenya

The Parliament of Kenya enacted Data Protection legislation which came into effect on November 25, 2019. The new law was passed in view of the provisions of article 31 of the Constitution of Kenya, 2010 which guarantee the right to privacy as a fundamental right. Data Protection and citizens’ right to privacy is now a topical concern as evident around the world in many jurisdictions. The increasing globalization, cross-border transactions, internet penetration and the use of social media and digital platforms among citizens, governments and the private institutions raises several data security and privacy concerns that breaches may amount to loss of reputation, identity, safety concerns, legal penalties or compensation for damages or loss of business. As a result, enactment of Data Protection legislations plays a resounding role in providing the requisite legal framework to regulate activities of market players, government and private entities, in collecting, storing, processing, accessing, transmitting, sharing and disposing of personal or corporate data among other subjects. This paper reviews the crucial provisions of the Kenya’s Data Protection law which covers regulated actions seeking compliance by data controllers and processors under the stewardship of the Office of the Data Protection Commissioner ('ODPC'). The paper will also provide a comparative analysis of the practice in other jurisdictions, case laws and court decisions, merits and demerits of data protection legislations and areas of possible data breach targets.