As Kenya marks five years since the enactment of the Data Protection Act (DPA), it’s time to reflect on the successes, challenges, and the future of data protection in our rapidly evolving digital landscape. The recent DPA@5 event highlighted key achievements, lessons learned, and the urgent need for continued action to safeguard privacy rights in the age of digital innovation.
Since its introduction in 2019, the Data Protection Act has positioned Kenya as a leader in privacy protection on the African continent. The establishment of the Office of the Data Protection Commissioner (ODPC) was a critical milestone in regulating how personal data is collected, processed, and stored. The ODPC has been instrumental in addressing privacy concerns across both the private and public sectors, dealing with security breaches, and holding violators accountable.
But the real success of the DPA is not just in the law itself—it’s in the collaboration between key players, including civil society, government bodies, and the private sector. As noted by Dr. Mugambi Laibuta, Chair, Data Privacy and Governance Society of Kenya, partnerships between groups such as Amnesty International Kenya (AIK) and the ODPC have helped build capacity, raise awareness, and promote self-regulation within the private sector. These collaborations are vital to ensuring that data protection is more than just a legal requirement—it becomes a culture.
Challenges Along the Way
Despite this progress, significant challenges remain. One of the biggest hurdles is low public awareness. Many Kenyans are still unaware of their data protection rights and obligations under the DPA. As Grace Bomu highlighted, while young people—being digital natives—are becoming more aware of their privacy rights, breaches like the political parties’ misuse of personal data show just how vulnerable many still are. Ensuring that all citizens understand their rights to privacy is a critical next step.
Another challenge lies in emerging technologies. Artificial intelligence, biometric systems, and other digital tools are evolving faster than the laws governing them. While the ODPC and other regulators are committed to securing Article 31’s guarantee of the right to privacy, as Bernard Rotich from the Ministry of ICT noted, Kenya must ensure that regulatory frameworks keep pace with technological advancements. This requires both public and private sectors to be agile, working together to build systems that are privacy-centered from the ground up.
Political Goodwill and Legal Evolution
For any regulatory framework to succeed, there must be political goodwill. The ODPC has received strong backing from the government in terms of resources and legislative support, which has been key to its successes so far. However, as the Data Commissioner pointed out, challenges such as cross-border data flows and achieving adequacy with Europe’s General Data Protection Regulation (GDPR) still need to be addressed. Kenya’s efforts to achieve GDPR adequacy will open up opportunities for international business while positioning the country as a privacy leader in Africa. This is not without its obstacles. Sensitive data definitions and exemptions, such as those in the Malabo Protocol, still need to be aligned with GDPR requirements. The path toward adequacy is long, but Kenya’s commitment to data protection offers hope for a positive outcome.
The Future of Data Protection: Calls to Action
As we look ahead, several areas demand immediate attention to strengthen Kenya’s data protection framework:
- Raise Public Awareness: One of the most pressing needs is to educate the public about their data rights and obligations. It is crucial to go beyond online spaces to reach a wider audience through traditional media, community engagement, and targeted campaigns that inform people about the protections they are entitled to under the DPA.
- Foster Collaboration Across Sectors: The success of the DPA thus far has been built on collaboration, and this must continue. Rosemary Koech (KCB Group) highlighted that the biggest lesson learned so far was the importance and impact of collaboration, and that, in terms of compliance, the scale of operations involving data, sometimes sensitive data, makes it important for various stakeholders to work together. Both the public and private sectors, along with civil society, need to work together to develop privacy-focused systems that can adapt to emerging technologies. The private sector, in particular, should not work in silos when dealing with sensitive data. Instead, they must share knowledge and best practices to ensure compliance across industries.
- Invest in Compliance Culture: Data protection is more than a legal obligation; it’s a culture. Organizations, whether private companies or government entities, need to embed compliance into their operational DNA. The ODPC’s audits have shown that data privacy must go hand in hand with business continuity and risk management. Cultivating a compliance culture will ensure that data protection becomes second nature across sectors.
- Regulate Emerging Technologies: As Kenya continues to embrace digital transformation, the government must develop tech-neutral regulations that protect citizens without stifling innovation. Regulatory sandboxes and ethical frameworks are essential tools for testing new technologies like AI and ensuring they align with data protection standards. By implementing these, Kenya can create a balance between fostering innovation and protecting personal data.
- Revise Penalty Structures: Finally, the penalty framework under the DPA needs to be reviewed to ensure it is fair and proportionate. Current penalties, such as the flat Ksh. 5 million or 1% of turnover, may not be appropriate for all breaches. Larger companies may see such penalties as mere slaps on the wrist, while smaller firms could be bankrupted. Penalties should be tailored to the severity of the breach and the size of the organization involved.
The next five years of data protection in Kenya will be critical as we navigate the complexities of a fast-paced digital world. While the DPA has laid a solid foundation, much work remains to be done. By focusing on public awareness, fostering collaboration, regulating emerging technologies, and refining our legal frameworks, Kenya can continue to lead the way in data protection across Africa.
Data protection is not just about compliance; it’s about safeguarding the rights and freedoms of every individual. As we move forward, let’s ensure that these rights remain at the forefront of our digital future.
Sharlene Muthuri is Amnesty International Kenya Technology & Human Rights Campaigns Officer and writes in her personal capacity.