Kenya has the Data Protection Act of 2019, which was signed into law in November 2019. The law aims to regulate the processing of personal data in Kenya, protect the privacy of individuals, and provide a framework for the safe and secure transfer of personal data. The act applies to both public and private entities that process personal data and establishes the office of the Data Protection Commissioner to oversee and enforce the law.
Under the Data Protection Act, personal data must be processed lawfully and in a transparent manner, collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes. Individuals have the right to access their personal data, request rectification or erasure of their data, and object to the processing of their data. The act also imposes obligations on data controllers and processors to implement appropriate technical and organizational measures to ensure the security of personal data.
Non-compliance with the Data Protection Act can result in penalties and fines, with the maximum fine being 3% of the data controller’s gross annual turnover or KES 5 million (whichever is higher). The act also provides for criminal liability for certain offences, including unauthorized disclosure of personal data, destruction or alteration of personal data, and failure to comply with a lawful request by the Data Protection Commissioner.
Overall, the Data Protection Act of 2019 is an important step towards safeguarding the privacy and security of personal data in Kenya and ensuring compliance with international data protection standards.