Country: Kenya: Coulson Harney LLP

On 26 January 2024, the Court of Appeal declined to issue stay orders suspending the implementation of the High Court decision issued on 28 November 2023 that declared the provisions of the Employment Act, 2007 (the Employment Act) on the affordable housing levy unconstitutional (the High Court Judgment). The earlier stay orders issued by the High Court suspending the implementation of its decision and allowing the Kenya Revenue Authority (KRA) to continue collecting the housing levy until a formal application for a stay of the High Court Judgment is filed before the Court of Appeal or in case no such application is filed, until 10 January 2024 (the High Court Stay Order) lapsed on 6 December 2023. Therefore, employers had no legal basis to deduct the housing levy from employees’ salaries for the month of January 2024.

Employers who deducted the housing levy from January salaries should refund the same amounts to the employees.
While there is a risk that the KRA may backdate collection of the housing levy should the Court of Appeal overturn the High Court Judgment, we are of the view that this risk is remote because the non-payment of the housing levy by employers pending determination by the Court of Appeal is based on a final judgment of the High Court, being the High Court Judgment and the lapse of the High Court Stay Order.

The above said, employers should notify their employees of the risk (albeit remote) of the KRA backdating the collection of the housing levy and inform them that in such case the employer would recover such back levies from them.

Click here to read more of our analysis of this ruling.

The draft Income Tax (Donation and Charitable Organisation Exemption) Rules, 2023 (the Draft Rules) propose rules on the eligibility of charitable organisations for an income tax exemption and eligibility of persons donating to an exempt charitable organisation for a tax deduction under the Income Tax Act, Chapter 470 of the Laws of Kenya (the Income Tax Act). The Draft Rules propose to repeal the Income Tax (Charitable Donations) Regulations, 2007).

What documents will be required when applying for the income tax exemption certificate

The KRA will require an application for exemption to be accompanied by certain documents including the following:

• certified copy of the governing documents of the charitable organisation such as the rules, constitution, trust deed, and memorandum and articles of association;
• certified copy of the charitable organisation’s registration documents;
• audited financial statements for the three (3) years preceding the making of the application. An entity applying for an exemption for the first time is required to have been in operation for at least one (1) year when making the application. Therefore, it is presumed that such an organisation will submit the financial statements for that one (1) year; and
• original introduction letter from the County Commissioner where the principal activities are carried out.

Other documents required include original bank statements for three (3) years, a schedule of assets and values, an impact report of present and future activities in Kenya, beneficiary selection criteria, an itemized summary of payments showing the payee, amount, and purpose, identification documents of the officials, physical address proof, and letters from the charitable organisation’s representative.

Should the documents submitted contain any specific information?

The Draft Rules set out in detail the required scope of objectives for charitable organisations established for the relief of poverty, distress of the public and advancement of religion and education (the Restricted Charitable Purposes) to qualify for an income tax exemption.

The governing document should limit the objects of the organisation to one or more of the Restricted Charitable Purposes. This requires that the founding documents clearly state: (a) its primary charitable purpose being the relief of poverty, distress of the public, advancement of religion, or advancement of education; (b) the specific charitable activities it intends to carry out to achieve its charitable purpose such as projects to be undertaken; and (c) the targeted beneficiaries including the criteria for selecting the beneficiaries.

The governing document should also prohibit the use of funds and assets for non-charitable purposes such as providing private benefits to persons associated with the management and ownership of the organisation. The governing document should provide that upon dissolution of the organisation, the entity would transfer its assets to another charitable organisation with similar charitable purposes as the organisation being dissolved.

Depending on the charitable purpose, the governing document may be required to contain additional provisions. For example:

• if the purpose of the organisation is the relief of poverty, the governing document should have provisions for identifying beneficiaries who cannot acquire the necessities of life or simple amenities that would be reasonably regarded as necessary for a modest and adequate standard of living;
• where the charitable organisation is seeking to advance education but charges a fee for the education, the KRA will require proof that full scholarships would be granted to at least ten per cent (10%) of the students from poor and needy backgrounds; or
• relief of distress of the public has been defined to include providing relief to victims of natural disasters, children in need of care and protection, and persons living with disabilities and accordingly if an organisation is established for this purpose, it should expressly include the above in its governing documents. An organisation providing healthcare services as a means of relief of distress of the public would be required to, among others, offer free emergency treatment at an active emergency room and free specialised medical equipment not available at local hospitals.

What are the prohibited activities for charitable organisations seeking an income tax exemption?

A not-for-profit organisation should not:

• take part in illegal activities such as terrorism, fraud, money laundering and any tax avoidance schemes;
• distribute the income of the charitable organisation directly or indirectly to any person except as reasonable remuneration for services rendered; and
• retain more than an average of fifteen per cent (15%) of its surplus funds in a period of three (3) succeeding years without using the funds for its charitable purposes. When determining the surplus funds to be retained, the organisation would not take into account the gains or profits from the business. The exclusion of such business income would mean that the government is seeking to restrict the accumulation of donations and grant income (being the primary sources of tax-exempt income for non-profit organisations) and require their use for charitable purposes.

What are the timelines for the issuance of an income tax exemption certificate?

The KRA is required to issue a decision on granting an income tax exemption certificate within sixty (60) days of all the application requirements being met. Such an exemption certificate would be valid for five (5) years and may be renewed by an application to be made at least six (6) months before the expiry of the existing certificate.

A charitable organisation is entitled to appeal a decision of the KRA to reject an application for the exemption certificate or if an exemption certificate that had been granted is revoked. The appeal must be filed with the Tax Appeals Tribunal within thirty (30) days of the organisation receiving the written decision of the KRA, after giving the KRA notice in writing of the intention to appeal the decision.

After receiving the exemption certificate, the charitable organisation would be required to submit an income tax return on an annual basis to the KRA.

What are the rules on the allowability of donations to charitable organisations as a tax deduction for the donor for income tax purposes?

Pursuant to section 15(2)(w) of the Income Tax Act, persons making donations to a charitable organisation with an income tax exemption certificate or to a project approved by the Cabinet Secretary responsible for matters relating to finance qualify for a tax deduction on the donation.

To qualify for the tax deduction under the Draft Rules, the donation must:

• be in cash and not be refundable or repayable to the donor;
• not confer any direct or indirect benefit on the donor or any person associated with the donor;
• not be revoked by the donor once paid to the organisation unless approved by the KRA, in which case, tax would be due and payable.

Further, the donor must obtain a receipt showing the full name and address of the recipient organisation, the tax personal identification number of the recipient organisation, the date of the donation, the purpose of the donation, and the amount of the donation.

Notably, the Draft Rules propose to require that the donor obtain proof of utilisation of the funds from the non-profit organisation. This would include the approved project proposals and budgets submitted by the charitable organisation and approved by the donor, a copy of the exemption certificate of the organisation or the Cabinet Secretary’s approval of the project and a declaration from the recipient that the donation shall be used exclusively for charitable purposes.

The Draft Rules propose to repeal the Income Tax (Charitable Donations) Regulations, 2007.

Our comments

The Draft Rules provide clarity on the key considerations that the KRA will use to evaluate applications for an income tax exemption certificate and allowability of donations for income tax purposes. Charitable organisations and donors will be able to prepare their applications to the KRA with a clear understanding of the documents and information required. However, we note that some of the requirements are too prescriptive.

The attempt to limit the surplus funds that non-profit organisations may hold over a three-year period may discourage fundraising efforts by organisations seeking to accumulate funds to support long-term (over three (3) years) activities since the definition of surplus funds does not exclude common sources of funds such as donations or grants.

In attempting to set out the scope of activities that constitute the relief of poverty or distress of the public, or for the advancement of religion or education, the Draft Rules provide a closed list of activities, which may not be exhaustive.

Further, the Draft Rules introduce additional requirements that limit the number of eligible entities. For example, an organisation providing healthcare services as a means of relief of distress of the public would be required to, among others, offer free emergency treatment at an active emergency room and free specialised medical equipment not available at local hospitals.

The requirement for a person to obtain proof of utilisation of funds to qualify for an income tax deduction for donations to an exempt charitable organisation would impose an additional compliance burden on the donor. The charitable organisation would have to provide the donor with the required documentation including budgets, proposals, the exemption certificate, and a declaration that the funds will be used exclusively for charitable purposes.

The deadline for submission of comments to the KRA was 29 December 2023. We will continue to monitor developments on the Draft Rules and share updates on the same.

In today’s digital age, where information flows at an unprecedented pace and is a major driving force behind economies and societies, data breaches have become a common concern for individuals and organisations alike. Cybersecurity threats and data breaches have surged globally, and Kenya is no exception to this rapidly increasing concern.

According to the 2023 IBM Cost of a Data Breach Report, the global average cost of data breaches reached USD 4.45 million, a 15% increase from 2020, prompting 51% of businesses to increase their cybersecurity investments.  Locally, Kenya saw a significant surge in cyberattacks, with 860 million incidents reported in the past year. According to the Communication Authority of Kenya (CAK), cybercriminals often facilitated these attacks by exploiting weaknesses in the particular organisations’ internal controls, system protocols, and information systems, thus leading to unauthorised access. The CAK also observed that various sectors, including financial services, healthcare, education, energy and utilities, and government agencies, are vulnerable to cyberattacks. One notable incident involved a cyberattack on the eCitizen platform in July 2023, disrupting access to over 5,000 government services provided by ministries, county governments, and agencies – read more here.

This issue is now a serious agenda item in the boardroom. Chief Executive Officers, Board of Directors and General Counsel are spending much time grappling with this new risk, which can not only lead to loss of revenue and data but also seriously damage their brand and reputation in the market that has been built over a long period. Indeed, the nature of a data breach and the rules around reporting it is difficult to keep confidential, hence the reputational risk.

In this article, we explore the intricacies of personal data breaches in Kenya as enumerated in the Data Protection Act of 2019 (DPA). We have drawn on our experience in assisting our clients to navigate such incidents and comply with the applicable legal requirements in Kenya.

Meaning of a personal data breach

The DPA defines a personal data breach as a security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Therefore, a data breach needs not only to be unlawful or unauthorised such as in instances where a hacker causes it, but it can also arise from an accidental release of data to the public by an employee.

Thresholds for a notifiable data breach

The first step when analyzing a suspected incident is undertaking a review to determine whether the breach would be classified as a data breach under the law. The DPA provides two key requirements in determining whether there has been a data breach. These are that firstly, personal data should have been accessed by an unauthorised person and that such access results in a real risk of harm to the data subject whose personal data has been subjected to unauthorised access.

The Data Protection (General) Regulations 2021 provides that a data breach may result in a risk of harm if it relates to, among others, the data subject’s full name or identification number, details of the data subject’s income such as wages, bonuses or income from the sale of goods or property, credit cards or debit cards, financial details such as bank accounts number and health-related data.

The exception to this category is with respect to information that is publicly available or information that is disclosed in accordance with the law. However, such information should not be publicly available as a result of a data breach.

Fulfilling Notification and Communication Requirements in the Aftermath of a Data Breach

After determining whether a breach has happened, the second step is to determine whether the breach is notifiable to the regulator, in this case, the Office of the Data Protection Commissioner (ODPC) and to the affected data subjects. In the aftermath of a data breach, data controllers and data processors are required to comply with certain notification conditions under the DPA should the notification conditions be met. The question as to whether a notification is required would need to be considered fairly quickly because of the strict timelines set in the law regarding notification.  We have discussed the notification conditions further below.

Notifications between Data Processor and Data Controller

A data processor, who is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller,  must notify a data controller of the occurrence of a data breach. A data controller is defined as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data. In some instances, you will find that data processors and controllers are different or related entities within a group of companies and at times, this may present complications.

If a data processor becomes aware of a data breach, they are required to notify the data controller within forty-eight hours of becoming aware of such breach.

Notification to the Office of the Data Protection Commissioner

The DPA further requires a data controller to mandatorily notify the Data Commissioner within seventy-two hours of becoming aware of such a breach.  This notification period is understandably very tight, especially if a breach has occurred across a vast network of branches of the affected company or in several countries if it’s a multinational. In addition, sifting through the data and internal reporting requirements between the various teams in the company may lead to delays. This is, therefore, a contentious issue in particular instances where a data controller requires more time to undertake investigations to establish whether the breach is indeed notifiable before informing the ODPC since the ODPC tends to insist on strict compliance within this notification timeline. One of the practical ways that the regulator has broached is to share a brief update email as a preliminary breach notification with the regulator that there is a suspected breach that may or may not be notifiable and indicate that investigations are ongoing and a detailed notification will be made should the same be found to be notifiable.

The DPA does not prescribe a specific format to notify a data breach. However, section 43(4) to (5) of the DPA outlines the considerations and information required to be set out in the notifications of data breaches. This information includes the facts about the breach, its effects and the remedial action taken. Such information can be provided in a single notification or phase depending on the information concerning the data breach that is available to the data controller when making the notification.

If the notification of the data breach to the ODPC is made past the seventy-two-hour period, the data controller is required to accompany the late notification with the reasons for the delay. In our experience, the ODPC, in most instances requests additional information upon submitting the initial notification, which should be made within the seventy-two-hour period. It is, therefore, imperative that the initial or follow-up notification, as the case may be, submitted to the ODPC be as comprehensive as possible.

Notification to the Data Subject  

The DPA requires data subjects to be notified of a personal data breach in writing if they are identifiable. The timeline for this notification is not strictly defined but should be done within a reasonably practicable period. If data controllers decide not to notify data subjects, they must provide reasons for this decision in their notification to the Data Commissioner.

Since the DPA does not prescribe the format of the notification to the data subjects, the notification could take various forms depending on the appropriate and convenient mode. This could range from an e-mail to the respective individuals (preferably where the number of data subjects is definite and ascertainable), publishing a notice on the data controller’s website, or publishing a public notice in a newspaper with wide circulation.

How to Navigate a data breach

Based on our experience, the key takeaways for any data controller who suffers a data breach include:

1. Upon learning that a data processor’s systems are compromised, the data processor should within 48 hours notify the data controller.
2. Data controllers should submit a preliminary breach notification to the ODPC within the 72-hour period of a potential data breach under investigation, followed by a more formal notification once more details are discovered that confirm the breach is notifiable and, if possible, the data subject(s) within a reasonable timeframe.
3. The data controller should consider involving a competent cybersecurity firm to examine the extent of the data breach and the categories of data accessed.
4. If the data was not encrypted and the data breach affected classes specified under the second schedule to the General Regulations, the data controller should seek legal assistance in determining whether the data breach is notifiable.

Conclusion

Navigating data breaches requires a proactive approach and compliance with notification requirements to the ODPC and data subjects. Therefore, the response to data breaches should be coordinated to protect both data subjects and controllers.

In conclusion, data breaches are a pressing concern in the digital age, and Kenya has taken steps to address this issue through robust legislation. Understanding the intricacies of notifiable data breaches and the significance of timely notification to the regulator is pivotal for organisations. Navigating these incidents effectively requires a proactive approach, legal compliance, and collaboration with cybersecurity and legal experts. By doing so, organisations can protect their data, maintain customer trust, and thrive in an increasingly data-driven world.

The Affordable Housing Bill, 2023 (the Bill) has been tabled before the National Assembly. The Bill comes against the backdrop of the High Court decision on the validity of the Affordable Housing Levy (the Levy) provided for in the Finance Act 2023, rendered on 28 November 2023. In its decision, the court declared the Levy unconstitutional. However, despite finding the Levy unconstitutional, the court granted a stay of its judgment and allowed the government to continue collecting the Levy until 10 January 2024.

The Bill sets out its key objects as to give effect to the constitutional right to accessible and adequate housing, impose a levy to facilitate provision of affordable housing and provide a framework for implementation of the affordable housing programmes. Overall, the Bill seeks to remedy the irregularities raised by the High Court in declaring the Levy unconstitutional, by establishing a comprehensive legal framework for the imposition of the Levy. The Bill proposes to make provisions for the following:

• the establishment of the Levy to be imposed on the gross salary of employees and on gross income of unemployed persons. For employed persons, the Levy is 1.5% of the employee’s gross salary with a matching contribution from the employer. The employer has the obligation to deduct and remit the levy by the ninth (9^th) working day of the month following that in which payment is due. The due date for remitting the levy is likely to be open to wide interpretation since every organization has the leeway to define its working days and this may give employers more time to remit the levy;
• the designation of the Commissioner General of the Kenya Revenue Authority (KRA) or any other person appointed by the Cabinet Secretary, the National Treasury as the collector of the Levy;
• the establishment of the Affordable Housing Fund into which the Levy will be paid;
• the establishment of a legislative framework for the eligibility, criteria and application procedure for an affordable housing unit; and
• the repeal of sections 31B and 31C of the Employment Act, 2007 which currently provide for the payment of the Levy.

Some of the highlights from the Bill are analysed in further detail below.

No.	Proposal	Our Comments
1.	The Bill proposes to impose the Levy at a rate of 1.5 percent of the gross salary of each employee. The employer is required to match the employee’s contribution. Employers will be required to deduct the employee’s monthly contribution from the employee’s salary and remit both the employer and the employee’s contributions to the designated collector. Additionally, the Bill proposes to impose the Levy on unemployed persons at a rate of 1.5 percent of the gross income of such persons. The Bill also empowers the Cabinet Secretary (CS) responsible for the National Treasury to exempt any income or class of income or any person or class of persons from the Levy.	The imposition of the Levy on unemployed persons is intended to promote the fair sharing of the tax burden among all Kenyans and to address concerns raised by the High Court on the discriminatory nature of imposing the Levy on employed persons only. In its decision, the High Court faulted the government for imposing the Levy on employed persons only and held that the selective taxation was discriminatory. However, it is still unclear how the government intends to collect the Levy from unemployed persons every month due to the challenges that riddle collection of taxes and levies from the informal sector. Should the government fail to develop an effective system of ensuring persons in the formal and informal sector share the tax burden equally, it may subject the Levy to future scrutiny.
2.	The Bill designates either, the Commissioner General of the KRA, or any other person appointed by the CS responsible for the National Treasury, as the collector of the Levy. The Levy should be paid to the collector by the ninth (9th) working day after the end of the month in which the gross salary was due or gross income was received or accrued. Any default on payment attracts a penalty of three percent (3%) of the unpaid amount payable for each month that it remains unpaid.	The appointment of a designated collector remediates concerns raised by the High Court which found that the KRA was initially not properly authorised to collect the Levy. In its decision, the court faulted the purported appointment of KRA as the collector of the Levy by the CS for the Ministry of Lands, Public Works, Housing and Urban Development and held that only the CS in charge of Finance could appoint the receivers of national revenue.
3.	The Bill establishes the Affordable Housing Fund into which the Levy will be paid. The purpose of the fund is to provide funds for the development of affordable housing and associated social and physical infrastructure. The Bill also establishes the Affordable Housing Board whose purpose is to oversee the development of affordable housing and manage the Affordable Housing Fund. The Board shall be composed of: (a)   a non-executive chairperson appointed by the President; (b)   the Principal Secretaries to both the National Treasury and the State Department responsible for matters related to affordable housing or their designated representatives; (c)   three other persons appointed by the cabinet secretary responsible for matters related to affordable housing. The three persons shall be nominees of the Council of County Governors (COG), the Central Organization of Trade Union (COTU) and the Federation of Kenya Employers (FKE) his designated representative; (d)   three persons, not being public officers appointed by the cabinet secretary and possessing qualifications in the bult environment, finance and law; and (e)   the Chief Executive Officer who shall have no right to vote at a meeting of the Board.	This proposal addresses the issues raised by the High Court on the lack of a legal framework on how the Levy would be administered once collected.
4.	The Bill establishes a framework for the criteria and application procedure for an affordable housing unit. The Bill proposes three (3) categories of housing units; a social housing unit for persons whose monthly income is below KES 20,000, an affordable housing unit for persons with income of between KES 20,000 and KES 149,000 and an affordable market housing unit for persons with income of over KES 149,000. The Bill also allows persons who meet the eligibility criteria to make an application to the relevant agency for allocation of an affordable housing unit or for a loan towards the purchase of a unit.	This proposal is intended to address the issues raised by the High Court which faulted the government for imposing the Levy without establishing a corresponding legal mechanism on how affordable housing will be actualised.