Skip to content

An update on the Data Protection Bill 2019: a step forward for Kenya

2 August 2019
– 2 Minute Read


Kenya is making good headway towards the process of enacting its first primary piece of data protection legislation. The revised Data Protection Bill 2019 (the Bill) was gazetted on 5 July 2019 and represents a positive step forward after much to-and-fro. Please click here for some background.

Conditions for cross-border transfers

One of the major concerns with the previous texts of the draft legislation was the requirement for the local storage of personal information.

The sentiment was that these restrictions were counter-productive to emerging technologies (in particular cloud computing) and would result in unnecessary hindrances to the ever-evolving technological landscape that is shaping the everyday lives of Kenyans. The Bill permits the cross-border transfer of personal data subject to certain conditions being met. These include adequacy of appropriate safeguards, consent of the data subject, the transfer being necessary to perform a contract, implementation of pre-contractual measures, or for any matter of public interest.

However, the Bill introduces a very broad carve-out allowing the Cabinet Secretary to prescribe that a certain type of processing should only be effected through a server or data centre located in Kenya. This would be permissible ‘based on strategic interests …or … protection of revenue’. No further details are given and this, together with the fact that the Cabinet Secretary can exercise these discretionary powers at any time, creates uncertainty, in our view.