KENYA: PUBLIC PARTICIPATION ON THE DRAFT DATA PROTECTION REGULATIONS
The Ministry of ICT, Innovation and Youth Affairs has issued a call for comments on the draft Data Protection Regulations to be passed under the Data Protection Act, 2019, as part of public participation. Three Regulations have been proposed, which are the:
- Data Protection (General) Regulations, 2021;
- Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021; and
- Data Protection (Compliance and Enforcement) Regulations, 2021.
The deadline for members of the public and various stakeholders to issue their views on the above Draft Regulations is Tuesday 27 April 2021. Furthermore, a series of virtual public hearings will be conducted on the 27th, 28th and 29th of April to allow for discussions on the various views, emphasizing the Office of the Data Protection Commissioner’s (ODPC) commitment to a transparent process.
Some of the salient provisions we have identified in our preliminary analysis of the Draft Regulations are as follows:
Data Protection (General) Regulations (the General Regulations)
- Consent Requirements. The General Regulations clarify that consent as a basis for processing personal data must be explicit, clear, informed, voluntary, specific and freely given by the data subject. Further, they also set out various modes of signifying consent, such as orally or in writing, which may include a handwritten signature, an oral statement or the use of an electronic or other medium, to signify agreement.
- Commercial use of personal data. The General Regulations describe direct marketing as a commercial use of personal data. There is a clear threshold for what constitutes using personal data for the purposes of direct marketing. The categories are where a data processor:
- sends a catalogue through any medium, to a data subject;
- displays an advertisement on an online media site a data subject is logged onto via the use of their personal data; or
- sends an electronic message or any other advertising material to a data subject about a sale using personal data provided by the data subject.
Furthermore, not only must the data subject consent to receiving the direct marketing communication, but the data subject must also be empowered to opt out of advertising. Data controllers/processors are obliged to provide data subjects with opt-out messaging that is clear, simple to understand, allows for communication between the data subject and the data controller/processor and is free of charge (or charged at a nominal rate).
- Data Retention Schedules. The Regulations go on to oblige data controllers/processors to design personal data retention schedules with appropriate time limits. This ensures that the data controller/processor conducts periodic reviews of whether retention of specific personal data is necessary.
Furthermore, the General Regulations reinforce the principles set out in the DPA including the principles of data minimization and storage limitation.
- Disclosure rule on automated decision-making. The Regulations require data controllers/processors to provide “meaningful information about the logic involved” in automated decision-making. We consider that if passed in the current form, this regulation may potentially violate intellectual property rights (IP) that protect the software used by, for instance, financial service providers for automated processing of the credit worthiness of a potential customer. Indeed, the protection of confidential trade secret information such as proprietary algorithms is a concern.
- Data localization requirements. The Regulations provide that where data processing is done for the purpose of actualizing a public good, the processing should be effected through a server and data center located in Kenya, and at least one serving copy of the personal data should be stored in a data center in Kenya. The General Regulations describe “processing for purposes of actualizing a public good” to include: managing an electronic payment system licensed under the National Payment Systems Act; processing health data for any purpose other than providing health care directly to a data subject; managing personal data to facilitate access to primary and secondary education; and management of a system designated as a protected computer system under the Computer Misuse and Cybercrime Act, 2018.
In our view, the second requirement, that at least one serving copy be stored in Kenya, is not clear and seems to contradict the first requirement. It is not clear whether the provision would allow for processing to be done through multiple servers and data centers simultaneously, i.e. servers located both within and outside Kenya. Equally, the security of the current data infrastructure network in Kenya may not be adequate.
- Data Breaches. Financial service providers are directly affected by these provisions. The General Regulations specifically provide that a real risk of harm occurs where the data breach involves a data subject’s account identifier (the account name/number) and password, codes, two-step authentication data or biometric data. As such, financial service providers shall be obliged to notify the ODPC of such breaches.
- Cross-border transfer of personal data. The General Regulations set out the requirements that need to be met before transferring personal data outside Kenya. They are:
- the recipient is bound by legally enforceable obligations to ensure the same level of protection to the transferred personal data as that provided for under the DPA and the General Regulations;
- the data subject is informed of the safeguards and the implications and risks involved in the cross-border transfer, and the data subject has consented to the transfer to that recipient. This suggests that the recipient must clearly be identified in the applicable privacy statement;
- the transferring entity has taken reasonable steps to ensure that transferred personal data is not used for any unintended purposes; and
- the data subject’s rights are safeguarded.
However, cross-border transfers of data may be allowed without restrictions where the transfer is “necessary” as provided under section 48(c) of the DPA; the requirements arbitrarily or unjustifiably discriminate against any person; the requirements impose a restriction on trade; and the restrictions on transfers of personal data are greater than are required to achieve the objective under the DPA.
The General Regulations also prescribe the terms that are to be contained in cross-border transfer agreements between transferring entities and the recipients of personal data. However, they do not go as far as prescribing template model standard clauses, as currently exist under the counterpart European legislation.
Data Protection (Registration of Data Controllers and Data Processors) Regulations (Registration Regulations)
- Application for registration. An application for registration of a data controller can be filed online, should be in the prescribed form, and accompanied by the prescribed registration fees, prescribed supporting documents and any other relevant information that the ODPC may require. Where a data controller also acts as a data processor, then they must also register as a data processor.
Once issued, a certificate of registration will be valid for a period of one year and shall be subject to renewal. All registration certificates must be clearly displayed on the data controller or processor’s website or principal place of business and failure to do so attracts an administrative fine.
The ODPC may refuse an application for registration or renewal where insufficient information is provided, appropriate safeguards for the protection of the data subject’s privacy have not been provided, or the data controller or processor is in breach of the DPA.
- Thresholds for mandatory registration. The Registration Regulations also set out the thresholds for mandatory registration as a data controller or data processor. These are an annual turnover exceeding KES 5,000,000 and more than 10 employees. In our view, this minimum threshold appears low, as a result of which a majority of businesses in Kenya will be obliged to register with the ODPC, even if data collection and processing may not constitute an integral part of their core business. This adds to the layers of registrations that businesses set up in Kenya are required to procure and may impede the ease of doing business in Kenya. This will result in additional regulatory burdens for SMEs.
Additionally, data controllers and processors who do not meet the above threshold but engage in any of the activities listed under the Third Schedule to the Draft Registration Regulations are required to register. The list includes health administration and providers of patient care; hospitality industry firms; insurance administration and similar undertakings; faith-based or religious institutions; retirement benefits administrators; property managers, including sellers of land; providers of financial services; telecommunications network or service providers; businesses that are wholly or mainly in direct marketing; and internet access providers.
Data Protection (Compliance and Enforcement) Regulations (Compliance and Enforcement Regulations)
- Complaints Procedure. The Compliance and Enforcement Regulations provide clarification on how data subject complaints will be handled. They set out the following procedural provisions:
- joint consideration of complaints where two or more complaints are lodged against a respondent with similar allegations. The ODPC will treat one complaint as a test complaint and any decision made will apply with necessary modifications to all the other complaints consolidated with it.
- the notification of data subject complaints to a respondent data controller or data processor will be done in the prescribed form, and a response from a respondent is to be submitted within 14 days of receiving the notification from the ODPC.
- the ODPC can request any document or piece of information from a person or institution subject to the complaint proceedings, despite the fact that there is currently no requirement set out in the Draft Regulations for the ODPC to seek a warrant before doing so.
- the use of negotiation, conciliation or mediation for the resolution of data subject complaints by the ODPC. However, the Compliance and Enforcement Regulations do not make an express provision for the use of internal dispute resolution and complaints handling procedures by a data controller or data processor.
- Daily Fines. The Compliance and Enforcement Regulations allow the ODPC to impose a daily fine of not more than ten thousand shillings (KES 10,000 (approximately 100 USD)) for each identified breach until it is rectified. Depending on the number of breaches identified, this fine may be very hefty, particularly where a service provider processes large volumes of data.
The Bowmans Data Protection team will be submitting its substantive comments on the proposed Draft Regulations to the Office of the Data Protection Commissioner. In this regard, our submissions will take into account the implications for our clients who are data collectors, data processors or data subjects. Do let us know if you have any specific concerns arising from the Draft Regulations that you would want us to include and/or consider for submission.
In addition, we will provide an in-depth review of the Draft Regulations.
Based on the preliminary issues identified above, we consider that the Draft Regulations will potentially place numerous procedural obligations on data processors and data collectors, if passed in their current form. Additionally, there is a risk of the Draft Regulations stifling innovation where they are not technology neutral (i.e. they focus on regulating specific forms of technology and, in doing so, hinder new developments in that field). It would be prudent to consider these Draft Regulations carefully due to their far-reaching impact on the business of entities that collect and process data in Kenya. Please reach out to your relationship partner at Bowmans for any further guidance.