Skip to content

Developments on the Appointment of the Data Commissioner

27 July 2020
– 2 Minute Read


A key step in the implementation and enforcement of the Data Protection Act 2019 will be the eventual appointment and establishment of the Office of the Data Protection Commissioner and the appointment of the Data Protection Commissioner.

Good progress was being made by the Public Service Commission, who had initiated the process to recruit a Data Commissioner (see our previous update here). To this end, the Public Service Commission had recently published a shortlist of 10 candidates, who were set to be interviewed to fill the position of Data Commissioner. However, the Employment and Labour Relations Court put a halt to the interviewing process, after it received a judicial review application from Adrian Kamotho to stop the process on grounds of lack of transparency, particularly taking into account the position and power of the Office of Data Commissioner. It is claimed that the Public Service Commission acted in excess of its legal jurisdiction, after it scheduled interviews more than two months after it received applications from the public.

The Data Protection Act requires the Public Service Commission to complete the entire process of appointing a Data Commissioner, including shortlisting and interviewing candidates, within 21 days of receiving applications from the public. Accordingly, the Court is set to determine whether the process adopted by the Public Service Commissioner of appointing a Data Commissioner was flawed. As a result, the process of appointing a Data Commissioner is likely to be further delayed, which in turn will set back the efforts to enforce principles of data protection in Kenya.

The matter was due to be heard on 14 July 2020, however as yet no further updates have been issued. We will keep you updated on any further developments with respect to this matter.

Until such time as the Data Commissioner is appointed, we encourage entities acting as either data controllers and or data processors to self-regulate in order to ensure compliance with the Data Protection Act 2019.