In a significant move to enhance Kenya’s data protection landscape, the Data Privacy and Governance Society of Kenya (DPGSK) has proposed substantial amendments to the country’s Data Protection Act of 2019. These proposed changes aim to strengthen compliance obligations, enhance individual rights, and align Kenyan standards with evolving global standards. Below is a summary of the key amendments and their potential impact on organisations if enacted.
Key Proposed Amendments
1. New Definitions and Clarifications
The draft bill introduces new definitions and modifies existing ones, including the following:
- An expanded definition of ‘sensitive personal data’ that includes political opinions and trade union membership
- A slight modification to the definition of ‘consent’ for more flexibility.
- The addition of definitions for ‘commercial purposes,’ ‘public authority,’ ‘national security,’ and ‘tribunal’.
2. Expanded Data Subject Rights:
Section 26, which outlines data subject rights, is expanded to explicitly include the right to data portability and rights relating to profiling and automated decision-making. However, the language relating to automated decision-making is vague and may lead to confusion in interpretation or enforcement.
3. Establishment of a Complaints Appeal Tribunal
The bill proposes a new legal institution aimed at exclusively hearing appeals related to decisions made by the Office of the Data Protection Commissioner (ODPC). Specifically, it proposes the establishment of a Data Protection Appeals Tribunal with six members to be appointed by the Judicial Service Commission who will hear all appeals related to determinations from the ODPC. Under this provision, appeals would be heard in the tribunal.
4. Empowerment of Regulatory Authority
The proposed amendments transfer specific powers from the Cabinet Secretary to the ODPC, including the authority to make regulations, set exemptions, and approve annual reports. The Commissioner would also gain expanded responsibilities, including the accreditation of Data Protection Trainers as well as the development of comprehensive training frameworks. The bill also encourages cross-regulatory collaboration.
Implications
If implemented, the proposals would build further on the data subject rights already enshrined in the Data Protection Act and brings Kenya’s data protection framework closer in wording to the EU’s General Data Protection Regulation (GDPR).
The proposed bill would introduce more specialised oversight with the creation of the appeals tribunal. This would strengthen the Kenyan privacy regime and create checks on the ODPC as it continues to exercise its statutory powers.
Furthermore, the proposed bill would also grant greater autonomy to the ODPC to set regulations and standards by transferring certain powers from the Cabinet Secretary to the regulator. These changes would streamline the process of developing regulations.
Looking Ahead
The DPGSK plans to submit a refined draft for consideration to the Kenya Data Protection Act Review Committee established by the Ministry of Information Communications and the Digital Economy, and the ODPC.
Stay Informed!
Barizi Data Privacy Services (BDPS) continues to monitor and report on major developments in the data privacy space here in Kenya and beyond. To stay up-to-date on all the latest developments, follow us across social media or email us at info@bdps.co.ke to join our mailing list.
Disclaimer: This alert is for informational purposes only and does not constitute legal advice. For further guidance, please consult a qualified advocate or data protection specialists.
