Data Governance

Kenya Data Protection Bill 2018

8 min read

According to data from UNCTAD, 107 countries (of which 66 are developing countries or transitioning economies) have put in place legislation to secure the protection of data and privacy. In Africa, 22 countries (41%) already have a law in place to secure and protect data and privacy. Kenya is one of the 7 African countries (13%) with a draft legislation to protect consumer data. However, 13 African countries have no legislation and 12 countries have no existing data on data and privacy legislations.

What is Kenya’s Data Protection Bill?

Kenya’s Data Protection Bill 2018 is a regulation that requires businesses to protect the personal data and privacy of Kenya’s citizens for transactions that occur within Kenya. The new rules have sweeping implications for users and businesses of the Internet and non-compliance could cost companies dearly. Kenya’s Privacy and Data Protection Policy will also regulate the exportation of data outside Kenya.

It has to be said that Kenya’s Data Protection Bill mirrors the GDPR – which represents one of the most robust data privacy laws in the world. Once implemented, Kenya’s Privacy and Data Protection Policy will give Kenyan Citizens the right to ask companies how their personal data is collected and stored, how it’s being used, and request the personal data to be deleted.

The Policy will also require companies clearly explain how our data is stored and used, and get our consent before collecting it. Kenyans can also object to personal data being used for certain purposes such as Direct Marketing. Please note that this bill also applies to all data subjects, whether a resident of Kenya or not, whose data is, or has been collected or processed by a data controller in Kenya.

What is the purpose of the Bill?

The short answer to this question is public concern over privacy. Kenya’s Privacy and Data Protection Policy aims to lay the foundation to enforce Article 31 of the Kenyan Constitution by developing privacy and data protection laws.

According to Article 31 of the Kenyan Constitution, every person has the right to privacy which includes the right not to have the privacy of their communications infringed.

This policy reaffirms the commitment of Kenya’s government to protect the Personal Data including the Personal Sensitive Data. The main objectives of this policy are:

  1. To inform the development of Privacy and Data Protection laws and facilitate statutory and regulatory compliance, and enhance effective application of the proposed laws in Kenya;
  2. To comply with the international good practice and ensure consistency in practices and procedures in developing and administering the Privacy and Data Protection laws;
  3. To ensure effective protection and management of Personal Data by identifying, assessing, monitoring and mitigating privacy risks in programs and activities involving the collection, retention, use, disclosure and disposal of Personal Data;
  4. To establish the required institutional framework for privacy and data protection; and
  5. To protect children and vulnerable groups

What types of privacy data does the Kenya Data Protection Bill protect?

Just like the EU General Data Protection Regulation (GDPR), Kenya’s Data Protection Bill protects:

  • Basic information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Which companies will be affected by this Policy?

Any company that stores or processes information about Kenya’s citizens must comply with the Kenya Privacy and Data Protection Policy; even if they do NOT have business presence within Kenya. Specific criteria for companies required to comply are:

  • A presence in Kenya.
  • No presence in Kenya, but processes personal Data of Kenyan citizens.

Section 7.5 allows Cross Border Transfer. This means that the Policy may allow the personal data of Kenyan citizens to be transferred to other countries or entities if such countries or entities have met the adequate safeguards spelt out in this policy for maintaining the required protection for the privacy rights of the data subjects in relation to their personal data.

Who within your Company will be responsible for compliance?

The Data Protection Bill defines several roles that are responsible for ensuring compliance:

Data Controller, Data Processor and Data Protection Officer. The data controller defines how personal data is processed and the purposes for which it is processed. Section 8 of the Policy clearly defines all the key obligations and requirements of Data Controllers and Processors.

It MUST be highlighted that it is the role of the Data controllers/Processors to designate a Data Protection Officer to handle all matters of data protection; according to section 8.2.8. The Data Controllers/Processors are also tasked with developing internal data protection policies and procedures as per section 8.2.10.

What are the Key sections of the Bill?

5.3 Data Minimization

During the Kenya Internet Governance Forum 2018, Panelists of the third Session- Strengthening Data Security in the context of emerging trends – agreed that we are collecting too much data in Kenya. John Walubengo spoke of the need to enhance data minimization and the importance of a regulation that can guide data collectors on how much data they collect from the Kenyan Public.

5.3.1. Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which the data will be processed.

5.3.2. Before processing personal data, a data controller must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which the data was required.

5.3.3. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by law.

5.3.4. Privacy and security should be built and integrated in from the onset in all data management systems that collect and process  personal data. Such systems should have privacy incorporated by design or default.

6.1.8. The right to data portability;

The Kenya Data Protection Bill introduces data portability – the right for a data subject to receive the personal data concerning them and and have the right to transmit that data to another controller. Kindly note that Internet Yetu already provides the right to data portability for our website users and subscribers. Users/subscribers can request their personal data through this form . To learn comprehensive details about what the right to data portability means; kindly read Article 20 of the EU General Data Protection Regulation.

6.1.9. The right to be forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Users/ Subscribers of Internet Yetu also have the right to be forgotten. They can request the removal of their personal data through this form . To learn more about the right to erasure, read Article 17 of the EU General Data Protection Regulation.

8.3 Data Protection by Design and Default

Privacy(Data Protection) by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

8.5 Data controller must manage any personal data breaches promptly and appropriately:

8.5.1. All data breaches are to be reported to the Data Protection Regulator. The reporting must be done expeditiously.
8.5.2 The frequency and severity of the breach will determine the next level of intervention.

What would we like to see?

The Data Protection Bill does not clearly outline how it impacts local Cookie Policies. At Internet Yetu, we believe that it is paramount for Kenyan organizations to find a lawful ground to collect and process data from cookies. Currently, Kenyan organizations rely on consent (either implied or opt-out).

According to Recital 30 of the EU General Data Protection Regulation (GDPR), if/when cookies can identify an individual via their device, it is considered personal data. This directly supports recital 26 of the GDPR, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.

All these facts considered, Internet Yetu suggests that the Kenya Data Protection Bill integrate The Cookie Law based on the findings of 2016 Data Protection Compliance Conference. The Cookie Law states:

  • Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
  • ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means:
  • It must be as easy to withdraw consent as it is to give it. If organizations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first.
  • Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.


If implemented, Kenya’s Data Protection Policy will be one of the most progressive Data Protection Legislations not only in Africa, but in the whole world. As mentioned before, the Data Protection Bill effectively adopts key concepts from the EU General Data Protection Regulation – which represents the most exhaustive data privacy laws in the world.

It is therefore in the interest of all stakeholders in Kenya, that all sections of the Privacy and Data Protection Policy be strictly adhered to (Once bill is implemented).

To view and download the Kenya Data Protection Bill, click here.