
Trends in Data Protection, Enforcement in Kenya

Clara Situma


The Kenyan Data Protection Act 2019 (“DPA”) was enacted just over three years ago.

With the creation of the Office of the Data Protection Commissioner (“ODPC”), the introduction of supplementary regulations, ongoing public awareness efforts and, most recently, regulatory action and enforcement, its implementation has advanced quickly.

International Data Privacy Day last month provided an occasion to reflect on recent enforcement trends, both domestic and international, and on their implications for Kenyan data controllers and processors in 2023 and beyond.

One of the ODPC’s responsibilities is to audit organizations that handle personal data in order to determine whether that handling complies with the data protection principles and other requirements of the DPA and related legislation.

The ODPC announced on October 5th, 2022, that it would be undertaking an audit and evaluation of 40 Digital Credit Providers (DCPs).

Separately, the Aga Khan University Hospital received an enforcement notice for alleged violations of the data privacy law.

The notices outlined the main points the ODPC would consider when auditing a data controller or a data processor.

These include, among others, evidence of registration as a data controller or processor (or of a pending application), a description of the processing operations carried out, compliance with the DPA’s notification obligations, and compliance with the conditions for valid consent.

The October audit notices were particularly significant because they marked the ODPC’s first overt regulatory action aimed at enforcing the DPA against alleged violations.

Until then, most of the ODPC’s public activity had focused on raising awareness of the DPA and of the office’s regulatory mandate.

In late December 2022, the regulator issued its first fine under the DPA, underscoring the ODPC’s growing emphasis on enforcement.

Smartphone manufacturer OPPO Kenya was found to have violated a customer’s privacy by posting the customer’s image on the company’s Instagram account without consent.

After receiving a complaint from the customer, the ODPC served OPPO Kenya with an enforcement notice ordering it to take the image down from its social media page. The company was found not to have a data protection policy, as required by the DPA and its regulations, and to have disregarded the enforcement notice.

For these infractions the ODPC fined OPPO Kenya Sh5 million, the highest sanction the regulator can impose under the DPA.

Internationally, European data protection authorities have also been fining numerous organizations for GDPR violations. Meta, which owns Facebook, Instagram and WhatsApp, was fined EUR 405 million by the Irish Data Protection Commissioner over its processing of children’s personal data on Instagram.

The French and Italian data protection authorities each fined the US facial recognition company Clearview AI Inc. EUR 20 million for unlawfully processing personal data, including biometric and geolocation data, in violation of the GDPR.

Google was also fined EUR 10 million by the Spanish data protection authority for failing to act properly on data subject requests.

These cases show that the ODPC and comparable data protection and privacy regulators elsewhere are relying increasingly on enforcement action to drive compliance with data protection law.

Businesses in Kenya should therefore keep abreast of such regulatory action and ensure that their data protection and privacy compliance programmes are robust enough to minimise the risk of enforcement action being taken against them.

Key risk areas emerging from the cases above include: the use of personal data, such as photographs, for marketing and other commercial purposes; the use of online profiling technologies, such as cookies and AI; the adequacy of data protection impact assessments in flagging high-risk processing; and failure or delay in responding to regulatory notices.

To avoid attracting regulatory scrutiny, businesses must be careful in how they manage personal data. Any company that handles personal data should ensure that all of its employees have received the necessary training on privacy and data protection.

It should also maintain an inventory of all the personal data it handles.

It should further conduct a thorough assessment of the data protection and privacy gaps in its operations and put in place measures to close any gaps that are found.

A company processing personal data must regularly reassess its operating environment for emerging threats to data security and privacy. Data protection and privacy risk in Kenya and elsewhere in 2023.

Enterprise Magazine is Owned by The Carlstic Group Ltd. Copyright © 2016—2024. Site Developed and Maintained by Carlstic