The right to privacy is guaranteed under Article 31 of the Constitution of Kenya, 2010 (“the Constitution”). On 25th November, 2019, the Data Protection Act, No. 24 of 2019 (“the Act”) was enacted to give effect to Article 31(c) and (d) of the Constitution, which provide for the right to privacy. These provisions cover, respectively, a person's right not to have information relating to their family or private affairs unnecessarily required or revealed, and the right not to have the privacy of their communications infringed.
The Act governs the use, processing, and archiving of personal data, establishes the Office of the Data Protection Commissioner, makes provision for the regulation of the processing of personal data, stipulates the data producers’ rights, and specifies the obligations of the data controllers and processors.
Consequently, three regulations were enacted to implement the Act: the Data Protection (General) Regulations, 2021, the Data Protection (Compliance and Enforcement) Regulations, 2021 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. The regulations have, however, not been operationalized and have been submitted to the Senate for review.
The Data Protection (General) Regulations, 2021
These regulations set out the rights of data subjects, including the right to access personal data, the right to restrict the processing of data, the right to object to data processing, the right of rectification of data and the right of erasure of data. Further, the regulations elaborate on the duties and obligations of data controllers and data processors, including the obligation to explain to the data subject, in understandable language, the nature of the processing of the data, the obligation to obtain express consent from the data subject before collecting any data and the duty to collect data which is specific to the data subject.
The Data Protection (Compliance and Enforcement) Regulations, 2021
The Data Protection (Compliance and Enforcement) Regulations, 2021 outline the compliance and enforcement provisions for the Data Commissioner, Data Controllers, and Data Processors. The process of lodging complaints is also streamlined. The pertinent issues that arise from these regulations include transparency and accountability, enforcement measures on the International Personal Data Transfer (IPDT) and the imposition of administrative fines.
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 define the procedure that is adopted by the Office of the Data Protection Commissioner in registering Data Controllers and Data Processors as per the Act. Registration is done by lodging an application with the Data Commissioner, accompanied by the registration fees, the establishment documents, particulars of the Data Controller/Processor and a description of the categories of personal data.
The Data Protection laws are crucial in the protection of human rights in the digital age. Recently, in the case of the Republic v Joe Mucheru, the Ministry of Interior and Coordination of National Government, the Attorney General and the Data Commissioner (Judicial Review Application No. E1138 of 2020), the High Court suspended the rollout of the government’s digital ID system, Huduma Namba, citing its disregard for the data protection framework on privacy. This was a move towards the recognition and enforcement of data protection laws in Kenya. As evidenced by recent developments like the Huduma Namba case, the established legal framework on data protection is essential in the protection of the right to privacy.
The court decision can be found here.
Please contact us at info@cfllegal.com should you require further information.