Kenya now has a data protection law. What does this mean for netizens?

M-pesa mobile money stand in Nairobi, Kenya. Photo credit: Fiona Graham / WorldRemit CC BY-SA 2.0.

On November 8, 2019, Kenyan President Uhuru Kenyatta signed the 2019 Data Protection Bill into law. Kenya now joins 25 out of 54 African countries that have so far implemented laws on personal data protection, with Zambia and Zimbabwe soon joining their ranks.

Kenya’s new data protection law, modeled around the European Union’s General Data Protection Regulation (GDPR), has been long overdue. Despite earning the title of Africa’s Silicon Savannah for its giant strides in the proliferation of information and communication technologies (ICTs) and becoming a hotbed for startups from within the continent and Silicon Valley, Kenya has not had any data protection laws.

This lack of a legal framework on how private and government entities should handle customer and citizens’ data became the subject of one of the world’s first cases where citizens’ private data was used to sway a presidential election. 

The 2013 and 2017 Kenyan presidential elections that saw the reelection of President Kenyatta were embroiled in a scam in which Cambridge Analytica illegally collected Facebook profile data from millions of Kenyans. These profiles were then correlated with over 47,000 surveys conducted in the run-up to the 2013 presidential election to determine Kenyan voters’ needs and concerns, which informed campaign messaging. In the 2017 presidential election, these insights were used in a data-driven micro-targeted digital campaign to help incumbent Kenyatta get re-elected.

The UK-based consulting company had been in the limelight since United States President Donald Trump's election victory in 2016 for harvesting data about millions of Facebook users and targeting them with information intended to sway them in Trump's favor. 

This new data law will have a significant and far-reaching impact as Kenya continues to have one of the highest rates of internet penetration in Africa at 112% according to the latest statistics from the Communications Authority.

A review of Kenya’s new data protection law

The mandate of this new law will essentially be to establish a legal and institutional mechanism to regulate the collection, storage and processing of personal data in order to protect the privacy of individuals. The law will enforce the right to privacy by providing remedies against any breach.

Kenyan citizens now have the right to know why and how their information is being recorded, stored and handled, and for what specific purpose it will be used. They will also have the right to access their personal data and object to its processing, the right to correction and deletion of false or misleading data, and the right to prohibit the disclosure or reuse of their personal data.

Organizations and government authorities that own, manage, store or control data will now be required to register their businesses with the office of a Data Protection Commissioner, as mandated by the new law. They will also be required to inform users of the personal data they are collecting, why they are using it and how long they are storing it.

Kenyans welcome new law

The new law is a welcome relief for many Kenyans who have been subject to various forms of privacy violations, in particular, due to the country’s proliferation of mobile connectivity and adoption of mobile money services.  

The collection of personal data from citizens has, for a long time now, been part of the security requirements that private and government institutions impose on Kenyans seeking access to most buildings. Although the information is often collected as a safeguard, its effectiveness as a stop-gap measure against acts of violence has been called into question. The most recent Dusit terror attack and the September 2013 Westgate shopping mall attack drove the painful point home.

Whereas these data collection points have proved to have loopholes that terrorists have exploited by registering fake details, the majority of Kenyans do enter their actual personal details in these building registers.

Cases of mobile and online fraud have continued to increase, often targeting users of M-pesa mobile money service — the most popular way to pay for goods and services both online and offline in Kenya. M-pesa is a service by Safaricom, a public limited company and one of Kenya’s largest mobile network operators.

It has also become common practice among Kenyan businesses that accept M-pesa payments through the Paybill service to spam their customers with promotional messages, using contacts collected for the sole purpose of facilitating a payment transaction.

Kenya’s ICT practitioners hailed the signed bill as a good regulatory framework for the industry and have urged the government to fast track the composition of guidelines and regulations around the data protection law in consultation with their industry.

Concerns on enforcement

The new law will be enforced by the office of the Data Protection Commissioner (DPC), a body that will be created and headed by a data commissioner. The commissioner will be recruited and employed by the Public Service Commission upon appointment by the president, subject to the approval of the National Assembly. The DPC will run under the Ministry of Information Communications and Technology (ICT). The commissioner will receive and investigate violations, with the power to file lawsuits and impose fines.

According to Kenyans online, this is only the beginning. A major hurdle will be the implementation and enforcement of this law against the biggest culprits: digital lending apps, which use predatory and unethical tactics that require access to users’ smartphone data in a bid to determine creditworthiness and recover loans from defaulters, and retail businesses that spam their customers with promotional text messages.

Critics have raised concerns about the timing of the signing, which comes on the heels of an uproar by Kenyans over the massive implementation of the National Integrated Identity Management System (NIIMS), better known as Huduma Namba, which was heavily criticized by privacy advocates.

NIIMS is a national program introduced by the Kenyan government in April 2019 to establish a mass biometric registration system, with the objective of creating, managing and storing Kenya’s population data and serving as the “single source of truth” of information about Kenyan citizens and foreigners residing in the country.

Kenyan freelance writer Rasna Warah recently wrote an opinion article on why the signing of the data bill is meant to fast track the implementation of Huduma Namba, which many had opposed earlier due to the lack of a proper framework. She reads malice in the hurried manner in which the new data protection bill was passed into law. She believes it was created as a gateway for the commercial interests behind the Huduma Namba national exercise, in which citizens will be driven into a debt trap.

Her sentiments have also been shared by renowned Kenyan economist David Ndii, whose article “Crony Capitalism and State Capture 2: Documents Reveal the Kenyatta Family’s Plans to Take over Lending to SMEs,” delves into the details of a proposed mobile phone lending platform in which the Kenyatta family-owned bank, NCBA, has vast interests. 

The proposed initiative is a “collaborative initiative to bridge the access to credit by micro and small enterprises.” 

Interestingly, on the day President Kenyatta signed the bill into law, he was flanked by executives from Amazon, who announced their plans to set up an Amazon Web Services Edge Location in Kenya. Amazon operates Amazon Web Services — the largest cloud-computing platform in the world.

It remains to be seen whether or not the new law will protect the rights of Kenyan citizens or merely serve as a conduit through which private data can legally be acquired, stored and used for commercial purposes by players higher up in the digital capitalism food chain.
