This year, Kenya celebrates five years since the enactment of the Data Protection Act (DPA), including establishing the Office of the Data Protection Commissioner (ODPC), a comprehensive privacy and data protection framework for the country.
To reflect on this, KICTAnet, a multi-stakeholder think tank for people and institutions interested in and involved in ICT policy and regulation, developed a policy brief to reflect on Kenya’s progress, challenges, and opportunities in its journey towards the implementation of the DPA and also identify areas for enhancement and reform. The brief was released Wednesday at an Africa-wide Data Protection Conference in Nairobi.
The five-year policy brief on data protection act termed, “Five Years of Kenya’s Data Protection Act: Reflections and Considerations for the Future” launched by @KICTANet and presented at the NADPA Conference is accessible at: https://t.co/cn0urC97YO
#DataProtectionKE pic.twitter.com/DSABZfyuJZ— OFFICE OF THE DATA PROTECTION COMMISSIONER (@ODPC_KE) May 8, 2024
Speaking during the release of the report, Victor Kapiyo, Trustee, KICTAnet, highlighted some of the positive achievements: “There is a strong policy and regulatory framework with laws, guidelines, regulations and guidelines accompanied by an active ODPC which has undertaken a wide range of measures to operationalize and enforce the Act. This has led to the willingness of other jurisdictions such as the European Union to offer Kenya equivalency status, which can enhance trade, investment, cooperation and job opportunities.”
He also highlighted some challenges, such as “threats to the independence of the ODPC due to limited funding, low staffing, legal structure, political interference, recommendations for a board appointment, and the existence of competing data protection roles and responsibilities with other sectors regulators.” He added that “while it is important to enable responsible international data transfers to enhance trade and economic opportunities, there is pressure from other jurisdictions for alternative data protection regimes, which could affect the sovereignty of the ODPC and the effectiveness of the DPA in protecting personal data.”
The report provided a number of recommendations, including:
- Parliament should strengthen the independence of the ODPC by amending the DPA to make the ODPC autonomous, separate it from the ICT Ministry, and increase the ODPCs.budgetary allocation to enable it to discharge its mandate across the country effectively.
- The government should formulate a comprehensive national data governance framework to holistically address complementary data protection issues, including interoperability, classification, and security.
- ODPC should issue relevant guidelines, codes, and frameworks to operationalize the DPA fully. including publishing guidance for lawful data sharing between state agencies and adequacy rules to facilitate lawful cross-border data transfers. ODPC should obtain equivalency status with other jurisdictions and collaborate with government agencies to reap economic benefits.
- ODPC should intensify efforts to regulate and oversee the data processing operations of all data handlers, especially state entities, Big Tech, and the financial sector.
With the Network of African Data Protection Authorities holding its annual conference in Kenya, the report also made recommendations at an African-wide level to enhance regional integration and alignment, which would better protect Africans’ data while enabling greater trade and opportunities from the digital economy.
The report can be downloaded at: tinyurl.com/rrafdrdt
