President Kenyatta enacts Data Protection Bill
14 November 2019

On November 8, Kenyan President Uhuru Kenyatta enacted the Data Protection Bill 2019. The law paves the way for an Office of the Data Commissioner and sets out the requirements for the protection and processing of personal data in public and private companies. The law will come into effect within fourteen days of its publication in the Official Gazette, which is expected in the coming days.

President Kenyatta praised the new legislation, saying it will make Kenya “one of the most important innovative digital financial services hubs in the region”. He also stressed how beneficial it is for the development of a country to promote the digitalization of its economy.

Key aspects of the law:

  • Provides for the establishment of an Office of the Data Commissioner. The Office will oversee compliance with the law by public and private entities that store personal information, and may carry out inspections to that end and to assess the mechanisms used to safeguard data. The Office may impose administrative fines of up to USD 48,800 on regulated entities that breach the law.
  • Establishes the rights of data subjects, including the right to be informed of what companies will do with their information and to access it should they wish. They must also be able to rectify and/or delete any incorrect or misleading information. Users may also transfer their data from one company to another without obstruction.
  • Personal information may be collected from indirect sources when it is stored in public records or if the owner of the data allegedly published it, among other scenarios.
  • When an unauthorized person accesses another user’s personal information, the company in question must inform the Data Commissioner within 72 hours of being notified of the leak. The person concerned must also be informed.
  • A company that stores and/or processes personal data and wishes to transfer it to another country may do so as long as it has the authorization of the Data Commissioner and of the owner of the information. The institution wishing to do so must check that the external company that will store the information has the appropriate security measures in place.
  • The Secretary of Information, Communication and Technology will issue such regulations under the law as it deems necessary. The text of the law itself does not set a time frame for the publication of such regulations.