By Jackline Akello
The recently enacted Data Protection Act, 2019 has brought about the need to enlighten stakeholders about its implication on personal data. The lawyers Hub training on Data Protection and the General Data Protection Regulation (GDPR) conducted on 22nd January, 2020, focused on expounding provisions of the Act with an intention of incentivizing lawyers on ways to comply. The training also highlighted provisions of the GDPR, from which the Data Protection Act has been heavily borrowed.
The speakers were Dr. Isaac Rutenberg, Director for the Centre for Intellectual Property and Information Technology Law (CIPIT), who explained the Data Protection principles and the GDPR; Grace Bomu, Research Fellow at CIPIT, who took participants through the Kenyan Data Protection Act and; Rosemary Koech, Legal and Regulatory Officer at Oxygene Communications Ltd, who demonstrated measures that can be adopted by lawyers to ensure compliance with the Act.
Dr. Isaac Rutenberg commenced by highlighting the principles of data protection , established to guide data controllers and data processors in the processing of personal data, and compared them with the principles laid out in the GDPR, where it was evident that the principles laid out in the two statutes are similar. He subsequently elaborated the difference between personal data and sensitive personal data and gave a clear cut distinction between the two using illustrations, and emphasizing on the need for lawyers to appreciate the difference when handling personal data, to ensure effective compliance with the Act.
This was followed by an enumeration of data controllers and data processors together with their requisite statutory requirement for registration under Section 18 of the Act. Accordingly, he stressed on the need for organizations falling within the category of data controllers and processors, to register under the Act to ensure smooth transition and compliance with the law.
He further brought out some unique features of the GDPR such as, the territorial scope espoused in Article 3 which is to the effect that the GDPR only applies to EU members. The implication of this provision is that any data collected within the EU, is subject to the GDPR. For instance, any company marketing goods or services to EU residents or any site collecting any of the regulated data from European users, shall be liable to comply with the GDPR. Other unique features of the GDPR mentioned were, the obligation of disclosure of breach by organizations within 72 hours and the right to be forgotten i.e. right of erasure.
Grace Bomu on the other hand, presented on the need for data protection. She made the audience aware of the significance of data protection measures and stated that data should be protected due to; the economic value attached to it, knowledge constructed from it, protection of privacy, geopolitics and protection of business reputation.
On demonstrating the economic value of data, she gave an illustration of companies and data-aggregators capitalizing on individual data by selling to advertisement networks and marketers looking to target specific segments and influence buyer behavior. Constructed knowledge, she said, results from data integrated from different sources to build knowledge/ gather information about an individual or an organization. She added that data is currently used by politicians to influence political opinions and voting patterns and gave an illustration of the Cambridge Analytica scandal.
She also gave an overview of the Kenyan Data Protection Act which has many similar provisions to the GDPR, such as the principles of data protection captured in part 3 of the Act. She however raised concerns on the wide exemptions provided in the Act for law enforcement and other public bodies which may potentially be abused by such bodies.
Rosemary Koech enlightened lawyers on the opportunities that exist for them in light of Section 5 and 24 of the Act that establishes the office of the Data Protection Commissioner and Data Protection Officer respectively. She mentioned that lawyers should take advantage of such opportunities to spearhead protection of data.
She also explained what entails client personal data, and measures to be taken to manage such data. She mentioned, that among the measures that can be taken by lawyers to protect client data is, the designation of a Data Protection Officer as mentioned above. She concluded by listing offences of unlawful disclosure of personal data under the Act and the prescribed penalties.
This was then followed by a question and answer session where questions on; whether an organization can be a data controller and a data processor at the same time, whether organizations need certification to do Data Protection Impact Assessment Test, Whether the Act provides transitional clauses to aid compliance by data controllers and processors, were asked. With regards to the question on whether organizations can be data controllers and processors at the same time, it was answered in the affirmative that indeed organizations can be data controllers and processors at the same time. On whether that Act provides transitional clauses, it was clear that they lack in the Act and this evidenced a lacuna in the Act. It was clear that an organization registered as a data controller or data processor does not need certification to conduct an impact assessment test in accordance to section 31 of the Act.
In conclusion, CIPIT appreciates the
value attached to data and just like the rest of the world, acknowledges it as
the “new oil” of the economy and advocates for sound data protection practices
in Kenya. CIPIT has been creating public awareness on the right to privacy and
protection of personal data under the Data Protection Act as well as digital ID
and national census.
CIPIT will monitor implementation of the new Act and conduct training on data
protection practices. The center will also conduct research to inform policy
for effective protection of personal data.
 CIPIT series on the Principles of Data Protection. Section 25, Data Protection Act, 2019.
 Section 2, Data Protection Act, 2019
“personal data” means any information relating to an identified or identifiable natural person.
 Section 2, Data Protection Act, 2019
“sensitive personal data” means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.
Section 2, Data Protection Act, 2019
“data controller means a natural or legal person, legal authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
 Section 2, Data Protection Act, 2019
“data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
 Article 3 GDPR: Territorial Scope
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subject in the Union; or
- The monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
 Section 72, Data Protection Act, 2019.
 Section 73, Data Protection Act, 2019.
 CIPIT blog on the National Census