This year Kenya celebrates five years since the enactment of the Data Protection Act (DPA), including the establishment of the Office of the Data Protection Commissioner (ODPC), which is a comprehensive privacy and data protection framework for the country.
To reflect on this, KICTAnet, a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation, developed a Policy Brief to assess on Kenya’s progress, challenges and opportunities in its journey towards the implementation of the DPA, and also identify areas for enhancement and reform. The Brief was released at an Africa-wide Data Protection Conference being held in Nairobi.
Speaking during the release of the report, Victor Kapiyo of KICTAnet highlighted some of the positive achievements: “There is a strong policy and regulatory framework with laws, guidelines, regulations and guidelines accompanied by an active ODPC which has undertaken a wide range of measures to operationalize and enforce the Act. This has led to the willingness by other jurisdictions such as the European Union to offer Kenya equivalency status which can enhance trade, investment, cooperation and job opportunities.”
He also highlighted some challenges such as: “Threats to the independence of the ODPC due to limited funding, low staffing, legal structure, political interference, recommendations for a Board appointment, and the existence of competing data protection roles/responsibilities with other sector regulators.” He added that: “while it is important to enable responsible international data transfers to enhance trade and economic opportunities, there is pressure from other jurisdictions for alternative data protection regimes which could affect the sovereignty of ODPC and the effectiveness of the DPA in protecting personal data.”
The report provided a number of recommendations including:
- Parliament should strengthen the independence of the ODPC by amending the DPA to make the ODPC autonomous and separate it from the ICT Ministry, and increase the ODPCs budgetary allocation to enable it to effectively discharge its mandate across the country.
· The Government should formulate a comprehensive national data governance framework to holistically address complimentary data protection issues, including interoperability, data classification, and data security.
· ODPC should issue relevant guidelines, codes, and frameworks to fully operationalize the DPA, including publishing guidance for lawful data-sharing between state agencies, and adequacy rules to facilitate lawful cross-border data transfers; and ODPC should obtain equivalency status with other jurisdictions and collaborate with other government agencies to reap economic benefits.
· ODPC should intensify efforts to regulate and oversee the data processing operations of all data handlers, especially state entities, Big Tech, and the financial sector.
With the Network of African Data Protection Authorities holding their annual conference in Kenya, the report also made recommendations at an African-wide level to enhance regional integration and alignment that would better protect Africans’ data whilst enabling greater trade and opportunities from the Digital Economy.
