Kenya has promulgated a Data Protection Act
The Data Protection Bill, which has been a subject of discussion for years, was passed into law on 8 November 2019 when the president assented to it. The Data Protection Bill 2019 follows the path taken by the European Union in enacting the General Data Protection Regulation (GDPR) in May 2018, and makes Kenya the third country in East Africa to have legislation dedicated to data protection.

This law was expedited following concerns raised over the Huduma Namba registration exercise, with those
opposed to the process raising concern about the safety of citizens’ personal data collected by the

Purpose of the Act
The Act seeks to:

Data Protection Principles
The Act requires Data Controllers and Processors to process data lawfully and to minimise collection of data; it restricts further processing of data; and it requires data controllers and processors to ensure data quality and to establish and maintain security safeguards to protect personal data.

Registration of Data Controllers and Processors
The Act requires that any person who acts as a data controller or data processor must be registered with the Data Commissioner. Therefore, once the office of the Data Commissioner is established, organisations meeting the definition of a controller or processor will need to register as such, and renew their registration every 3 years.

Transfer of Personal Data Outside Kenya

The processing of personal data is exempt from the provisions of the Data Protection Act if—

  1. exemption is necessary for national security or public order;
  2. disclosure is required by or under any written law or by an order of the court, e.g. Anti-Money Laundering (AML) laws;
  3. the prevention or detection of crime e.g. AML/CFT laws;
  4. the apprehension or prosecution of an offender; or
  5. the assessment or collection of a tax or duty or an imposition of a similar nature