Kenya's Data Protection Act Explained: Rights, Obligations, and Penalties

Personal data is more of a commodity in today's digital age than ever. The Data Protection Act 2019 of Kenya controls the processing of personal data, protects the rights conferred on persons concerning their data, and regulates data transfer to third countries. This paper summarizes the key provisions of the Act affecting individuals and organizations.

Scope and Definitions

The DPA applies to the processing of personal data by controllers or processors established in Kenya, and to controllers or processors outside Kenya who process the personal data of data subjects located in Kenya. Key definitions include:

  • Section 2: "Personal data" is any information about an identified or identifiable natural person.
  • Section 2: "Data controller" means a person who, alone, jointly, or in common with others, determines the purpose and means of processing personal data.
  • Section 2: "Data processor" refers to the individual who processes personal data on behalf of the data controller.

Protection of Personal Data Principles

Section 25 sets out the principles that govern every processing of personal data. Personal data shall be:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, explicit, and legitimate purposes.
  • Adequate, relevant, and limited to what is necessary.
  • Accurate and kept up to date.
  • Kept for no longer than necessary for the purposes.
  • Processed securely to maintain integrity and confidentiality.

Rights of Data Subjects

The DPA grants a number of rights to the data subjects over their data:

  • Section 26: Right to be informed of the uses to which their data is put.
  • Section 27: Right of access to their data held by controllers.
  • Section 28: Right to object to processing under certain grounds.
  • Section 31: Right to correction of inaccurate data.
  • Section 33: Right to erasure under certain grounds.
  • Section 38: Right to data portability.

It further provides that data controllers shall respond to requests to exercise these rights within certain timelines.

Obligations of Data Controllers and Processors

The DPA imposes various obligations on data controllers and processors. Section 41 requires registration with the Data Commissioner, Section 41(2) requires data controllers and processors to conduct data protection impact assessments for high-risk processing, and Section 43 requires notification of data breaches to the Data Commissioner within 72 hours.

  • Section 44: Controllers and processors engaged in large-scale processing must appoint a data protection officer.
  • Section 46: Transfers of personal data to third countries or international organizations are permitted only where the recipient country offers safeguards comparable to those of the Act.

Enforcement and Sanctions

The DPA establishes an Office of the Data Protection Commissioner to supervise and enforce compliance.

  • Section 5: Powers of the Data Commissioner to issue orders, conduct investigations, and impose penalties.
  • Section 62: Unlawful disclosure of personal data is an offense punishable by fines up to KES 3 million or imprisonment up to 10 years.
  • Section 63: Offenses by corporations are punishable with fines of up to KES 5 million, or 1% of the annual turnover, whichever is the lower.

Recent Developments

Since the DPA came into effect in 2021, several developments have taken place:

  • The Office of the Data Protection Commissioner was established, and enforcement actions commenced.
  • Gazettement of regulations on registration of data controllers and processors.
  • Draft guidance on Data Protection Impact Assessments published for public consultation.
  • A code of conduct for the digital credit industry, which makes extensive use of personal data, is under development.

One of the first enforcement actions under the DPA came in 2022, when the Data Commissioner ordered Oppo Kenya to pay a fine of KES 5 million for processing personal data without prior consent. The action signalled clearly that the Commissioner intends to enforce the Act.

Conclusion

Kenya's Data Protection Act 2019 is a major step toward protecting privacy rights in the digital age. The Act grants individuals wide-ranging rights over their data. At the same time, it imposes a burdensome regime of requirements and sanctions on the controllers and processors of that data. Individuals therefore need to know their data protection rights and exercise them in order to remain in control of their personal information.

For their part, organizations must comply with the Act's principles, registration requirements, security safeguards, and cross-border transfer restrictions to avoid penalties and reputational damage. With growing awareness of data protection and increasing enforcement action, the DPA will go a long way in shaping data processing practices. A controller's or processor's ability to treat data protection as a corporate value and a competitive advantage, rather than as just another compliance burden, will be an important factor in succeeding in Kenya's new data protection landscape.

Wanzau Kyalo