Adequacy of Data Protection Regulation in Kenya
Date
2023-10
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
University of the Witwatersrand, Johannesburg
Abstract
Article 31 of the Kenyan Constitution provides for the right to privacy. The Kenyan Data Protection Act, 2019 gives effect to Article 31(c) and (d) of the Constitution. This study is about whether data protection regulation in Kenya would inspire any confidence in data subjects who enjoy protection of their right to privacy under Article 31 of the Constitution. Kenya, going with the global trend, in November 2019 enacted the Data Protection Act. Before the enactment, Kenya had debated data protection Bills for over a decade. But even with the enactment of the Data Protection Act, the question remains whether this was sufficient to guarantee the right to privacy and specifically data subject rights.
The main aim of this study is to determine the adequacy of data protection regulation in Kenya by responding to five questions: How has data protection evolved in Kenya? What framework should be used to determine the adequacy of data protection regulations? To what extent is the legal framework on state surveillance adequate? To what extent is the legal framework on commercial use of personal data adequate? How adequate are the available remedies in relation to data protection in Kenya?
To wit, no comprehensive academic discussion has explored the history of privacy and data protection in Kenya. This study fills this gap in the academic literature. It has established, through highlighting constitutional and statutory provisions, that the right to privacy in Kenya has been in existence since Kenya gained independence from colonial rule. Conversations during the clamour for constitutional reforms shaped the current text that provides for an individual right to privacy which has been the springboard for data protection rights to be introduced. There is no immediately obvious framework that would be ideal to determine the adequacy of data protection regulation in Kenya. In light of this gap, this study has presented a simple set of questions used in day-to-day legal practice to be used as the determination-of-adequacy framework. The questions, “who?”, “why?”, “what?”, “when?”, “where?”, and “how?” are iv posed on State surveillance, surveillance capitalism, and access to effective remedies. Responses to these questions are juxtaposed with provisions of the European Union’s General Data Protection Regulation and South Africa’s Protection of Personal Information Act. The responses reveal the level of adequacy of data protection regulation in Kenya. On adequacy in State surveillance, surveillance capitalism, and availability of effective remedies, the study has revealed that while there are provisions of the law that adequately regulate the three issues, there are gaps and ambiguities that must be addressed to raise the level of adequacy and inspire confidence in data subjects. For the gaps and ambiguities, this study recommends law reforms in the form of amendments to provisions of the Kenyan Data Protection Act, Data Protection (General) Regulations, Competition Act, National Intelligence Service Act, and the Data Protection ADR Framework. This study also recommends enactment of new law including an Artificial Intelligence Act, Data Protection (Statutory Database) Regulations, and Regulations on interception of communications under the Prevention of Terrorism Act and other enabling statutes.
Description
Thesis submitted in fulfillment of the requirements for the degree of Doctor of Philosophy (PhD) in the School of Law, University of the Witwatersrand, Johannesburg, South Africa, 2023
Keywords
Kenya, Data protection act, Adequacy, Privacy, POPIA, GDPR, Data principles, Surveillance capitalism, State surveillanc, UCTD
Citation
Laibuta, Antony Mugambi. (2023). Adequacy of Data Protection Regulation in Kenya [PhD thesis, University of the Witwatersrand, Johannesburg]. wIREdsPACE. https://hdl.handle.net/10539/38759