Kenya’s Data Protection Act: Safeguarding Privacy or Hindering Digital Innovation?

Editor's note: In this piece, Benedict Were, a seasoned communication professional, interrogates the complexities surrounding Kenya's Data Protection Act of 2019. Considering its implementation and unintended consequences, Benedict challenges us to rethink how privacy, transparency, and innovation coexist in a rapidly digitizing world. As Kenya navigates this critical policy frontier, it calls for a national conversation that balances protection with progress.

In an increasingly digital age, data has emerged as the new currency of power. Sometimes referred to as "the new oil," it is prized for its capacity to spur innovation, sway judgments, and mould societies.

Data Commissioner Immaculate Kassait issuing her remarks during a three-day training program for the Office of the Data Protection Commissioner staff. Photo: ODPC.
Source: UGC

Protecting personal information

By passing the Data Protection Act in 2019, Kenya moved closer to protecting personal information. Although it was enacted amid mixed reactions, we brought the country closer to compliance with international privacy laws. It has generated intense debate since its enactment and implementation, even as it was hailed as a long-overdue victory for individual rights and privacy. However, despite all the strides made, one key question hangs over the policy.

Has the bill met its goals, or has it unintentionally limited the digital space's innovation, accountability, and openness? The policy did more than just set moral boundaries; it also mandated informed consent as a prerequisite for data collection and introduced clear, enforceable protocols to govern how personal data is gathered, stored, and used.

Before this, data ecosystems were shaped by an unsettling norm in which indiscriminate data harvesting and corporate surveillance went unchecked and often without the knowledge or approval of the people whose data was being commodified. The Data Protection Act, therefore, came in at an opportune moment and broke this status quo, becoming a much-needed ethical compass in a space where profit had too often trumped principle.

In welcoming the implementation of the bill and the establishment of the Office of the Data Protection Commissioner (ODPC), an oversight body with absolute authority, we not only stamped authority on enforcing compliance but also set up an essential body to conduct public education, ensuring that individuals and institutions alike understand their rights and responsibilities under the law. Consequently, the policy also ensured that data protection moved from abstract policy to practical enforcement.

Since its enactment in 2019, the data controller's office has made considerable strides and has held over 20 companies and organisations accountable through warnings, compliance notices, and financial penalties. Notable sanctions include those imposed on WorldCoin, whose operations were suspended and which was fined, and a sweeping crackdown on digital lenders, several of whom were either fined or deregistered for non-compliance. These actions sent data handlers a chilling, clear message that rights are not optional and breaches will come at a cost.

The Data Protection Act boldly asserts public interest over private exploitation in an era where data is currency and privacy is power. This policy's continued enforcement and evolution will be critical in building a digital future rooted not in exploitation but in dignity and trust.

Despite these strides, the instrument designed to empower citizens now teeters on the edge of contradiction. A recent debate surrounding access to public interest information, especially in sectors such as health, finance, and governance, highlights a critical tension between privacy and transparency. Government institutions and private entities often cite the Act to withhold data, even when such data is essential for investigative journalism, academic research, or public accountability, which makes one wonder if the Act has unintentionally enabled opacity under the guise of privacy.

Navigating the digital economy

Furthermore, the Act's stringent requirements disproportionately burden startups and SMEs navigating the digital economy. The Act introduces huge compliance costs, ranging from hiring Data Protection Officers to conducting Data Protection Impact Assessments. Global organisations can easily absorb these costs, but for startups and SMEs they are often prohibitive. These local innovators may find themselves stifled by a regulatory framework meant to protect, not penalise, in the guise of protecting personal data. So, this leaves us wondering: is Kenya's data protection era inadvertently becoming a gatekeeper against its tech-driven growth?

Moreover, the question of enforcement poses more questions than answers. While the ODPC has issued fines and undertaken audits, enforcement remains uneven, with many institutions, especially in the public sector, continuing to flout the law without consequence. Some have found themselves facing hefty fines due to the breach of the policy. The result is a patchwork of compliance that undermines the law's credibility and creates a tawdry accountability system. One cannot but query the mechanisms put in place to ensure consistency, especially among state agencies that often hold the most sensitive data.

Enforcing this policy has improved our global standing in the digital economy when viewed from a geopolitical perspective. Additionally, the policy provides a framework in line with the EU's General Data Protection Regulation (GDPR), which, in theory, permits international collaborations and cross-border data transfers. However, our institutions are ready to uphold the reciprocity that these frameworks require, though this is still an open topic. Are we building robust systems capable of sustaining long-term data sovereignty, or merely importing frameworks without the capacity to implement them effectively?

Office of the Data Protection Commissioner staff during a three-day data protection training. Photo: ODPC.
Source: UGC

We are staring at a crossroads, and as a country, we must re-evaluate the practical realities of our data protection policy. Although the law is noble in its intentions, it must evolve in application, which calls for a nuanced approach that balances the right to privacy with the right to access information. Moreover, it should protect citizens without paralysing businesses, and its enforcement should be applied uniformly rather than selectively. Finally, we need a candid national conversation with our legal experts, technologists, civil society, and the general public on how we need this data policy to work for our society.

As we navigate the complexity of this new digitised landscape, we must acknowledge that data protection cannot serve as a shield for bureaucratic inertia, nor as a sword to cut down progress. We must hone the policy and wield it like a scalpel: precise, fair, and attuned to the realities of our time. This invites a disturbing question: not just whether the Data Protection Act stands as a legislative achievement, but whether we are ready to use it wisely and boldly. Importantly, do we have the courage to confront the unintended consequences of the policy before we quietly undermine the rights it was designed to protect?

The author is Benedict Were, a communication professional with over eight years of experience in strategic communication, policy analysis, and media engagement.

Views expressed in this article are solely those of the author and do not reflect the official position of TUKO.co.ke.

Proofreading by Asher Omondi, copy editor at TUKO.co.ke.

Source: TUKO.co.ke

Authors:
Linda Amiani (editorial assistant) Linda Amiani is a dedicated Multimedia Journalist and Editorial Assistant at Tuko.co.ke. With a solid background in broadcast journalism and over four years of experience, she has made significant contributions to the media industry through her writing, editing, and content creation.

Benedict Were (Communication Specialist) Benedict Were MPRSK is a communication professional with over 8 years of industry experience in handling strategic communication within organizations.