This document has been developed to provide a review of the regulatory framework for data protection in Kenya. The report takes a broad view of what constitutes the regulatory framework, going beyond the Data Protection Act, 2019 (DAPA) to include the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA).
The inclusion of GDPR and CCPA in the analysis stems from their coverage and applicability. GDPR applies to the processing of personal data of individuals who are residents of the European Economic Area (EEA) regardless of their location. Likewise, the CCPA applies to California’s residents (natural persons) even if they are temporarily outside of the state.
Consequently, GDPR and CCPA will apply to firms based in Kenya that process the personal data of EEA and California residents respectively. As such, the objective of this review is to provide guidance to firms on the impact of DAPA and the extent to which both GDPR and CCPA apply to their businesses and operations. The document provides a detailed regulatory assessment of DAPA against the various articles and recitals in both the GDPR and the CCPA.
This comparison identifies some of the challenges that fintechs and other firms might face during implementation. However, it is not just about identifying the potential challenges. The document goes further to provide policy recommendations to strengthen the regulatory framework and enhance market function. In the analysis of DAPA and its comparison with the GDPR and the CCPA, there are a few issues that either remain open to interpretation or are in need of further clarification.
Such areas are highlighted in the document and additional insights on how other jurisdictions have addressed them are provided.
Data Privacy and Protection in Kenya: A Regulatory Review