Kenya must implement data protection law before 2022 presidential election

A women casts her vote in the Kenyan general elections on March 4, 2013. Photo by Commonwealth Secretariat via Flickr, CC BY-NC 2.0.

This article is part of UPROAR, a Small Media initiative that is urging governments to address digital rights challenges at the Universal Periodic Review (UPR)

Last year, Kenya’s long-awaited Data Protection Act was finally assented and put into force.

The Act, whose comprehensive legislation borrows heavily from the European Union’s General Data Protection Regulation (GDPR), seeks to create an institutional framework and legal guidelines for processing personal data in Kenya and belonging to Kenyans.

It details the procedures that data controllers should follow to collect and process personal data — a move that now sets Kenya on par with 25 other African countries.

As the wheels of implementing the Act start to turn, the data protection commissioner — whose appointment is still pending — will have to speedily work to put the structures and systems in place to register data processors and data controllers and facilitate effective data regulation processing operations.

This could well become a rush against time as Kenya goes into another presidential election in August 2022.  If the Act is not in place before then, the use of big data could be used once again in the country’s upcoming election.

For two consecutive presidential election cycles, the now-defunct Cambridge Analytica helped hijack Kenya’s democracy through its digital interference in shaping public opinion.

Mobile social media and the tyranny of numbers

Out of a population of 53 million Kenyans, 98 percent own smartphones. According to statistics by  Data reportal, the number of mobile connections in Kenya in January 2020 stood at about 52 million. For a majority, the phone is the only device through which they use to access the internet — especially social media. Social media usage in Kenya has steadily risen over the years.  By January 2020, the figure stood at 8.8 million users — an increase of 13 percent from April 2019 with Facebook and WhatsApp.

In 2020, the numbers surged.  Between April and September alone,  mobile data subscriptions rose by 5 percent, according to Kenya’s Communications Authority.

Kenya has earned a reputation as one of Africa’s leaders in connectivity and has become the ideal country for running political campaigns on social media.

Roughly half of Kenya’s 19.6 million registered voters in the 2017 were millennials (ages 18-35) and first-time voters — the 2022 elections are not likely to be any different.

Fake news & Kenya’s political online showdowns

Kenya needs to get its act together on data protection laws fast, not just on paper, but on full implementation. Already, with only 20 months to go, East Africa’s leading news publication, The East African, has reported increasing misinformation as Kenya’s political battles go online.

Speaking to East Africa, Alphonce Shiundu, the Kenya country editor of the fact-checking organization Africa Check, said that current online political wars mirror the toxic messaging attributed to the disgraced British consulting firm Cambridge Analytica during the 2017 election.

During that year's campaign, Kenya's incumbent Jubilee party hired the company to use big data, behavioral micro-targeting and misinformation to pursue victory for incumbent president Uhuru Kenyatta.

This is the deep end that the incoming  data commissioner (DC) will be thrown into and expected not only to swim — but to build a data fortress that will prevent political parties from using data to manipulate their electorate or worse still — incite ethnic tension and violence.

At the basic level, the new office of the DC will become the place where Kenyans go to file complaints on the misuse of personal data not just by commercial businesses but increasingly by political figures.

Kenya ranks in the top three for countries where users receive the most spam texts across the world, data from Truecaller, the Stockholm-based caller identification app, shows.

Kenya’s largest telecommunications company, Safaricom, has, on several occasions, come under fire on Twitter from its customers including a 2019 lawsuit by one of their customers for failing to protect their personal details collected through its popular mobile money service, Mpesa after it was revealed that data from 11.5 million Safaricom customers had leaked and ended up on the black market

A 2018 research study by Myriad Connect, mobile USSD technology specialists, found that over 70 percent of Kenyans have been the victims of digital financial transaction fraud, or know someone who has, with the majority being via phone calls at 73 percent,  followed by SMS at 57 percent.

Kenyan lawyer Ahmednasir Abdullahi tweeted his intention to start a class action lawsuit against Safaricom in September last year for these violations: 

Funding, self-regulation and enforcement

According to Mugambi Laibuta, a Kenyan advocate of the High Court of Kenya, the DC appointment will become the start of a long and complicated journey in enforcing data protection and guaranteeing the right to privacy for Kenyans, one that is already riddled with issues such as funding, resourcing and enforcement mechanisms.

Laibuta’s opinion, shared via his podcast episode, “How Important is the Data Protection Commissioner?” is that a lack of advanced funding for these government entities will pose a challenge. This will further impede the DC office’s efforts to acquire resources — especially personnel such as data analysts and legal experts — to help carry out its functions.

Laibuta also foresees challenges around enforcement mechanisms such as the data controllers’ registration and self-regulation. All data controllers and data processors are required by the Act to be registered with the commissioner.

The DC is then required to prescribe thresholds for mandatory registration and consider the nature of the entity — whether the same rules will apply to private corporate SME (small and micro-enterprises), government and other public institutions and nongovernmental organizations. Until such thresholds are prescribed, mandatory registration, Laibuta opines, does not come into play.

Laibuta wonders how the commissioner, in consultation with Ministry of ICT Cabinet Secretary Joseph Mucheru, will set these thresholds, placing a heavy burden on both roles to come up with fair solutions. Telecommunications companies, banks and learning institutions are likely to comply, but Laibuta wonders about SMEs’ mechanisms for self-regulation.

This continues to be a challenge even for global data protection authorities who continue to face heat over sanctions issued for GDPR violations.

It will also be interesting to see how the DC will handle issues as to how public bodies process and store data. Already, there have been growing concerns and allegations on data leaks from government bodies.

A Global Voices article last year captured reactions from Kenyans online on the ascension of the Data Protection Act, including some concerns by critics who found the timing suspect due to an ongoing government exercise to consolidate all citizens’ databases under a National Integrated Identity Management System (NIIMS).

Although Section 51 of the Data Protection Act creates exemptions for public bodies on matters that are tough on national security, Laibuta hopes that the DC will provide clear guiding principles for public bodies in the public interest as privacy still reigns supreme.

Kenya’s data protection law was long overdue. The 2022 election campaigning has already begun. If not prepared, the ghosts of Kenya’s political past may once again come back to haunt its citizens.

Start the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.