Gaps and grey areas: navigating data protection compliance in Kenya

Kenya’s data protection laws grant data subjects the right to access and request various particulars of their data held by controllers or processors. Daniel Mwathe and Ibrahim Godofa of Bowmans’ Nairobi office discuss the regime’s gaps and grey areas

OPINION

Kenya’s Data Protection Act, 2019 (DPA) grants data subjects the right to access their personal data that is held by a data controller or data processor.

In this regard, the Data Protection (General) Regulations, 2021 (General Regulations) provide a wide scope of the particulars that may be requested under a Data Subject Access Request (DSAR), including confirmation as to whether personal data concerning the data subject is being processed, the purposes of such processing, the categories of personal data concerned, the recipients of disclosure, the envisaged period of storage, and the source of collection.

Once this request is received by a data controller or a data processor, the General Regulations require compliance with the request, including providing the data subject(s) in question with a copy of their personal data, free of charge.

Both the DPA and the General Regulations are, however, either silent or not sufficiently clear about certain matters regarding the nature and manner of compliance with DSARs. We highlight a few of these matters below:

Lack of exemptions: The legal requirement to comply with DSARs, as contained in the DPA and the General Regulations, is an absolute one. Whereas the General Regulations provide grounds upon which a data handler may decline to comply with the other data subject rights, they are silent with respect to DSARs.

As such, the absolute nature of this requirement fails to consider potentially frivolous DSARs as well as DSARs that are overly general in nature and that may, as a result, require disproportionate compliance efforts on the part of data controllers and data processors. In contrast, the European Union’s General Data Protection Regulation, 2016 (GDPR) permits restrictions on the right of access to personal data where necessary for the prevention, investigation and prosecution of criminal offenses or to prevent breaches of ethics for regulated professions.

DSAR as abuse/circumvention of other legal processes: DSARs may in certain instances be used by data subjects to circumvent other legal processes. This may, for example, be the case where a data subject who is engaged in active litigation with a data handler seeks to circumvent, for whatever reasons, existing processes for obtaining information in an ongoing litigation by framing the same as a DSAR. Both the DPA and the General Regulations fail to provide guidance to data handlers on how to handle DSARs within such contexts.

Responsibilities of data processors: Data processors process personal data on behalf of data controllers, and as such, usually escalate requests such as DSARs to data controllers, who ideally bear the primary responsibilities for compliance. The DPA, however, appears to place the obligation to comply with DSARs equally on both data controllers and data processors, as opposed to, for example, requiring data processors to escalate DSARs to their controllers.

Timelines for compliance: The General Regulations require controllers or processors to comply with DSARs within seven days of receiving them. Aside from the fact that the seven-day period is a fairly tight window, especially for bulky requests, there is currently no clarity on what constitutes compliance within the seven-day window. As a point of reference, the GDPR allows data controllers holding large volumes of a data subject’s personal data to request that the data subject specify the information to which the DSAR relates before the information is provided.

Conclusion

Despite the existing grey areas surrounding compliance with DSARs, compliance requirements remain a legal obligation, contravention of which will likely attract enforcement action. 

To mitigate this risk, data handlers should implement several key measures, including clearly delineating the responsibilities of controllers and processors in their data processing agreements, verifying the identity of requesters prior to disclosure, establishing a formal DSAR policy, and maintaining comprehensive records (including of the request, decisions made, related correspondence, data disclosed, and timelines) to ensure demonstrable accountability.

While the DPA and the General Regulations provide an important foundational framework for data subject rights in Kenya, legislative amendments are necessary to address the notable interpretative and enforcement gaps discussed above. 

We recommend that data handlers promptly liaise with their legal advisors upon receipt of DSARs to not only meet the statutory timelines but to also devise a strategy aimed at achieving full compliance.

Daniel Mwathe is a partner in Bowmans’ Nairobi office, who specializes in IP, technology, privacy, regulatory & compliance, and more. Ibrahim Godofa is an associate in the Nairobi office with experience in a wide range of technology, media & telecommunications matters; data protection and privacy assignments, etc.