Data law sets Sh5m fine for breach of privacy

Act spells Sh5 million fine for person, agencies in breach of data privacy laws

In Summary
  • Those who give false or misleading information will also be liable for the penalties set in the Act
  • Law applies to foreign entities when handling data given by locals and state bodies
President Uhuru Kenyatta signs into law the Data Protection Bill, 2019, at State House, Nairobi, November 8, 2019
ASSENTE: President Uhuru Kenyatta signs into law the Data Protection Bill, 2019, at State House, Nairobi, November 8, 2019
Image: PSCU

Persons and organisations that use their client’s data without consent now face up to a Sh5 million fine or a two-year jail term.

This is among provisions in the Data Protection Act, 2019, signed by President Uhuru Kenyatta yesterday following approval by Parliament on Thursday.

National Assembly Speaker Justin Muturi presented the Bill for signature at State House Nairobi alongside Leader of Majority Aden Duale.


The law creates the office of Data Protection Commissioner – to be recruited by the Public Service Commission - tasked with ensuring the protection of personal data held by organisations.

The PSC will be expected do the interview and send three names to the President, who shall picks one and send to Parliament for approval.

Part of the provisions says that the Data Commissioner shall, in consultation with the PSC, appoint officers for proper and efficient discharge of the function of the office.

This means organisations that own, manage, and control data will have to register with the commissioner before being allowed to conduct any business with the information.

In the new dispensation, Kenyans will now have a say on the transfer of their data held by organisations – including to foreign entities.

It is therefore anticipated it would end instances where data, especially those held by telcos, have been used by organisations pitching their products or services.

MPs voted to make illegal such actions that have been deemed a nuisance to phone users, especially by politicians and corporate entities.


The new law also sets restrictions for transfer of personal data and introduces compulsory measures to be taken by organisations to ensure data privacy.

Data owners as well as entities – mostly third parties, namely lawyers, government agencies, and individuals who handle personal data - are covered by the new law.

The law also applies to foreign entities when handling data given by locals and state bodies.

Kenyans will also have more powers to access, as well as ask for amendments to their data held by state, including requests for deletion of misleading or editing incorrect data.

The law was crafted amid concerns the country lacks a comprehensive data protection mechanism in the face of the growth of digital economy.

And in what may be the first gains of the law, State House said the President signed the Bill after meeting with the Amazon Web Services executives.

The AWS team led by Vice President Teresa Carlson, a press release said, informed the President of a plan by e-commerce retailer Amazon’s plan to set up an ‘edge location’ in Nairobi, a point from which users access services located on Amazon Web Services.

“I am delighted to welcome AWS’s investment in Kenya. The launch of Amazon CloudFront will put us in the forefront of accelerated innovation - enabling startups, enterprises and our government agencies to focus on building the best user experience,” Uhuru said.

The new law however does not protect data meant for use by security agencies in efforts to maintain public order and national security.

Instances where disclosure is required by any written law are not exempt in the protections spelled by the new Act.

The protection does not also apply to data meant for publication of literary or artistic material and where publication of such information serves the public interest.

Kenyans will have a right to appeal at the High Court in the event they are dissatisfied with fines and penalties spelled by the Data commissioner.