Nairobi News


It’s 10 years in jail or Sh3M fine for misuse of other people’s data

President Uhuru Kenyatta on Friday assented to the Data Protection Bill, 2019, officially making it law.

Once operationalised, one risks spending 10 years behind bars or a fine of Sh3 million, or both, for misusing or abusing other people’s personal data.

Kenyans now will have the right to know how their information is handled and also have the right to ask for the deletion or editing of incorrect data.

The law will regulate the processing of personal data and information. The handling of that information will be bound to the principles of data protection that ape those provided by European Union’s General Data Protection Regulation (EU GDPR). Illegal processing of personal data will effectively be punishable.

The new law will also see the setting up of the office of a Data Protection Commissioner. Currently, such an institution does not exist.


It will also cover people who own and control data, as well as third parties that manage, store, and sort personal data.

Furthermore, it applies to natural or legal persons, agencies and public authorities. Local and global organisations will be guided by the law provided they process data belonging to locals.

Organisations, including the likes of Safaricom, have since faulted the state for failing to provide a reliable data protection framework for shaping ICT policies in the country.

The same sentiments have also been echoed by friends of the industry and people in a country that has been seeing the proliferation of ICTs that require a legal system to be run without data abuses.


The State made vital strides in pursuing the Bill. It was then given the go-ahead by the ICT CS Joe Mucheru.

However, issues arose in July 2019 because the Bills were duplicated in the Senate and Parliament. The harmonisation exercise directed the use of National Assembly’s version to hasten the approval exercise.

Once operationalised, organisations that own, manage, or control data must register their business at the Data Protection Commissioner (DPC).

In the case of the ability to move data among different, also referred to as data portability, Kenyans now have the right to acknowledge or reject their data being transferred to another service.

This will come in handy for mobile subscribers.