Kenya had the opportunity to take notes while observing the western countries grapple with issues on data protection, but that did not happen.

Kenya, like most African countries, borrows a lot from western countries when it comes to taking steps to legislate on “new” areas of law.

However, even when it has the opportunity to implement useful research and development (R&D) practices and procedures, it fails terribly and merely adopts the copy-and-paste principle, which is quite fast.

That approach, however, lacks a sense of direction because there is no R&D. While the writing of the Data Protection Act No 24 of 2019 (DPA) has the taste of the United Kingdom’s Data Protection Act, 2018 and 1998, there are other elements from other legislation.

On April 27, 2016, when the European Union (EU) was approving the famous General Data Protection Rules 2016/679/EU (GDPR), it shared a firm conclusion about the Directive through its Official Journal of the European Union.

It stated, of Directive 95/46/EC (the Directive), that the “objectives and principles of the Directive remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity.”

The EU concluded that there was a need to advance the issue on data protection. As a result, the Directive had to be repealed in favour of the GDPR.

European Commission Decision 2000/520/EC, which was birthed as a result of the Directive (both now repealed), influenced critical provisions under the DPA in letter and spirit.

Therefore, like the Commission Decision 2000/520/EC, the DPA provides that data controllers and data processors can self-regulate.

The idea of self-regulating provided a loophole for data controllers and data processors in the US to have their Government engage the EU on diplomatic terms, which the US did through its Department of Commerce (DoC).

These diplomatic discussions resulted in Commission Decision 2000/520/EC, popularly known as the Safe Harbour Regulations, taking effect.

The Safe Harbour Regulations operated for at least a decade before questions were raised about their legality and whether they were superior or inferior to the Directive. It turned out that US-based entities were infringing the data protection laws meant to protect citizens of EU Member States.

The EU was not aware of the breach until whistleblower Edward Snowden raised issues on US-based entities' mass surveillance and data breach activities on the EU.

These data breaches were primarily possible because the foreign entities were self-regulating, which is the same piece of cake offered by Kenya to the world.

Ombo Malumbe, Nairobi