Kenya to go after foreign data privacy violators

Data Commissioner Immaculate Kassait delivering a speech at Vila Rosa Kempinski in Nairobi on November 19, 2024 during celebrations to mark 5 years of Kenya's Data Protection Act.

Photo credit: Evans Habil | Nation Media Group

Kenya is seeking the assistance of foreign governments to shut down apps that violate data privacy laws in Kenya.

Among those targeted are multinationals that operate in Kenya but store their data on servers in foreign countries beyond Kenya’s jurisdiction.

Data Protection Commissioner Immaculate Kassait said Kenya is seeking to enter into Mutual Legal Assistance (MLA) agreements with other countries on data protection.

This, she said, is to help enhance enforcement of actions against cross-border firms that have violated data protection laws in Kenya.

MLA refers to formal agreements between countries that allow them to cooperate on legal matters, particularly in the investigation and prosecution of crimes. Locally, these agreements are guided by the Mutual Legal Assistance Act, 2011.

The Act designates the Attorney-General and law enforcement agencies as facilitators of MLAs on various issues such as money laundering between Kenya and other countries.

These agreements are usually used to catch criminals across international borders. In the context of data protection, MLAs will help the Data Commissioner to go after international firms that are involved in breaches of customer data in Kenya.

“The MLA will assist in investigations when the data controller is based outside Kenya. We would demonstrate that the data controller has violated the local laws, thus (help) us bring down such apps that are in violation,” said Ms Kassait.

This comes at a time when the Data Commissioner has been increasingly fining companies for data protection violations. In September last year, for instance, the ODPC fined digital lender Mulla Pride Sh2.975 million for using information obtained from third parties to send threatening messages and calls to defaulters.

Casa Vera Lounge was fined Sh1.85 million for posting a reveler’s image without consent, while Roma School was penalised Sh4.55 million for posting minors’ pictures without parental consent.

“There are some companies that are involved in data breaches in Kenya and believe we cannot pursue them elsewhere,” she said.

Ms Kassait was speaking in Nairobi on November 20 during the commemoration of the fifth anniversary of the implementation of the Data Protection Act, 2019.

The Act was implemented in November 2019, leading to the appointment of Ms Kassait as the first Data Commissioner in November 2020.

The ODPC has so far registered 7,223 institutions that handle sensitive data of Kenyans.

The Data Commissioner says that since the office’s establishment, it has received 6,592 complaints from individuals and firms about data breaches, out of which 5,822 have been resolved while 770 are being processed.

Interestingly, the majority of cases involve Digital Credit Providers (DCPs), which are frequently reported to the Data Commissioner for breaches including harassment of loan defaulters. The other violators are financial institutions, telecommunications companies, individuals, insurance firms, microfinance institutions, hospitality firms, government institutions and other private sector players.

“ODPC continues to receive an increase in the number of informed complaints as more Kenyans are getting aware of their privacy rights,” said Ms Kassait.
