In April 2021, the office of the Kenyan Data Commissioner issued draft guidelines which were subjected to public participation before their adoption. These are:
- The Data Protection(Compliance & Enforcement) Regulation, 2021;
- Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021; and
- The Data Protection (General) Regulations, 2021.
Our firm was one of the two firms requested to submit its thoughts and comments on the draft regulations. Below are our thoughts and comments on the draft on Registration of Data Controllers and Data Processors Regulations, 2021 (The Dc/Dp Registration Regulations) Regulations 2021 highlighting areas of concern and our recommendation to the Office of the Data Protection Commissioner to ensure not only a legally sound regulation but also one that would practically enable business in a world of data privacy.
|Area of Concern||Recommendation by|
|Section 6 Registration by public body||This Section exempts State Corporations and County Corporations from registering as data controllers or processors. There needs to be alignment of these entities with the parent statute to better narrow down the description of what a state or county corporation is. |
The State Corporations Act Cap 446 for instance exempts certain state corporations from being state corporations with regards to complying with certain provisions of the State Corporations Act thus leaving its identity under this Section very vague.
|Section 9 (2) –(3) Display of certificate of registration||These Sections require the data controller or processor to display such other information as the Data Commissioner may require from time to time else an administrative fine may be imposed for breach. The DC/DP Registration Regulations does not attempt to specifically provide what type of this “such other information” may include. It does not inform the data controller or processor how the Data Commissioner will notify them and how long they have to comply to be found in breach that warrants a punitive penalty.|
|Section 10 Renewal of Registration||Section 10 places an obligation on the data controller or processor to renew registration 30 days before the expiration of the certificate of registration. In the same 30 days window period after application, the Data Commissioner is supposed to issue a renewed certificate. |
Further to this, if there are new categories the Data Commissioner is supposed to undertake a verification process as initially provided. Further below in Section 11 (1), the Data Commissioner can reject applications in 21 days leaving the application with only 9 days to resubmit.
These timelines cut too close to the expiry of a previously held certificate, and this may negatively grind some businesses to halt if they cannot operate without a valid license. There is need to allow for more time or an earlier application period to facilitate this exchange.
|Section 11(2) Refusal of Registration of Renewal||The Data Commissioner may refuse to grant an application for registration or renewal where the (b) appropriate safeguards for the protection of the privacy of the data subject have not been provided by the data controller or processor. |
What are these appropriate safeguards that the data commissioner will consider at a minimum and will they be the same for all applicants? This cannot be left to a discretion if the consequent effect is to deny a certificate to operate. They are not listed in the Act and are but listed as examples in the schedule to this regulation hence leaving it up to any interpretation.
|Section 16 Regulatory Fees||The Data Commissioner may charge a fee for (a) approval of Data Impact Assessment provided under Section 31 of the Act. The Act in Section 31 only refers to consulting the Data Commissioner for purposes of carrying out the audit and also for the applicant to submit their report. It makes no provisions for any approvals per se but allows the Data Commissioner to make further guidelines. The Data Protection General Regulations in their draft format also do not provide for approvals or fees. If anything it allows for the applicant to continue with their processing activities if there is no communication within 60 days; the submitted report ought to be considered approved.|
|Section 18 Replacement of certificate registration||Section 18 (4) states that the Data Commissioner may require a data controller to provide additional documents of information before issuing a replacement certificate of registration. We recommend that this request for further documents/information be limited to the documents/information that were initially asked for and not new information that may prejudice the application for replacement.|
|Third Schedule Thresholds for mandatory registration||The list of mandatory data controllers and processors who shall register under the DC/DP Registration Regulations under list number 13 is provision of financial services. In the current fin-tech ecosystem we are in there are those who are regulated and licensed to provide financial services under the various acts e.g. Banking Act. There are other players who provide similar services but cannot be legally defined to be providing the same as they are unregulated. They actually operate outside this legal definition and they may look to also be recognized as such for purposes of this regulation. Consider a wider definition.|