Navigating East Africa’s Data Protection Framework: A Guide for Investors in Kenya, Uganda and Tanzania

Kenya: A Comprehensive Approach to Data Protection
Kenya’s Constitution ensures every citizen’s right to privacy. This encompasses the protection of personal information and communications from unauthorised access or exposure. The Kenyan Data Protection Act, 2019 (DPA) further solidifies this right by laying out explicit rules on handling personal data. Kenya’s data protection framework is primarily governed by the DPA), a comprehensive law that sets out the rules for collecting, processing, and storing personal data. The DPA shares several similarities with the GDPR, emphasising accountability, data minimisation, and transparency.

Key Aspects of the Kenya Data Protection Act

• Core Principles: The DPA emphasises purpose limitation, data minimisation, accuracy, transparency, and accountability. Data controllers and processors must collect data for specific, legitimate purposes and ensure it is accurate and up to date.
• Rights of Data Subjects: Individuals have the right to access, rectify, and request the erasure of their personal data. Data controllers must accommodate these rights.
• Registration Requirement: Data controllers and processors must register with the Office of the Data Protection Commissioner (ODPC) unless exempt. Registration is valid for 24 months and can be renewed.
• Role of the ODPC: The ODPC enforces compliance, conducts investigations, and imposes fines for non-compliance. Penalties can be up to KES 5,000,000 (approximately USD 37,879) or 1% of annual turnover, whichever is lower.
• Breach notifications: The DPA requires data controllers to notify the Data Protection Commissioner without delay, within 72 hours of becoming aware of a data breach. Data processors must inform the data controller within 48 hours.
• Cross-Border Data Transfers: If a data processor or data controller plans to transfer personal data outside Kenya, they must ensure appropriate safeguards, such as obtaining approval from the ODPC for transferring civil registration data.
• The DPA mandates specific requirements for cross-border data transfers, including written approval from the ODPC for civil registration data.

Data Protection Officers and Data Protection Impact Assessments
The DPA defines “processing” to include a range of activities, from collection to erasure. Data controllers and processors must register and follow strict guidelines when processing personal data. The DPA also mandates Data Protection Impact Assessments (DPIAs) for activities that pose a high risk to individual rights. DPIAs must be submitted to the ODPC 60 days before starting a high-risk processing activity.

The DPA allows data controllers and processors to appoint a Data Protection Officers (DPO), but this is not a strict legal requirement. Appointing a DPO is considered good practice for organisations handling personal data. The DPO is responsible for ensuring that data controllers and processors comply with data protection laws, implement appropriate security measures, and maintain the integrity of personal data. A DPO can be a member of staff with other roles in the organisation, indicating flexibility in the appointment process.

Cross-Border Data Transfers and Challenges
Transferring personal data outside Kenya requires additional safeguards, including consent from data subjects for transfer of sensitive personal data and approval from the ODPC for civil registration data. Despite the comprehensive framework, challenges remain, such as building capacity for compliance and addressing gaps in enforcement against foreign entities.

Tanzania: A Regulatory Framework for Personal Data Protection
Tanzania’s data protection framework is derived from its Constitution and the Tanzanian Personal Data Protection Act, 2022 (PDPA), supported by the Data Protection and Privacy Regulations, 2021 (the DPP Regulations).

Key Aspects of the Personal Data Protection Act

• Core Principles: The PDPA emphasises similar principles to those in the GDPR, including purpose limitation, data minimisation, and accountability. Data controllers and processors must ensure data accuracy, fairness, and transparency.
• Registration Requirement: Data controllers and processors must register with the Personal Data Protection Commission (PDPC), regardless of whether they are based in Tanzania. Registration is valid for five years.
• Role of the PDPC: The PDPC oversees enforcement, conducts investigations, and has the authority to take action against violations of the PDPA. It can impose fines and other penalties for non-compliance.

Data Protection Officers and Data Privacy Impact Assessments
The PDPA requires data controllers and processors to appoint a DPO to oversee compliance with the Act where an organisation’s processing operations require regular and systematic monitoring of data subjects on a large scale or where the organisation’s core activities involve the processing of sensitive personal data. The DPO ensures that appropriate technical and organisational measures are in place to safeguard personal data. The PDPA mandates DPIAs when processing operations are likely to pose a high risk to data subjects’ rights and freedoms.

Cross-Border Data Transfers and Challenges
To comply with Tanzania’s requirements before transferring data across borders, organisations need to follow the procedures outlined by the PDPA and the DPP Regulations.

Organisations should identify whether their intended data transfer involves personal data or sensitive personal data. Additionally, they should determine whether the recipient country provides adequate data protection measures equivalent to those required by the PDPA.

Organisations must ensure also that the receiving country has adequate data protection safeguards in place. These safeguards must meet or exceed the level of protection required by the PDPA. If the receiving country does not meet this requirement, additional measures may be needed to ensure the security and privacy of the data.

If the receiving country lacks adequate data protection measures, organisations may need to obtain explicit consent from the data subject(s) before transferring personal data. It is essential that the data subjects are fully informed of the risks and purpose of the transfer.

For cross-border transfers, organisations must apply to the PDPC for a permit to transfer personal data. Applications must include the following details in the application:

• The applicant’s and recipient’s particulars.
• The data subject’s information.
• The type of personal data to be transferred.
• The purpose and necessity of the transfer.
• Details of security measures in the recipient country.
• Consent from the data subject(s), if applicable.

To support the application, organisations must also provide proof that the receiving country has adequate data protection measures. This could include:

• An international agreement on personal data protection that the receiving country has ratified.
• An agreement between Tanzania and the receiving country.
• A contractual agreement between the parties involved in the data transfer.

Exceptions for Cross-Border Transfers to Countries without Adequate Safeguards

• The PDPA provides for exceptions to the transfer of personal data to countries without adequate protection. These exceptions include:

1. Data subject consent.
2. Contract performance.
3. Safeguarding public interest.
4. Legal claims.
5. Protecting the data subject’s legitimate interests.

The PDPC reviews the application within 14 days of receipt. They may accept or reject the application based on the information provided and their assessment of data protection safeguards. If accepted, the PDPC will issue a permit for the transfer, which may include certain conditions such as:

• Transferring personal data only to the authorised recipient.
• Ensuring the data is processed solely for the intended purpose.
• Not disclosing or transferring data to another recipient without PDPC approval.
• Ensuring the transfer complies with the laws of the receiving country.

If the PDPC rejects the application, the organisation will receive written notification with the reasons for rejection. Common reasons for rejection include inadequate data protection in the receiving country, risks to national security, or failure to meet the DPP Regulations’ requirements. Organisations should address these issues before reapplying.

Challenges include jurisdictional clarity, where there’s debate about whether cases should be brought before the PDPC or the High Court of Tanzania.

Uganda: Protecting Privacy and Personal Data
Uganda’s data protection laws are rooted in its Constitution and governed by the Ugandan Data Protection and Privacy Act, 2019 (DPPA) and the Data Protection and Privacy Regulations, 2021 (DPP Regulations).

Key Aspects of the Data Protection and Privacy Act

• Core Principles: The DPPA emphasises accountability, fairness, data minimisation, and transparency. It regulates data controllers and processors and establishes the Personal Data Protection Office (PDPO) under the National Information Technology Authority – Uganda (NITA-U).
• Registration Requirement: Every person, institution, or public body collecting or processing personal data must register with the PDPO. Registration is required even for entities outside Uganda if they process or hold personal data of Ugandan citizens.
• Role of the PDPO: The PDPO is responsible for overseeing the enforcement of the DPPA, promoting data protection, and investigating complaints. It can issue fines and pursue legal action against violations of data protection laws.
• Risk mitigation obligations: The DPPA requires data controllers to adopt reasonable measures to secure personal data from loss, damage, unauthorised destruction, or unlawful access. This includes identifying and mitigating foreseeable risks. The DPPA specifies that data processors and controllers should regularly verify the effectiveness of safeguards and update them as needed.
• Penalties for Non-Compliance: The DPPA specifies fines and imprisonment for certain offences. Penalties for unlawful activities, such as obtaining, disclosing, or destroying personal data, can lead to fines up to UGX4,800,000 (approximately USD 1,261) or imprisonment for 10 years, or both. Additional penalties are outlined for selling or offering for sale personal data, with fines up to UGX 4,900,000 (approximately USD 1,287) or imprisonment for 10 years. Additionally, corporations that breach a data subject’s rights and fail to remedy the breach may be required to pay a fine up to 2% of the corporation’s annual gross turnover.

Data Protection Officers and Security Measures
The DPPA makes it mandatory for institutions to appoint a Data Protection Officer (DPO). The DPO must ensure compliance with the DPPA’s data protection requirements, implementing appropriate measures to prevent unauthorised access, loss, or damage to personal data. The DPP Regulations makes it mandatory to conduct DPIAs where the collection or processing of personal data poses a high risk to the rights and freedoms of natural persons.

Cross-Border Data Transfers and Penalties
For data processors or controllers based in Uganda who process or store personal data outside the country, the DPPA imposes additional requirements. Data transfers are allowed if the receiving country has equivalent or greater protection, or if the data subject consents. In addition to the receiving country having equivalent or greater protection, that country must be included in a list of countries considered to have equivalent or greater protection. This list is yet to be gazetted by the PDPO.  The PDPO can impose fines or imprisonment for non-compliance, with penalties for offences such as unlawfully obtaining or disclosing personal data.

Navigating East Africa’s Data Protection Landscape
Compliance with data protection laws in Kenya, Uganda, and Tanzania is essential for investors in East Africa. Legal teams should focus on understanding each country’s unique requirements, and ensuring proper registrations are made in each. Cross-border data transfers require careful consideration of compliance with each jurisdiction’s regulations.

By adhering to the principles and requirements outlined in each country’s data protection framework, foreign investors can mitigate risks and foster a culture of responsible data handling in the region. Legal teams should remain informed about updates to these laws and engage with the respective regulatory authorities to ensure ongoing compliance and business success in East Africa.

---

Should you have any questions regarding this alert do not hesitate to contact Sonal Tejpar or Wangui Kaniaru.

________________

Contributors
1. Caleb Weisiko – Trainee Lawyer
2. Lenhard Kyamba – Trainee Lawyer