Effectiveness of Domestic Data Protection Laws in African Countries-a Case Study of the Data Protection Law in Kenya

Abstract

This study sought to evaluate the effectiveness of domestic data protection laws in African countries, with a particular concentration on the recently gazetted Data Protection Law in Kenya, typically referred to as the Kenya Data Protection Act, 2019. The study aimed at achieving three specific objectives namely, establishing whether the domestic data protection law in Kenya was enforceable, to evaluate whether the domestic data protection law in Kenya conformed to international standards and to explore techniques that could be employed to strengthen the domestic data protection law in Kenya. The study was explanatory in nature because effectiveness of domestic data protection laws in African countries and particularly in Kenya, is still a new concept and has not been adequately explained by previous studies that the researcher was able to evaluate. The researcher settled on Nairobi County as the study area, specifically narrowing down the study area to the Nairobi Central Business District, which was home to the key target population that included policy makers, Internet Service Providers (ISPs) and internet users, as at the time the study was being carried out. Basically, the sample size was made up of Members of the National ICT Steering Committee, Members of the top ten ICT companies in Nairobi, members of the main internet distributors in Nairobi, and the Ministry of ICT in Nairobi County. A structured questionnaire with a mix of open-ended questions as well as closed ended questions was used and complemented by an interview guide. For the purpose of data analysis, the study employed descriptive as well as inferential statistics. Based on findings from the study, it was evident that Kenya's domestic data protection legislation is enforceable and can be properly implemented if a significant number of Kenyans are educated on best practices to be adhered to when handling personal data, including data processing and data protection, and if all relevant stakeholders were actively involved in the process of developing a roadmap for implementation of these laws. The study also found that Kenya's domestic data protection law, that was enacted in 2019 is largely influenced by the General Data Protection Regulation (GDPR) that was adopted by member states of the European Union (EU) in 2016 and currently stands as the gold standard in data protection regulations. The results also show that the Kenya Data Protection Act of 2019, is a thorough data protection law that safeguards individuals' personal data. The researcher was also able to establish that the African Union (AU) Convention on Cyber Security and Personal Data Protection, a treaty developed by member states of the AU to facilitate a unified approach to addressing cyber security and data protection for African states, has only been ratified by a very small number of African nations (seven as at the time of this study), with Kenya among the 48 countries in the AU yet to ratify the treaty. The researcher therefore came to the conclusion that data protection cannot be the responsibility of a single sovereign state, single international agreement, or single global treaty, and that Africa's or Kenya's success in safeguarding personal data of its citizens can only be ensured through one unified AU authority, such as adoption of the AU Convention on Cyber Security and Personal Data Protection, which cooperates with other international authorities like the GDPR in the EU. As part of the recommendations of this study, it would be prudent for policymakers, lawmakers, and all other key industry stakeholders to raise public knowledge about the Personal Data Protection Act of 2019, and to compare it to the worldwide best practices such as the GDPR to create a unified and simple regulatory framework. Overall, the findings support the liberalism theory, which is based on the idea that cooperation among states, as well as between states and non-state actors, can and should be anchored, organized and formalized in institutions, thereby promoting cooperation and conformity to predetermined agreements without the need for a hegemonic player.