The public has been invited to participate in a three-day virtual public participation process to review Kenya’s draft data protection regulations.

The three-day public participation process started on Tuesday and is expected to end today 29th  April 2021 while the deadline for submission of comments has now been extended to May 11 , 2021.

Headed by Immaculate Kassait, the Data Protection Commission, will gather views from stakeholders and public consultations on three sets of data protection regulations namely,

Data Protection (General) Regulations, 2021

Data Protection (Compliance and Enforcement) Regulations, 2021

Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021

Your views are important because:

  • So much gets lost in translation so you are best placed to present your views as they should
  • Your participation as a blogger will really help advance the views of how these regulations will affect your work.
  • Your participation is key towards the realization of the Data Protection (General) Regulations, 2021
  • There are concerns that the Kenyan and Ugandan governments are reducing the online freedoms of its citizens with Covid-19 surveillance
  • In the past, data laws have been used to prosecute bloggers unfairly
  • Prevention is better than cure. As we all know the Bloggers Association of Kenya went to court to fight the Computer Misuse and Cybercrimes Act 2018. Legal processes are not only time-consuming but also quite expensive. This time we can look at the regulations and present any concerns that affect bloggers before they finally become law.

 The taskforce to look into these laws was established on January 15, 2021, by ICT Cabinet Secretary Joe Mucheru to operationalize the Act and report to the ministry in six months.

The team was tasked to take a comprehensive look at the Data Protection Act, 2019 — a law that is expected to protect the personal information of individuals and — identify any existing gaps in the law as well as the Data Protection Policy then propose any requirements for review.

It was also to propose any new policy, legal and institutional framework that may be required to implement the data law, develop the Data Protection (General) Regulations and train stakeholders and the public on the said regulations and undertake public consultation on the regulations and any other activities required for the effective discharge of the task force’s mandate.

Once the virtual public process is done, there will be considerations of stakeholder comments then

consultations with committees of the National Assembly and gazettement of the regulations. All these will be followed by public awareness of the regulations and each sector will have its specific regulations.

The Office of the Data Protection Commissioner was established in November 2020 thanks to the Data Protection Act, 2019, and was mainly tasked with regulating the processing of personal data and processing of personal data as guided by the principles set out in Section 25 of the Act.

Already, stakeholder consultations on the draft regulations are underway where issues such as review of the data localization requirements, cross-border transfer of personal data, duration of renewal of the certificate of registration, and reduction of the registration fees have been raised.

Also presented are automation of the process of the data commissioner, clarification and simplification of the complaints handling procedures as well as harmonisation of the commercial use of personal data with existing legislations.

To send your views go to