Executive Summary


In May this year, the chairperson of the committee on information, communication and technology in the Senate proposed a Data Protection Bill to parliament. The bill will require organizations to inform users of any personal data they are collecting, the purpose of the collection and how long the data will be stored. It also gives users the right to decline to have their data collected or processed, as well as to demand that false data be corrected or deleted.

On the other hand, the Cabinet Secretary of the Ministry of Information, Communications and Technology formed a taskforce that led to the development of a draft Privacy and Data Protection Policy and Bill, which was meant to ensure the development of an enabling regulatory framework for privacy and data protection in Kenya.



The two bills mainly focus on protecting personal data collected, used or stored by both private and public entities, and on ensuring that the privacy of the information is maintained.

The bills also set out the principles of data protection, which include transparency, accuracy, confidentiality and integrity.

On notification, the two bills stipulate the need for notification when information is being collected, of the purpose for which it is being collected, and in the event of a data breach.

Third Party Access

The bills state that third parties should be given access to the information with the consent of the data owner.


Despite having almost the same content, the two bills still have some contrasting sections.


The Data Protection Policy does not specify penalties for the offences that might be committed, but the Data Protection Bill does. For instance, any person who interferes with the personal data of a data subject or infringes on the right of a person to privacy commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand shillings or to imprisonment for a term not exceeding two years, or to both.

Institutional Framework

The Data Protection Policy provides for the establishment of the office of a data protection regulator, who will be charged with enforcing data protection procedures, among other responsibilities. The Data Protection Bill provides for the establishment of a commission that shall oversee the implementation of the law, be responsible for its enforcement, and promote the protection and observance of the right to privacy, among other duties.


The bills came barely a month after the European Union passed the General Data Protection Regulation (GDPR), which was meant to harmonize data privacy laws and reshape the way organizations approach data privacy.

If the proposed law comes into effect, the agencies will be required to take steps to protect the personal data of subjects in their possession from loss, damage or unauthorized access by third parties.

You can read the entire Data Protection Policy here and the Data Protection Bill here.