CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO") is a comprehensive set of laws that is technology-neutral and provides a set of Data Protection Principles outlining how data users should collect, handle and use personal data.

2. Data protection authority

The Office of the Privacy Commissioner for Personal Data www.pcpd.org.hk

The Office of the Data Commissioner.

The Data Commissioner was formally appointed on 16 November 2020 and is in the process of setting up its office.

3. Anticipated changes to local laws

The legislation is due for amendment since its last substantive amendment in 2012.

The Constitutional and Mainland Affairs Bureau released LC Paper No. CB(2) 512/19-20(03), a discussion paper seeking the views of the Legislative Council's Panel on Constitutional Affairs (the Panel) on proposed changes to the Personal Data (Privacy) Ordinance (Cap. 486). The proposed changes follow proposals by the Privacy Commissioner for Personal Data, and include six proposed amendments:

  • Inclusion of a Mandatory Data Breach Notification Mechanism;
  • Requirement for a retention policy and a specified Data Retention Period;
  • Provision of Sanctioning Powers to the PCPD to impose administrative fines and raise relevant criminal fine levels;
  • Regulation of Data Processors;
  • Amending the Definition of Personal Data to cover information relating to an "identifiable" natural person;
  • Regulation of Disclosure of Personal Data of Other Data Subjects to curb doxing.

Following the Data Commissioner's appointment, a Task Force was convened in January 2021 to develop the Data Protection Regulations under the DPA.

4. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:  

A summary of various offences and penalties under the Ordinance can be found at: https://www.pcpd.org.hk/misc/files/table2_e.pdf

Others:  

N/A 

Administrative sanctions:

The DPA gives the Office of the Data Commissioner the power to impose administrative fines for failure to comply with the DPA.

The Office of the Data Commissioner may impose a fine of up to KES 5m (USD 50,000) or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. The fine is payable to the Office of the Data Commissioner.

Failure to comply with an order of the Office of the Data Commissioner is considered an offence under the DPA.

Section 65 of the DPA accords all data subjects the right to compensation from data processors or controllers for damage caused to them.

Criminal sanctions:

There are certain specific offences under the DPA including:

  • Unlawful disclosure of personal data in a manner incompatible with the purpose for which the data was collected;
  • Unlawful disclosure of personal data that the data processor processed without the prior authorisation of the data controller;
  • Obtaining access to personal data without the prior authorisation of the data controller or processor holding the data;
  • Disclosure of personal data to a third party without prior authorisation by the data controller or processor holding the data;
  • Sale of personal data obtained unlawfully. Advertising the sale of such data constitutes an offer to sell under this offence;
  • Failure to register with the Office of the Data Commissioner as a data processor or controller;
  • Provision of false or misleading information during the application process for registration as a data processor or controller;
  • Obstruction of the Office of the Data Commissioner during an investigation. 

On conviction, an offence under the DPA carries a general penalty of a fine not exceeding KES 3m (USD 30,000) or an imprisonment term not exceeding ten years, or both. Obstruction of the Data Commissioner during an investigation is an offence liable to a fine not exceeding KES 5m (USD 50,000) or imprisonment for a term not exceeding two years, or both.

5. Registration / notification / authorisation

There is no requirement for notification/registration/authorisation for processing personal data (i.e. no mechanism similar to the UK's "Notification to process personal data", www.gov.uk).

The DPA requires data processors or controllers to register with the Office of the Data Commissioner. The DPA, however, allows the Office of the Data Commissioner to set a threshold for data processors or controllers whose registration shall be mandatory. This threshold is yet to be set, but we anticipate it will be in the upcoming regulations currently in development.

6. Main obligations and processing requirements

Data users shall comply with the six principles set out in Schedule 1 to the Ordinance: 

  • personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate but not excessive for such purpose. The means of collection should be lawful and fair; 
  • data users are required to take all practicable steps to ensure that personal data is accurate and not kept longer than is necessary for the fulfilment of the purpose for which the data is used. If data users engage a data processor for handling personal data of other persons, data users should adopt contractual or other means to ensure that the data processor complies with the mentioned retention requirement;
  • data users shall not use personal data for any new purpose which is not, or is unrelated to, the original purpose for which the data was collected, unless with the data subject's express and voluntary consent;
  • data users shall take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use; 
  • data users are required to take all practicable steps to ensure openness of their personal data policies and practices, the kind of personal data held and the main purposes for holding it; and 
  • data users shall provide data subjects with the right to request access to and correction of their own personal data.

Data Processing Principles:

All data processors/controllers are required to follow the data protection principles, which are:

  1. Data processing in accordance with the right to privacy of the data subject;
  2. Fair and transparent processing of a data subject's personal data;
  3. Collection of personal data for specified and legitimate purposes and not further processing beyond those purposes;
  4. Purpose limitation for data collected;
  5. Collection of personal data relating to family or private affairs only where a valid explanation is provided;
  6. Accuracy of collected personal data and every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  7. Personal data is to be kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected;
  8. Personal data shall not be transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.

Duty to Notify:

Before collecting any personal data, data processors/controllers are required to notify a data subject of:

  1. Their rights as data subjects under the DPA;
  2. The fact that their data is being collected and the purpose for the collection;
  3. Any third parties that have or will have access to their data including details of safeguards adopted;
  4. The contacts of the data controller/processor and any other entity receiving the collected personal data;
  5. The technical and organisational security measures taken to ensure the integrity and confidentiality of the data;
  6. Whether the data is being collected pursuant to any law and whether such collection is voluntary or mandatory;
  7. The consequences, if any, if they fail to provide all or any part of the requested data.

Lawful Processing:

Personal data may only be processed on one of the lawful bases provided under Section 30 of the DPA, namely:

  1. Consent: the individual has given clear consent for a data processor or controller to process their personal data for a specific purpose;
  2. Contract: the processing is necessary for the performance of a contract between a data processor or controller and the data subject, or because the data subject has asked the data processor or controller to take specific steps before entering into a contract;
  3. Legal obligation: the processing is necessary for a data processor or controller to comply with the law (not including contractual obligations);
  4. Vital interests: the processing is necessary to protect the vital interests of the data subject or another natural person;
  5. Public task: the processing is necessary for a data processor or controller to perform a task in the public interest or the exercise of official authority vested in the controller;
  6. Legitimate interests: the processing is necessary for a data processor or controller's legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the data subject's data which overrides those legitimate interests;
  7. Historical, Statistical, Journalistic, Literature and Art or Scientific research: if the data is required in such pursuits. 

7. Data subject rights

Data subjects are given the right to access and make correction to their data.

  1. Right to be informed of the use to which their personal data is to be put;
  2. Right to access their personal data in the custody of the data controller or processor;
  3. Right to object to the processing of all or part of their personal data;
  4. Right to correction of false or misleading data;
  5. Rights to deletion of false or misleading data about them;
  6. Right to withdraw the consent given to data processor or controller at any time;
  7. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject;
  8. Right to object to the processing of their personal data, unless the data controller or data processor demonstrates compelling legitimate interest for the processing which overrides the data subject's interests, or for the establishment, exercise or defence of a legal claim;
  9. Right to receive personal data concerning them in a structured, commonly used and machine-readable format and the right to transmit such data from one data controller to another.

8. Processing by third parties

No direct regulation on data processors. However, data users are required to adopt contractual means to ensure that data processors or sub-contractors adopt measures to ensure the safety of personal data.

The DPA does not prohibit the processing of personal data by third parties but requires that the data subject be informed of any third parties that may have access to their personal data and the safeguards adopted to ensure their data security. 

The data processor or controller is also required to provide the third party's contact details to the data subject. This information should be provided before the data is collected.

9. Transfers out of country

A data user shall not transfer personal data outside Hong Kong unless one of the following conditions is met: 

  • The place is specified by the Commissioner by notice in the Gazette as having in force any law which is substantially similar to, or serves the same purposes as, the Ordinance – no place has satisfied this condition to date;
  • The data user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the Ordinance;
  • The data subject has consented in writing to the transfer;
  • The data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the consent in writing of the data subject to that transfer; but if it was practicable, such consent would be given;
  • The data is exempt from Data Protection Principle 3 by virtue of an exemption under Part VIII of the Ordinance (such as personal data held for news activities, for domestic use, for purpose of prevention of crime etc.); or
  • The data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed, or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance. Please note that use of recommended model data transfer clauses to develop an enforceable data transfer contract by data users is one method to satisfy the required due diligence requirement. 

The following conditions must be satisfied prior to a transfer of personal data out of Kenya:

  1. The data controller or processor must give proof to the Office of the Data Commissioner of the appropriate safeguards for the security and protection of the personal data, including legislative safeguards commensurate with the DPA in Kenya;
  2. The transfer must be necessary:
    1. for the performance of a contract between a data processor or controller and the data subject, or because the data subject has asked the data processor or controller to take specific steps before entering into a contract;
    2. for any matter of public interest;
    3. for the establishment, exercise or defence of a legal claim;
    4. to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    5. for compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects;
  3. The processing of sensitive personal data out of Kenya may only be done with a data subject's consent and with confirmation of appropriate safeguards. 

10. Data Protection Officer

N/A

A Data Protection Officer may be appointed where:

  • The processing is carried out by a public body or private body, except for courts acting in their judicial capacity;
  • The core activities of the data controller or processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects; or
  • The core activities of the data controller or the data processor consist of the processing of sensitive categories of personal data.

11. Security

There is no mandatory requirement. However, it is required that a data subject is informed of the name or job title, and address, of the individual who is to handle the data access or correction request made to the data user.

Every data processor or controller must implement appropriate technical and organisational measures to effectively implement the data protection principles and integrate necessary safeguards for data processing. 

12. Breach notification

There is no mandatory requirement, but a data breach may amount to a contravention of Data Protection Principle 4(1) in Schedule 1 to the Ordinance.

The following action plan is recommended as practice to be adopted by data users: 

  • immediate gathering of essential information relating to the breach; 
  • contacting the interested parties and adopting measures to contain the breach; 
  • assessing the risk of harm; 
  • considering the giving of data breach notification: notifying the affected data subjects, the relevant parties, the law enforcement agencies, the Commissioner, relevant regulators and such other parties who may be able to take remedial actions, as soon as practicable after the detection of the data breach. For notifying the Commissioner, a "Data Breach Notification Form" can be used.

Where personal data has been accessed or acquired by an unauthorised person, and there is a real risk of harm to the data subject whose personal data has been subjected to the unauthorised access, a data controller is required to:

  • Notify the Office of the Data Commissioner without delay; and
  • In certain prescribed circumstances communicate the occurrence of the breach to the data subject in writing. 

13. Direct marketing

The data user must:

  • inform the data subject (i) that the data user intends to so use the personal data; and (ii) that the data user may not so use the data unless the data user has received the data subject’s consent to the intended use – this “consent” needs to be “an indication of no objection to the use or provision” and hence, silence or lack of response will not be deemed to be consent;
  • provide the data subject with the following information in relation to the intended use (i) the kinds of personal data to be used; and (ii) the classes of marketing subjects in relation to which the data is to be used –  the description of such classes should be specific, making reference to the distinctive features of the goods, facilities or services so that it is practicable for the customers to ascertain the goods, facilities or services to be marketed with a reasonable degree of certainty; and
  • provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use – a data user can only elect a response channel that enables the data subject’s consent to be made in writing.

The DPA does not have specific provisions on direct marketing.

14. Cookies and adtech

There are no specific requirements in relation to the use of cookies.

However, the use of cookies to collect personal data needs to be in compliance with Data Protection Principle 1(3) in Schedule 1 to the Ordinance that requires: 

  • the data subject is explicitly or implicitly informed, on or before collecting the data, of (i) whether it is obligatory or voluntary for him or her to supply the data; and (ii) where it is obligatory for him or her to supply the data, the consequences for him or her if he or she fails to supply the data; and 
  • he or she is explicitly informed: (i) on or before collecting the data, of (A) the purpose (in general or specific terms) for which the data is to be used; and (B) the classes of persons to whom the data may be transferred; and (ii) on or before first use of the data for the purpose for which it was collected, of (A) his or her rights to request access to and to request the correction of the data; and (B) the name or job title, and address, of the individual who is to handle any such request made to the data user.

The DPA does not have specific provisions on cookies and adtech.

15. Risk scale

Moderate

Severe

Cybersecurity

1. Local cybersecurity laws and scope

The most significant laws that cover cybersecurity matters include provisions under:

  • Crimes Ordinance (Cap 200): (1) s.161 Access to computer with criminal or dishonest intent; and (2) s.60 Destroying or damaging property;
  • s.27A (unauthorised access to computer by telecommunications) under the Telecommunications Ordinance (Cap 106);
  • Control of Obscene and Indecent Articles Ordinance (Cap 390);
  • Prevention of Child Pornography Ordinance (Cap 579); and
  • The Unsolicited Electronic Messages Ordinance (Cap 593).

  1. Computer Misuse and Cybercrimes Act, No. 5 of 2018 Laws of Kenya, which provides for cybercrime offences;
  2. Kenya Information and Communications Act, No. 2 of 1998 Laws of Kenya, which was enacted to facilitate the development of the information and communications sector and electronic commerce;
  3. Kenya Information and Communications (Consumer Protection) Regulations, 2010, which were passed to protect consumers of ICT services and products;
  4. Data Protection Act, No. 24 of 2019 Laws of Kenya, which makes provision for the regulation of personal data, the rights of data subjects and the obligations of data controllers and processors;
  5. Guidelines on Cybersecurity for Payment Service Providers, July 2019, which were passed to create a secure cyberspace and combat cybercrime.

2. Anticipated changes to local laws

There are no anticipated changes to local laws, although there has been more pressure to introduce laws against doxing.

There are no anticipated changes in the current cybersecurity legislation in Kenya.

3. Application 

The legislation mainly criminalises conduct around unauthorised access to computers and the dissemination of obscene articles, child pornography and unsolicited electronic messages.

Computer Misuse and Cybercrimes Act (the “Act”)

The Act provides for offences relating to computer systems such as unauthorised access or interference, cyber espionage, cyber harassment, cybersquatting, phishing and cyber terrorism; contains provisions to enable timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes; and facilitates international co-operation in dealing with computer and cybercrime matters.

Kenya Information and Communications Act (the “KICA”)

The KICA was amended in 2019 to provide for the regulation of electronic transactions and cyber-security by requiring the Communications Authority of Kenya (“CA”) to develop a framework for facilitating the investigation and prosecution of cybercrime offences and promote and facilitate the efficient management of critical internet resources.

Kenya Information and Communications (Consumer Protection) Regulations (the “Regulations”)

The Regulations set out the rights and obligations of consumers as well as the safeguards that licensed telecommunication service providers should put in place to protect consumer rights. The Regulations require service providers to take appropriate technical and organisational measures to safeguard the security of their services.

Data Protection Act (the “DPA”)

The DPA imposes obligations on data controllers and data processors to provide security measures and mechanisms to ensure the protection of personal data against unlawful destruction, loss, alteration and transfer.

Guidelines on Cybersecurity for Payment Service Providers (the “Guidelines”)

Due to the increased cyber threats against banks, the Central Bank of Kenya (“CBK”) issued Guidelines to create a safer and more secure cyberspace and establish a coordinated approach to the prevention and combating of cybercrime. The Guidelines set out the minimum standards that Payment Service Providers (“PSPs”) should adopt to develop effective cybersecurity governance and risk management frameworks. 

4. Authority

Information Commissioner’s Office www.ico.org.uk

The Cyber Security and Technology Crime Bureau (Hong Kong Police) 
https://www.police.gov.hk/ppp_en/04_crime_matters/tcd/tcd.html

The Communications Authority (for reporting spam) www.coms-auth.hk

5. Key obligations 

N/A – There is no prescribed obligation imposed on cyber users or operators to adopt security measures except those involving the handling of personal data as specified in the Personal Data (Privacy) Ordinance (Cap 486) (the "Ordinance").

Computer Misuse and Cybercrimes Act (the "Act")

  • The Act creates various cybercrime offences by criminalising acts such as unauthorised access or interference, cyber espionage, false publications, child pornography, computer forgery, cyber harassment, cybersquatting, identity theft and impersonation, phishing and cyber terrorism;
  • A person who operates a computer system or a computer network, whether public or private, is required to inform the National Computer and Cybercrimes Co-ordination Committee (the "Committee") of any attacks, intrusions and other disruptions to the functioning of another computer system or network within 24 hours of such attack, intrusion or disruption.

Kenya Information and Communications (Consumer Protection) Regulations (the "Regulations")

  • The Regulations require service providers to take appropriate technical and organisational measures to safeguard the security of their services.
  • Where there is a particular risk of a breach of the security of the network, a service provider is required to inform its subscribers of the risk and of any possible remedies where the risk lies outside the scope of the measures that may be taken by the service provider.

Data Protection Act (the "DPA")

  • Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject, a data controller must notify the Data Commissioner without delay, within 72 hours of becoming aware of the breach.
  • The data controller is also required to inform the data subject of the breach unless a restriction is necessary for purposes of prevention, detection or investigation of an offence.
  • Offences under the DPA include: disclosure of personal data by data controllers, contrary to the purpose for which the data was collected; disclosure of personal data by a data processor without the prior consent of the data controller; obtaining access to personal data without the consent of a data controller or data processor; and offering to sell personal data which has been unlawfully accessed or obtained.

Guidelines on Cybersecurity for Payment Service Providers (the "Guidelines")

The Guidelines impose broad obligations on PSPs requiring them to:

  1. Submit a Cybersecurity Policy, Strategies and Frameworks to the Central Bank of Kenya (CBK) by December 31, 2019, for those Operators registered prior to that date and for prospective Operators to submit the same during the licence application process;
  2. Notify the CBK within 24 hours of any cybersecurity incidents that could have a significant and adverse impact on the PSP’s ability to provide adequate services to its customers, its reputation or financial condition;
  3. Provide the CBK with a report concerning its occurrence and handling of cybersecurity incidents on a quarterly basis.

6. Sanctions & non-compliance 

Administrative sanctions:

N/A

Criminal sanctions:

Hong Kong Police will enforce the provisions of the relevant Ordinances. Penalties will range from a level 4 fine (HKD 25,000) to imprisonment for five years.

Others:

N/A

Administrative sanctions:
  • DPA

Under the DPA, the Data Commissioner may serve an enforcement notice on a person who has failed to comply with any provision of the DPA. 

The Data Commissioner may also serve a penalty notice to a person who has failed to comply with an enforcement notice requiring the person to pay the amount specified in the notice.

The maximum amount of the penalty is up to KES 5m or in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower.

  • KICA

Under the Kenya Information and Communications (Consumer Protection) Regulations, the Communications Authority may impose fines of up to KES 300,000.

Criminal sanctions:
  • Computer Misuse and Cybercrimes Act

Upon conviction, an offender may be liable for a fine of between KES 3m and KES 25m and/or a jail term of between three and 25 years.

  • DPA

The general penalty for commission of an offence under the DPA is a fine not exceeding KES 3m, an imprisonment term of ten years, or both.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

No 

The National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC) was established by the Communications Authority of Kenya as part of its mandate to develop a national cyber security management framework through the establishment of a national computer response team. 

The National KE-CIRT/CC’s mandate is to coordinate responses, manage cybersecurity incidents nationally and collaborate with relevant actors locally, regionally and internationally. Its functions include:

  1. Implementation of national cybersecurity policies, laws and regulations;
  2. Cybersecurity awareness and capacity building;
  3. Early warning and technical advisories on cyber threats on a 24/7 basis;
  4. Technical co-ordination and response to cyber incidents on a 24/7 basis in collaboration with various actors locally and internationally;
  5. Development and implementation of a National Public Key Infrastructure;
  6. Research and development in cybersecurity;
  7. Promotion and facilitation of the efficient management of critical internet resources.

8. National cybersecurity incident management structure

N/A

Yes, see above.

9. Other cybersecurity initiatives 

  • Hong Kong Monetary Authority has issued various non-binding cybersecurity guidelines for authorised institutions such as Cyber Resilience Assessment Framework and cybersecurity guidelines with respect to the use of stored value facilities, ebanking systems and artificial intelligence.
  • Securities and Futures Commission has published guidelines and circulars such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading and specific guidelines in relation to the use of external electronic data storage.
  • Insurance Authority has issued the Guideline on Cybersecurity laying down the minimum cybersecurity standards that authorised insurers must observe.
  • The Commissioner for the Electronic Health Record has issued codes of practice regarding the use of the electronic health record sharing system by healthcare providers to access and share patients’ electronic health records. 
  • The Office of the Government Chief Information Office has issued guidelines on cybersecurity controls and measures applicable to various government offices and departments.

The National Cybersecurity Strategy developed by the Ministry of Information Communication and Technology (ICT) defines Kenya’s cybersecurity vision, key objectives, and ongoing commitment to support national priorities by encouraging ICT growth and aggressively protecting critical information infrastructures. 

The Strategy contains four goals:

  1. Enhance the nation’s cybersecurity posture in a manner that facilitates the country’s growth, safety and prosperity;
  2. Build national capability by raising cybersecurity awareness and developing Kenya’s workforce to address cybersecurity needs;
  3. Foster information sharing and collaboration among relevant stakeholders to facilitate an information sharing environment focused on achieving the Strategy’s goals and objectives;
  4. Provide national leadership by defining the national cybersecurity vision, goals and objectives and coordinating cybersecurity initiatives at the national level.

Additionally, the Communications Authority has published the General Information Security Best Practice Guide, which was issued by the CA to be adopted by Kenyan organisations and users across all sectors to enable them to deal with common information security challenges. 

The Guide proposes recommendations for common information security challenges such as online safety, unauthorised access, infringement of intellectual property and trade secrets, malware, cloud computing, wireless networks, mobile security, identity theft and fake news.

Jonathan Chu
Partner
Hong Kong (CMS CMNO - Lau, Horton & Wise LLP)

Samson Oduol
Partner
Nairobi

Brian Gatuguti
Associate
Nairobi

Jessica Mutemi