Following the enactment of the DPA, significant measures have been taken towards its implementation, including the appointment of a data commissioner in November 2020, the establishment of a taskforce for the development of implementing regulations in January 2021, and the circulation of a set of draft regulations for public comment shortly thereafter. In light of the significant momentum that has been exhibited in the journey towards the practical implementation of the DPA, it would be prudent for both foreign-based and Kenya-based data controllers and processors to note and comply with the obligations imposed upon them under this law. This article, however, focuses on the possible extraterritorial applicability of the DPA to foreign-based data controllers and processors and analyses the implications that arise in that context.
Extraterritorial applicability of the DPA
Section 4(b)(ii) of the DPA indicates that the extraterritorial applicability of the DPA arises from the fact that it regulates, among other matters, the processing of personal data by “a data controller or data processor who is not established or ordinarily resident in Kenya, but who processes the personal data of data subjects located in Kenya”. As such, where foreign-based controllers and processors process personal data of data subjects who are in Kenya, they would need to comply with the requirements of the DPA or face the risk of penalties in the event of default.
The DPA provides for three levels of remedial measures for the breach of its provisions. Firstly, the data commissioner is empowered to apply administrative remedies in the form of enforcement notices and penalty notices. Enforcement notices are essentially directions from the data commissioner citing instances of breach of the DPA by a data controller or processor and requiring corrective measures to be applied by the breaching entity. Non-compliance with an enforcement notice constitutes an offence under the DPA. According to section 63 of the DPA, penalty notices, on the other hand, are administrative fines that could run up to Ksh 5 million (currently approximately USD 47,000) or 1% of the annual turnover of the breaching entity for the preceding financial year, whichever is lower. While this cap may appear to be less of a deterrent than the higher fines provided for under equivalent laws such as the GDPR or the Protection of Personal Information Act 4 of 2013 (POPIA) in South Africa, it could add up and cause significant losses for a controller or processor that lacks proper compliance mechanisms and commits repeated breaches of the DPA resulting in several consecutive fines. By way of comparison, section 109(2)(c) of POPIA provides for an administrative fine of up to R10 million (currently approximately USD 680,000), while the GDPR, under Article 83(4) and (5), provides for fines of up to EUR 10 million and EUR 20 million respectively.
Secondly, the DPA provides for criminal penalties, the stiffest of which is a maximum fine of Ksh 5 million (currently approximately USD 47,000) and a maximum jail term of 10 years. Lastly, the DPA provides for civil remedies in the form of compensation for damage caused, including financial loss or non-financial loss such as distress.
While it is clear how such remedies may be sought and enforced against Kenya-based controllers and processors, the situation becomes more complicated when an infringing controller or processor is based outside Kenya. The law does, however, provide basic frameworks through which such extraterritorial enforcement could be pursued, and remedies and sanctions imposed on foreign-based data controllers and processors.
Extraterritorial enforcement of administrative remedies
According to section 8(1)(a) of the DPA, the data commissioner has wide powers under the DPA to undertake “any activity” that is necessary for the fulfilment of the functions of their office, which includes the implementation and enforcement of the DPA.
This power could be relied on by the data commissioner to pursue the enforcement of administrative remedies against foreign-based data controllers or processors through co-operation with foreign data protection regulators or comparable government agencies. To this end, the DPA specifically gives the data commissioner the power to “enter into association with bodies or organisations within and outside Kenya as appropriate in furtherance of the object” of the DPA.
The success of any such arrangement would, to a significant degree, depend on the conclusion of intergovernmental treaties and, ultimately, on whether the laws of the relevant foreign jurisdictions contain provisions that their regulators could rely on to lawfully enforce penalty notices issued by the data commissioner against controllers and processors in those jurisdictions.
Foreign enforcement of Kenyan judgments
The Foreign Judgments (Reciprocal Enforcement) Act confers enforceability within Kenya on both civil and criminal judgments delivered by the superior courts of certain designated jurisdictions. Jurisdictions are designated on the basis that their laws, in the Kenyan Government’s view, contain (or will at some point in the future contain) provisions for the reciprocal enforcement of judgments issued by Kenyan courts. The list of designated jurisdictions presently includes Australia, Malawi, Seychelles, Tanzania, Uganda, Zambia, the United Kingdom and Rwanda. As such, relevant Kenyan judgments delivered against data controllers and processors based in these eight countries are, or are expected to become, generally enforceable under the laws of those countries.
Further, in the context of any criminal breach of the provisions of the DPA, the data commissioner may, by virtue of the provisions of the Mutual Legal Assistance Act, initiate a request for legal assistance from competent authorities in relevant foreign jurisdictions for the purposes of enforcing criminal remedies. Legal assistance could take the form of executing searches and seizures, freezing of proceeds of unlawful activity, recovery and disposal of assets, and so on. Kenya’s extradition laws do not currently designate offences under the DPA as extraditable offences. As such, the extradition to Kenya of foreign-based persons who commit offences under the DPA is currently not possible. However, the relevant portions of those laws could, in theory, be amended to include DPA offences among the extraditable offences, thereby altering this position.
Foreign-based data controllers and processors who process personal data relating to data subjects who are in Kenya would do well to note the Kenyan Government’s resolve towards the implementation of the DPA and to monitor further developments in this regard. It will be interesting to observe whether the data commissioner will seek to make use of these extraterritorial enforcement mechanisms in due course and, more particularly, how foreign-based data controllers and processors would respond to any such enforcement against them in terms of compliance with the DPA going forward. There may also be room for amendment of the DPA in due course to adopt GDPR-like mechanisms for enforcement against certain prescribed categories of foreign controllers and processors, such as requiring them to designate local representatives within Kenya who could be addressed (in addition to, or instead of, the foreign controller or processor) by the data commissioner on all issues related to the processing of personal data and for the purposes of ensuring compliance with the DPA.