Key Issues arising from the Data Protection (Registration of Controllers and Processors) Regulations 2021.
The Data Protection Act (DPA) introduced the first comprehensive legislation on the protection of personal data. The Act makes provision for the regulation of the processing of personal data, the rights of data subjects, the obligations of data controllers and processors, and the establishment of the Office of the Data Protection Commissioner (ODPC) under section 6. Implementation of some of the provisions in the Act requires subsidiary legislation. In line with this, the ODPC, through a taskforce established by the Ministry of ICT Innovation and Youth Affairs, published three draft regulations for public comment. Among these was the Data Protection (Registration of Data Controllers and Data Processors) Regulations, which provides for:
Registration and renewal criteria for data controllers and processors.
Regulatory fees set by the Data Commissioner.
Offences for breaches and the penalties attached to them.
Imposition of fines by the Data Commissioner.
The registration of data controllers and processors is in line with trends in the regulation of personal data, particularly for the parties involved in processing activities. It is therefore important to understand the different roles controllers and processors play in data processing. Data controllers hold the highest responsibility for compliance, as they must demonstrate not only their own compliance with the data protection principles but also the compliance of their data processors. “A data controller determines the purposes and means by which personal data is processed, whereas a data processor processes personal data only on behalf of the controller.” The data protection regulations require registration of both controllers and processors.
A problem that may arise in the implementation of these regulations is the exemption of state and county corporations (public bodies) from mandatory registration. Public entities process a large volume of personal data owing to the services they offer to the public, and the data they process falls within the threshold provided for mandatory registration. There are no regulations or guidelines, save for those applying to civil registration entities, that could be used as an oversight mechanism for these entities. Part of demonstrating compliance with the provisions of the DPA requires disclosure of specific information that is captured at registration and during the validation process. Their exemption from registration removes their obligation to demonstrate compliance with the Data Protection Act, thereby leaving the data processed by these entities at risk of being processed contrary to the provisions of the law and in direct contradiction of the fundamental right to privacy.
Another issue is the registration of foreign processors, a category of processors that are not established or ordinarily resident in Kenya but process the personal data of data subjects located in Kenya, for example foreign digital lending apps. Whereas the regulations are clear on the criteria for registration of data controllers and processors, there is an assumption that the regulations apply only to local data processors and controllers. This assumption arises because, although the DPA applies to foreign controllers and processors, as reflected under section 4(b)(ii), the draft regulations fail to provide criteria for their registration. It would therefore be necessary for the regulations to equally provide registration criteria for foreign data controllers and processors.1 Providing for this extended scope of registration ensures that foreign data controllers and processors also demonstrate compliance with the provisions of the Data Protection Act before they can process the personal data of data subjects within the Kenyan jurisdiction.
The overall fee payable for registration, as provided under the second schedule, is determined on the basis of turnover classification. This means that the fee payable depends on the amount of money made by a business or organisation (either in terms of goods sold or services provided) within a particular period. This turnover classification ranges from organizations that have an annual turnover of less than Kshs. 2,000,000 to organizations that have an annual turnover of Kshs. 50,000,000. Although this classification is generalised to encompass all businesses and organizations, it fails to consider the industry-specific differences in their day-to-day functioning and data processing activities, which would be significant in determining the fee payable. A preferred classification would be a combination of industry classification and turnover classification.
This kind of classification would not only make it easier to determine costs based on the data processed but would also aid in a better determination of registration costs for SMEs. ‘Ghana for example has adopted a similar classification criteria where they have large, medium and small data controllers and processors with the large data controllers and processors being further classified into two, the primary criterion and secondary criterion. The primary criterion covers data controllers and processors with an annual turnover of five million Ghana cedis and above or a minimum of 250 members or staff, whereas the secondary criterion covers specialist industries no matter their turnover. The specialist industries include upstream and midstream petroleum companies, telecommunication companies or operators, banking/financial institutions, credit bureaus, insurance companies and mining companies with the exception of quarries.’2 A similar three-tier classification is also adopted by the UK ICO: tier one is for micro-organisations, tier two for small and medium organisations, and tier three for large organisations. The description of the tiers is also based on turnover and number of employees, which determines the cost of registration.
Since the enactment of the Data Protection Act, numerous steps have been taken to operationalize the provisions of the Act, including the establishment of the office of the ODPC through section 5 and the appointment of the Data Commissioner through section 6. This regulation not only serves to ensure compliance with the provisions of the Act but also serves to continuously uphold the fundamental right to privacy, and will likely have a great impact on the management of the data processing activities of Kenyan citizens. The regulation presents a significant change for business entities, institutions and organizations alike, in their respective capacities as data controllers and processors. Given the continued rise in the adoption of technology, which increases the need for processing of personal data, the regulation compels a better understanding of the roles of data controllers and processors, requiring that the processing of personal data be more transparent and mindful of relevant data protection considerations.
1 Section 4b
2 Data Protection Commission: Fees and Charges. (Data Protection Commission, Ghana) <