The Impact of General Data Protection Regulations on Kenyan Data Processing Companies

The GDPR, which comes into force on 25 May 2018, replaces the Data Protection Directive 95/46/EC. It is designed to support the single market, to harmonize data privacy laws across Europe, to protect and empower the data privacy of European Union (EU) citizens, and to reshape the way organizations approach the data privacy of EU citizens wherever in the world those organizations operate.

While the GDPR is expected to have global and far-reaching ramifications, a degree of uncertainty looms among Kenyan companies, especially those engaged in outsourced data processing (whether captive or otherwise) which consequently handle the personal data of data subjects in the European Union (EU). This uncertainty mainly concerns whether the GDPR applies to them and what it implies for their businesses. The penalty scheme prescribed under the GDPR is a further cause of concern for such companies, since the GDPR permits enforcement directly against a data processor.

Are Kenyan data processing companies subject to the GDPR?

The GDPR definition of processing, and hence of what a data processor does, is very wide. It covers any operation performed on personal data, such as collecting, recording, structuring, storing, using or disclosing by transmission, and even includes erasing and destroying. Article 3 (Territorial scope) of the GDPR makes it clear that the Regulation applies regardless of whether the processing takes place in the EU or not.

Therefore, a Kenyan company processing personal data in the context of the activities of an establishment of a controller or processor in the EU will, in all likelihood, fall within the ambit of the GDPR.

What should Kenyan data processing companies expect?

Prior to undertaking any processing activity, Kenyan companies will be required to enter into a contract with their customer (generally, a data controller). Such a contract will stipulate the subject-matter and duration of the processing activity, its nature and purpose, and the type of personal data and categories of data subjects.

By way of such a contract, a customer (the data controller) will seek from a Kenyan company a flow-down of the following obligations:

  • Implementation of appropriate organisational measures to ensure:
    • pseudonymisation and encryption of personal data;
    • confidentiality and integrity of processing systems;
    • restoration of availability of, and access to, personal data after a physical or technical incident; and
    • regular testing and evaluation of such measures;
  • In the event of a personal data breach, notification of the customer without undue delay after the processor becomes aware of the breach; and
  • Carrying out a data protection impact assessment prior to commencement of the processing activity.

It must be noted that the GDPR mandates that the contract between data controller and processor include the obligations stated above. In addition, a Kenyan company carrying out data processing will also be obliged to allow the customer to conduct audits and inspections of its systems to demonstrate compliance with the above. Further, the right of a data processor to subcontract its obligations has been curtailed and made conditional on the data controller’s approval. Therefore, the ability of a Kenyan process outsourcing company to refuse a flow-down of contractual obligations has been severely reduced.

Adequacy requirements

A keystone of the GDPR is the stipulation of ‘adequacy requirements’, which restrict the transfer of personal data to any third country or international organisation that does not “ensure an adequate level of protection.” In applying them, the European Commission considers whether the legal framework of the country to which the personal data is to be transferred affords adequate protection to data subjects in respect of privacy and the protection of their data. In Kenya, the current legal framework pertaining to data privacy and protection is far from lucid.

In this era of globalization and integrated product offerings, the generation, use and flow of personal data have been amplified considerably. In the process, both private and public entities have acquired access to the personal data of individuals, giving rise to concerns with respect to the collection, processing, use and storage of such personal data. With the advent of the GDPR, many of these concerns in respect of EU citizens will be dispelled to a considerable extent.

Most multinational companies find themselves increasingly dealing with the personal data of EU citizens. Kenyan companies that engage in data processing also gain access to such information as part of their day-to-day operations, bringing them within the ambit of the GDPR. At the same time, the GDPR casts some onerous obligations on a data processor, and many of these will entail significant investment of time and capital to comply with. Further, data controllers now have a statutory basis for claiming contractual protection from data processors. Earlier, such flow-downs were a subject of commercial negotiation between the parties and could be resisted on that ground. Undoubtedly, this will place Kenyan companies in a more precarious position than they occupied in the period preceding the enforcement of the GDPR.

To add to this, whether or not Kenya will meet the ‘adequacy requirements’ will depend on the manner and depth with which the Forthcoming Legislation addresses those ‘adequacy requirements’.

Notwithstanding, the author feels that this presents a golden opportunity for Kenyan data processing companies to revisit their data protection, information security and confidentiality policies and make them compliant with global standards. This pre-emptive step will help them not only in sustaining their businesses, but also in securing compliance with the GDPR, the Forthcoming Legislation and other global best practices.



Internet Legal Developments To Look Out For in 2018

A preview of some of Kenya’s internet legal developments that we can expect in 2018.

The commencement of the Finance Act 2017, which introduced increases in gaming taxes. The Act raised the rates of tax charged on gaming, lotteries, betting and firms running competitions as follows: betting from 7.5% to 50%, lotteries from 5% to 50%, gaming from 12% to 50%, and competition prizes from 15% to 50%.

This seemingly punitive tax is intended to reverse the negative socio-economic effects believed to have resulted from gambling. Nonetheless, the increased gambling taxes, which fall in the same category as “sin” taxes, may encourage the informalisation of these activities and thereby lead to tax evasion.

Copyright Amendment Bill 2017

The Bill proposes a number of new measures to strengthen the copyright regime. Some of the proposals bear on the protection of computer programs, the circumvention of technological protection measures, broadcasts, royalties and their collection, the liability and roles of ISPs, procedures for takedown measures, and so on. The Bill, which is at the committee stage, proposes to bring ISPs on board in the fight against online copyright piracy.

Computer and Cybercrime Bill 2016

The Bill seeks to provide for offences relating to computer systems; to enable timely and effective collection of forensic material for use as evidence, and facilitate international co-operation in dealing with cybercrime matters; and for connected purposes.

Further Regulation of FinTech in 2018

The Capital Markets (Online Foreign Exchange Trading) Regulations, 2017, which seek to monitor the internet-based trading systems through which foreign exchange trading is conducted, continue to make a choppy voyage through the FinTech regulatory process. The Central Bank of Kenya (CBK) also issued a Guidance Note on Cybersecurity that outlines the minimum requirements for banks to enhance their cyber security. The Guidance Note is mandatory for banks licensed by the Central Bank.

Data Protection Bill

The Data Protection Bill, which is still pending before Parliament, seeks to provide for the protection of personal information and thereby give effect to the constitutional right of a person not to have information relating to their family or private affairs unnecessarily required or revealed. It embraces data protection principles such as the necessity of collecting information, the data subject’s right to access information about them, and the imposition of a duty to ensure that information is accurate, up to date and complete.

Polygraph Testing for Employees in Kenya

Workers around the world are frequently subject to some kind of monitoring by their employers. Employers supervise work processes for quality control and performance purposes. They collect personal information from employees for a variety of reasons, such as health care, tax, and background checks.

Traditionally, this monitoring and information gathering in the workplace involved some form of human intervention and either the consent, or at least the knowledge, of employees. The changing structure and nature of the workplace, however, has led to more invasive and often covert monitoring practices which call into question employees’ most basic right to privacy and dignity within the workplace. Progress in technology has facilitated an increasing level of automated surveillance. Now the supervision of employee performance, behavior, and communications can be carried out by technological means, with increased ease and efficiency. The technology currently being developed is extremely powerful and can extend to every aspect of a worker’s life. Software programs can record keystrokes on computers and monitor exact screen images, telephone management systems can analyze the pattern of telephone use and the destination of calls, and miniature cameras and “Smart” ID badges can monitor an employee’s behavior, movements, and even physical orientation.

Employee polygraph testing has become a controversial topic, mainly because many people are not aware of what is legal and what is not. Employers often use polygraph tests to investigate specific incidents of misconduct, particularly where there is reasonable suspicion that the employee was involved. In addition to using a polygraph test in cases involving misconduct, some employers also use other forms of polygraph assessment. Depending on the nature of the position offered by the employer, an employee may be requested to undergo a polygraph assessment test to determine their suitability for promotion or, in the case of a prospective employee, whether the person should be employed by the company at all (pre-employment testing). The Kenyan Employment Act does not contain any specific provision on polygraph assessment.

No employee can be compelled to undergo a polygraph test. Employees must first give their written consent before they may be subjected to polygraph testing. Written consent may be obtained in advance by including a clause[1] in their service contract in terms of which they agree to undergo polygraph testing if required, or the employer can obtain the employee’s consent at a later stage, in which case the employee will have the option to agree or to refuse. Refusal to undergo a polygraph test may not be taken as an indication that the person is guilty, nor is it a valid reason for dismissal.

The Kenyan Constitution states that everyone has inherent dignity and the right to have that dignity respected and protected. It also provides that everyone has the right to privacy and freedom, including the right to physical security. Forcing an employee to undergo a polygraph test without their written consent can therefore be considered an invasion of that person’s constitutional rights.

The Kenyan Constitution also sets out a number of labour rights and, in particular, every person’s right to fair labour practices. Accordingly, employers must have regard to the rules of fairness, equity and consistency in all of their dealings with their employees, not least when subjecting them to a polygraph test.

[1] See Otieno v Stanbic Bank Kenya Limited 2013 2 EA

Who should own the copyright to #Githeriman’s photograph?

The Internet has been abuzz since 8th August 2017, when a photo of Martin Kamotho, now christened #Githeriman, enjoying his githeri as he waited to cast his vote in the Kenyan Presidential Elections was taken and posted online.

He has become an overnight celebrity and an Internet sensation. Individuals have resorted to creating hilarious memes, while some corporates have jumped onto the bandwagon and started to use his popularity for the purposes of advertising.

This blog post is, however, concerned with the intellectual property issues that have arisen because of the said photo, more specifically the ownership of the photo.

Who owns the Photo?

Under Kenyan law, all that is required for a photograph to attract copyright is that it be ‘original’. According to section 2(d) of the Copyright Act, it does not have to possess even a modicum of artistic quality. It therefore does not have to involve any ‘creative expression’, ‘creative input’ or ‘artistic skill’, each of which serves only to produce irrelevant ‘artistic quality’. It merely needs to be taken.

That term, ‘original’, has a single, simple and indeed primary meaning that does just that: ‘new’. A photograph that has not existed before is undoubtedly new, regardless of who or what took it. It is therefore protectable by copyright.

Property, even intellectual property, has to have an owner, and under section 2(f) of the Copyright Act 2001 that owner must be an ‘author’. In the case of a photograph this can only be the ‘photographer’, which the Act defines as the person responsible for the composition of the photograph. The photographer then has the exclusive right to use and sell the image and can enforce their copyright against anyone who infringes upon their rights.

Under the law, it is the photographer who will own copyright on any photos he/she has taken, with the following exceptions:

  • If the photographer is an employee of the company the photos are taken for, or is an employee of a company instructed to take the photos, the photographer will be acting on behalf of his/her employer, and the company the photographer works for will own the copyright.
  • If there is an agreement that assigns copyright to another party.

In all other cases the photographer retains the copyright. If the photographer has been paid for his/her work, the payment is for the photographer’s time and typically an allocated number of prints; the copyright in the photos remains with the photographer, and any reproduction without permission would therefore be an infringement of copyright.

In this case, even though the photographer is known, he is yet to come out and claim ownership of the photograph by showing that he has registered the same as copyright. The purpose of registration is to ensure that one has proper, independently verifiable evidence of the date and content of one’s work. This ensures that if another party steals your photos you have solid evidence to prove your claim.

Without registration it can be very difficult, and often impossible, to prove ownership if another person claims the photo belongs to them. When a work is not protected by copyright law, it is considered to be in the “public domain” and anyone may use the work without permission.

Time is ripe for the Criminalisation of “Revenge Porn” in Kenya

The internet has changed the landscape in which a breach of privacy, such as non-consensual pornography, may occur. When misused, technology has the ability to aggravate the harm associated with this breach of privacy. Perpetrators can be anonymous, disconnecting them from their victim and the consequences of their actions, at the same time creating a sense of helplessness for the victim.[1]

Revenge porn, also referred to as non-consensual pornography, describes the sharing of images or video footage of a sexual nature without the consent of the subject. Such a situation may originate in a number of ways: through a non-consensual recording such as a hidden camera,[2] through a consensual recording that is then stolen,[3] for example by computer hacking, or through a consensual recording that is then intentionally transmitted without the consent of the subject.[4]

Burris (2010) further expounds her definition of revenge porn to include a description of an intimate image or video that is initially shared within the context of a private relationship but is later publicly disclosed, usually on the Internet, without the consent of the individual featured in the explicit graphic.

The non-consensual distribution of pornography converts unwilling citizens into sexual commodities subjected to public humiliation.[5] Often, the distributor adds an additional layer of harassment and humiliation by including personal information along with the private image.[6] Including identifying information ensures that internet searches of the victim’s name will produce the image, which increases the chance that the victim’s employers, friends, and family will be exposed to the humiliation.[7]

Available remedies

Enforcement of copyright

Victims of revenge porn may have some recourse under copyright law, although only if they can establish authorship of the image or video.

Generally, photographs and videos are protected as artistic works under the Copyright Act.[8] Where the victim of the revenge porn authored the image or video, they will own the copyright in the image in question.

Infringements could also constitute a criminal offence in the event that the infringer has attempted to financially profit from the publication. Moreover, other international law issues may arise due to the non-territorial nature of the internet, meaning that a claimant’s rights are further limited depending on the jurisdiction in which the images were uploaded.

However, copyright is not a panacea. This is because copyright’s remedies are unavailable to victims who did not take the revenge porn photos or videos themselves.

Breach of Privacy

The common law tort of breach of confidence may offer remedies where private images have been published without consent, as this type of civil action protects confidential information both within and outside marriage.[9] In addition, those who share such images or videos could be pursued for breach of confidence, since it is possible to imply an obligation of confidence on them even if they are not in a relationship of confidence with the victim.

The issue, then, is whether a person is entitled to have his privacy protected by the court, since the law protects against violations of a citizen’s autonomy, dignity and self-esteem. Furthermore, the court will consider whether the subject had a reasonable expectation that the images would remain private and confidential.

Images taken by the subject (known as “selfies”) or by the partner and shared with each other through a technological medium such as picture messaging, undoubtedly fall within the sphere of confidential or private information.[10] Tugendhat J in Contostavlos v Mendahum observed that it has long been recognised that details of a person’s sexual life are high on the list of matters that may be protected by non-disclosure orders.

One of the greatest problems facing victims of revenge porn in our jurisdiction is the inability of the enforcement authorities to act fast enough to counter the speed at which these images and videos are shared across the internet. This is because once the initial post has been uploaded on a webpage, it can be shared through social media platforms like Twitter, Facebook and WhatsApp, initially among friends, thereby generating viral buzz. The dynamic nature of the Internet means that as soon as infringing content is removed from one source, it “pops up” elsewhere.

Furthermore, civil actions require victims to bring claims under their own name while the revealing photos are still available and searchable online. As a result, civil actions may draw further attention to the very photos victims wished were not public in the first place. As was shown in the case of Roshanara Ebrahim v Ashleys Kenya Limited & 3 others [2016] eKLR, the High Court considered a petition filed by Ebrahim, who was crowned Miss World Kenya 2015 and subsequently dethroned on the basis of nude photographs of her allegedly given to the Miss World Kenya organisers by Ebrahim’s boyfriend. The court did not, however, award her damages, as she was not able to prove breach of privacy.

Victims of non-consensual pornography are currently not adequately protected from these practices and the resulting harm, especially as the civil remedies take a reactive rather than a proactive approach: remedies can most often only be sought after the damage has already been done.[11]

Cyber Security and Protection Bill 2016

Section 28 of the proposed Bill provides as follows:

‘A person who transfers, publishes, or disseminates, including making a digital depiction available for distribution or downloading through a telecommunications network or through any other means of transferring data to a computer, the intimate image of another person commits an offence and is liable, on conviction to a term of imprisonment not exceeding thirty years or fine not exceeding three hundred thousand shillings or both.’

The above section 28 of the Cyber Security Bill makes publication an offence without any intent requirement at all. The provision is unduly broad, restrictive and open to subjective interpretation and abuse. At thirty years of imprisonment, the punishment is disproportionate.


Due to the severe, far-reaching effects that non-consensual pornography has on its victims, it is important that the issues surrounding it are resolved quickly in order to prevent it from occurring altogether. Even though civil actions such as breach of confidence or copyright infringement suits are open to victims, they have numerous problems, such as the fact that many victims do not have the financial means to pursue legal action, let alone to finance the entire litigation process in the event of a loss. Criminalizing revenge porn provides stronger deterrence against future perpetrators, shields victims from the publicity of civil cases, and indicates societal condemnation.



[1] Claudia Smith, ‘Revenge Porn Or Consent And Privacy: An Analysis Of The Harmful Digital Communications Act 2015’ (Undergraduate LLB, Victoria University of Wellington 2015).

[2] Ibid pg 5

[3] Ibid

[4] Ibid

[5] Aubrey Burris, ‘Hell Hath No Fury Like A Woman Porned: Revenge Porn And The Need For A Federal Nonconsensual Pornography Statute’ (2014) 66 Florida Law Review.

[6] Ibid

[7] Ibid

[8] Copyright Act 2001, Laws of Kenya

[9] Mitchell, J., ‘Censorship in cyberspace: closing the net on “revenge porn”’ Entertainment Law Review (2014) 25(8), 283-290 at 284.

[10] Contostavlos v Mendahum [2012] EWHC 850 (QB) at [25].

[11] A v B Plc [2002] EWCA Civ 337 at para. 7.

Admissibility of Electronic Evidence in Kenya

The advent of technological development and the consequent evolution of paperless transactions have permeated every sphere of life, and the legal system is no exception: in the event of disputes involving transactions conducted through electronic means, parties are bound to rely on electronic evidence of such transactions.

The Kenyan Evidence Act (Cap 80, Laws of Kenya) recognizes and endorses the use of electronic evidence in Kenya, and it sets out the conditions for the admissibility of such evidence. On the question of admissibility, section 78A of the Act provides:

78A. Admissibility of electronic and digital evidence

(1) In any legal proceedings, electronic messages and digital material shall be admissible as evidence.

(2) The court shall not deny admissibility of evidence under subsection (1) only on the ground that it is not in its original form.

(3) In estimating the weight, if any, to be attached to electronic and digital evidence, under subsection (1), regard shall be had to—

(a) the reliability of the manner in which the electronic and digital evidence was generated, stored or communicated;

(b) the reliability of the manner in which the integrity of the electronic and digital evidence was maintained;

(c) the manner in which the originator of the electronic and digital evidence was identified; and

(d) any other relevant factor.

(4) Electronic and digital evidence generated by a person in the ordinary course of business, or a copy or printout of or an extract from the electronic and digital evidence certified to be correct by a person in the service of such person, is on its mere production in any civil, criminal, administrative or disciplinary proceedings under any law, the rules of a self-regulatory organization or any other law or the common law, admissible in evidence against any person and rebuttable proof of the facts contained in such record, copy, printout or extract.

My understanding of this section is that it makes explicit that electronic messages are admissible as evidence in Kenya provided that they satisfy the other requirements for such admission. This section does not obviate the need for establishing the relevance of the proposed evidence in the same way it does not excuse the need for authentication of the proposed evidence. This section is also helpful in codifying the factors to be taken into account in assessing the weight to be given to an authenticated and admitted electronic message.

The conditions upon which such electronic evidence is admissible are set out in section 106B of the same Act. Section 106B(1) provides as follows:

“106B(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied on optical or electro-magnetic media produced by a computer (herein referred to as computer output) shall be deemed to be also a document if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein where direct evidence would be admissible.”

Section 106B(2) provides that:

“The conditions mentioned in sub section (1) in respect of a computer output are the following:

  (a) the computer output containing the information was produced by the computer during the period over which the computer was used to store or process the information for any activities regularly carried out over that period by a person having lawful control over the use of the computer;
  (b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;
  (c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and
  (d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.”

Sections 106A and 106B mean that any information stored in a computer which is then printed or copied onto optical media such as a CD shall be treated like documentary evidence and will be admissible as evidence without production of the original. However, section 106B also provides that such electronic evidence will only be admissible if the conditions laid out in that provision are satisfied. Section 106B(4) provides:

“In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following –

(a) identifying the electronic record containing the statement and describing the manner in which it was produced;

(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;

(c) dealing with any matters to which conditions mentioned in subsection (2) relate; and

(d) purporting to be signed by a person occupying a responsible position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate and for the purpose of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge of the person stating it.”

This provision makes clear that, for electronic evidence to be admissible, it must be accompanied by a certificate in terms of section 106B(4).

Communications Authority of Kenya Guidelines on SIM Cards

The Communications Authority of Kenya has issued new directives on SIM registration, stating that members of the public should not use unregistered SIM cards. They also state that the public should not purchase SIM cards from hawkers and that, in the event that they purchase a SIM card, they must demand that it be registered with their particulars, including their ID card. Members of the general public are further asked to report lost SIM cards to the police and obtain an abstract for the same. The Authority further states that failure to comply with these rules would lead to a six-month jail term or a fine of Kshs. 100,000.

Here is the statement:




Tips to prevent SIM-swap fraud


1. If you stop receiving calls or texts, and you don’t know why, check in with your mobile operator immediately.
2. Never disclose your Internet banking password or personal identification number (PIN) to anyone. Even your bank will never ask for this.
3. Keep personal details – such as your phone number, date of birth or things like your first car and maiden name – off social media like Facebook. This means scammers can’t impersonate you easily.
4. Ask your bank to give you details of every financial transaction through two channels – for instance, SMS as well as email alerts.
5. Use a separate email address for your Online Banking account and financial transactions from your social media accounts.
6. Never switch off your smartphone in the event of receiving numerous unknown calls. It could be a ploy to get you to turn off your phone and prevent you from noticing a tampered network connection. Even if you are frustrated by such events, do not switch off your smartphone.

What to do in the event you become a victim of SIM swap fraud

In my previous blog post I spoke about the process of SIM swap and how it is used to defraud unsuspecting individuals of moneys from their accounts without their knowledge.

Today I’ll be talking about what to do in the event that you suspect you have become a victim of SIM swap. These are just stop-gap measures, since there is no foolproof plan to prevent the same.

If you suspect you are the victim of a SIM swap scam, immediately call your mobile network operator for assistance. Be sure to call the right department. They may also have a form on their website for dealing with cases of fraud, which you can fill in, and they will assist you in an investigation of the matter.

Also make sure to call the appropriate department at your bank, and suspend all activity on your bank account, essentially locking it, so that nobody is even able to log in to your online banking profile.

If you are able to, you may consider accessing your online banking account and changing your password, as well as changing your associated email address and mobile phone number, so that the notifications and confirmation SMSes would arrive at a new number and email address. So even if the criminals succeed with the SIM swap operation, the number they have is no longer linked to your bank account. But I would more readily recommend that you just suspend activity on your account, especially in a panic situation or if you are unsure how to go about doing all of that.

If money ends up getting taken out of your account, then you need to open a case with the police for theft, preferably within 48 hours of the fraudulent transfer or withdrawal of funds having taken place. During this process you may receive documentation from your bank’s claims department, which will aid in the investigation.

You might get your money back, and you might not. The banks claim that recourse depends on the circumstances of each case. In fact, some flat out refuse to reimburse a client, often claiming that it was the client’s fault – that they did something to help facilitate the theft. If you are fighting an uphill battle, it may be a good idea to get legal advice on the matter.