By late November, as most individuals and businesses shift into holiday mode, data compliance might not be top of mind. However, in November 2024, the High Court of Kenya issued a landmark ruling that jolted the compliance world awake, spotlighting the critical importance of adhering to data protection laws when transferring sensitive personal data beyond Kenya’s borders.

This ruling is a game-changer for organizations handling personal data in Kenya, setting a precedent that reverberates across industries. The court provided long-overdue clarity on Section 48 of the Data Protection Act 2019, making it unequivocally clear that obtaining prior approval from the Data Commissioner is mandatory when transferring sensitive personal data outside Kenya—regardless of whether the data subjects have provided consent or whether any complaints have been raised.

Case in Point

The High Court judgment in the case of Federation of Kenya Employers v Cabinet Secretary, Ministry of Foreign Affairs and International Relations & 4 Others; Law Society of Kenya (Interested Party) (Petition E085 of 2023) [2023] KEELRC [3067] (KLR) (30 November 2023) (Judgment) cemented the legal interpretation of Section 48. The case revolved around the transfer of sensitive personal data outside Kenya without the necessary approvals from the Data Commissioner. The court ruled that such actions violated the core principles of the Data Protection Act 2019, which seeks to safeguard the rights and privacy of data subjects.

<aside> ➡️

FKE vs. Ministry of Foreign Affairs and International Relations & 4 Others

</aside>

This ruling confirms Kenya’s commitment to aligning its data protection framework with global best practices. It also signals to businesses operating within the country that compliance with local laws is not negotiable.

What Does This Mean for Compliance Professionals?

For compliance professionals and organizations handling sensitive personal data, the implications of this ruling are significant. It is no longer sufficient to simply rely on the consent of data subjects or the absence of complaints. The onus is squarely on organizations to ensure full compliance with the law, particularly with regard to cross-border data transfers.

Here’s how compliance professionals can adapt to this evolving landscape:

  1. Understand your obligations: Compliance starts with a clear understanding of the legal requirements under the Data Protection Act 2019. Section 48 specifically mandates that approval from the Data Commissioner must be obtained before transferring sensitive personal data outside Kenya. This requirement applies regardless of:

    Compliance professionals must review their organization’s data handling processes to identify areas of risk. For instance:

  2. Seek Approvals Proactively.

    One of the most critical takeaways from this ruling is the need to secure approvals from the Data Commissioner before transferring sensitive personal data internationally. This step is often overlooked or underestimated, but it is now a legal necessity.

    When applying for approval, organizations must ensure their application explicitly addresses the requirements of Section 48. This includes providing detailed information about:

    Proactive compliance not only minimizes the risk of legal penalties but also builds trust with customers, partners, and regulators.

  3. Educate your teams.

    Compliance is not a one-person job; it requires a collective effort across the organization. Key stakeholders, including IT, legal, and operations teams, must be educated about the requirements of Section 48 and their role in ensuring compliance.

    Some practical steps include:

    Building a culture of compliance is critical to mitigating risks and ensuring long-term success.

  4. Engage Experts

    Navigating the complexities of data protection laws can be challenging, especially for organizations with limited legal or compliance expertise.

    Engaging external experts, such as legal advisors or data protection consultants, can provide valuable guidance on how to:

    1. Interpret the requirements of Section 48.
    2. Draft and submit approval applications to the Data Commissioner.
    3. Implement robust data protection measures to minimize risks.

    Investing in expert advice can save organizations from costly legal battles and reputational damage in the long run.

<aside> 💡

Looking for expert guidance on data protection compliance?

At MZIZI Africa, we specialize in helping organizations navigate the complexities of data protection laws, including Kenya’s Data Protection Act 2019. Whether you need assistance with obtaining approvals for cross-border data transfers, training your teams on compliance, or developing robust data protection strategies, our consulting and training services are here to support you. Let us help you stay compliant and protect your business.

📧 Contact us today at info@mzizi-africa.com to learn more.

</aside>

A Wake-Up Call for Businesses

This ruling is a wake-up call for businesses operating in Kenya and those managing Kenyan data from abroad. It emphasizes that compliance with data protection laws is not optional—it is a fundamental requirement for operating in today’s data-driven world.

As organizations scramble to align their practices with Section 48, the following questions must be addressed:

Failure to answer these questions affirmatively could expose organizations to significant legal and reputational risks.