Your Privacy Matters: Data Privacy Day 2025

Data Privacy Day is observed on 28 January to raise awareness about online privacy and data protection and encourage individuals to protect personal information globally. It reminds us of our privacy rights and the necessity to protect our information from misuse. Data protection is essential because it helps to protect data and prevent loss through unauthorised access or theft. It also ensures the confidentiality and integrity of data.
The law
According to the Constitution of Kenya, the right to data protection is enshrined in Article 31(c) and (d), which guarantees the right to privacy, including the right not to have information relating to one’s family or private affairs unnecessarily revealed. This provides the legal foundation for data protection laws in Kenya. The Data Protection Act of 2019 gives effect to Article 31(c) and (d) of the Constitution to establish the Office of the Data Protection Commissioner, to make provision for the regulation of the processing of personal data, to provide for the rights of data subjects and obligations of data controllers and processors.
Data protection must be considered alongside equality and non-discrimination principles. When protecting personal data, measures should ensure no individual is unfairly disadvantaged based on age, gender, disability, culture, health status, or social status, effectively upholding the right to equality and freedom from discrimination in the digital space.
Katiba Institute’s work around Data Protection
In November 2024, Katiba Institute filed a Petition challenging the constitutionality of the public notices issued by the Communications Authority of Kenya (CA) and Kenya Revenue Authority (KRA) posted on their websites on 24 October 2024 and 5 November, respectively. In the notices, the agencies required all individuals to register their International Mobile Equipment Identity (IMEI) Numbers. IMEI numbers are uniquely and irrevocably tied to the hardware of a mobile phone. The numbers allow mobile phone providers to pinpoint an individual’s location within a 100-meter radius and give insight into a person’s communication history. KI urged that the move was against the Data Protection Act—section 31 of the Data Protection Act Cap. 411C requires a data controller or a data processor to conduct a data impact assessment before processing personal data where the processing might pose a right to a data subject’s fundamental rights and freedoms. The Respondents were thus obligated to conduct a data impact assessment before publishing the notices/regulations. Without a data impact assessment, the risk of violating the right to privacy and other fundamental rights and freedoms remains unmitigated.
Katiba Institute also challenged the implementation of Huduma Namba, arguing that it violated the Data Protection Act.
Emerging Technologies and Data Protection
Emerging technologies have significantly impacted data protection. While they offer new ways to secure data, they raise privacy concerns and regulation complexities. Katiba Institute’s Executive Director, Nora Mbagathi, emphasises the need for safeguards to protect data.
“With emerging technologies, the importance lies in privacy by design because the law can’t fix what technology has broken, so the safeguards have to be built into the system,” Nora notes.
“A strong data protection framework can empower individuals, restrain harmful data practices, and limit data exploitation. It is essential to provide the much-needed governance frameworks nationally and globally to ensure individuals have strong rights over their data, stringent obligations are imposed on those processing personal data (in both the public and private sectors), and strong enforcement powers can be used against those who breach these obligations and protections.”
– From A Guide for Policy Engagement on Data Protection, Privacy International
By Kevin Mabonga