How to not commit a crime: Specific criminal sanctions in data privacy

Privacy laws place specific responsibilities on specific individuals within their areas of focus, trusting that they will perform as required. Going against that established trust is therefore treated lightly only until the law turns to punishing those who wrong data subjects. The penalty for the commission of an offence under the Data Protection Act (DPA) is a fine not exceeding KES 3 million, an imprisonment term of ten years, or both. All you need to do is break the law to earn the stipulated reward in the form of penalties. This paper seeks to inform all players of the actions that may land them in that trap.

Data Protection Act, 2019

The venture into protecting data subjects’ rights is a cumbersome one. Compliance is a matter of great concern and the law is hard on perpetrators of breaches. The law requires that those entrusted with personal data, and at the extreme, sensitive personal data, handle it in accordance with the principles listed in Section 25.[1] The principles correspond to the requirements of Article 31 (c), which guarantees citizens the right to privacy of information relating to their personal affairs and those of their family.[2] Therefore, the Office of the Data Protection Commissioner (ODPC), as the custodian of privacy rights, has the power to penalise non-compliance to the extent that the provisions permit.

A quick glance at the Act reveals some offences whose penalties are not specified. However, Section 73 provides a general penalty that covers such offences.[3] The remaining offences are each labelled with the kind of punishment that the action attracts, separate from the general penalty. Also, some of the sanctions are provided for in the regulations that are put into effect by the prescribed relevant authority.

Charity begins at the ODPC: Section 11 prohibits unwarranted disclosure by the Data Commissioner or any other employee of any information collected in furtherance of the purposes of the Act.[4] To ensure that only compliant data controllers and data processors are in operation, registration with the Office of the Data Protection Commissioner is vital. In registering, they have to be truthful in stating the measures in place to ensure data privacy. They have to explain the kind of personal data to be collected, the targeted data subjects, the purpose of collection and the security measures, among other things. Knowingly providing false information under section 19 (2) is an offence.[5] The Data Commissioner may cancel the registration in that case. Another non-disclosure provision is directed at data processors who disclose personal data to third parties without the approval of the data controller. Disclosure of data that the processor acted upon without the knowledge of the controller is also an offence, as is gaining access to personal data without the approval of the controller. The take-home point is to ensure confidentiality in tandem with the law.

Processing personal data is only permitted within the confines of the law. According to the regulations, processing personal data without registering in accordance with the regulations, or providing false information to aid registration, is a crime.[6] Data subjects are entitled to know the use to which their data is put, to access it, and to have misinformation in it corrected. They can also halt processing of their data where this is authorised and necessary. Be that as it may, the data controller or data processor has to win the consent of the data subject before processing such data, or there has to exist another lawful basis that gives the green light, as discussed in Section 30 (1). It is the responsibility of the data processor to show that consent was freely given. Any unlawful processing of someone’s personal data is an offence. In the same vein, there is limited room for excuses, as all data processors are required to ensure that all their employees are sensitive to compliance.

In accordance with the Data Protection Act, if the Data Commissioner has reasonable grounds to believe that a provision of the Act has been contravened, they may issue an enforcement notice directing the responsible party to comply with the Act. Failure to comply with an enforcement notice without reasonable excuse is an offence under Section 58 of the Act, and upon conviction the offender may be subject to a fine of up to KES five million or imprisonment for a term of up to ten years, or both. It is important for all data handlers to understand and abide by the provisions of the Act to avoid any legal consequences. The enforcement notice should be acted upon before the expiry of the stated duration.[7]

Obstructing the Data Commissioner, without proper reason, while performing the statutory duty of investigation is also deemed an offence. Besides having the power to enter premises for the purpose of conducting investigations, the Data Commissioner may also invite a person by notice to assist in the same. It follows that the officer must not be hindered in the quest for the privacy of data subjects.

The health sector

Section 46 of the Data Protection Act gives grounds for processing personal data relating to the health of data subjects.[8] Largely, those engaged in the processing of health-related data are the health service providers. Even prior to the enactment of the Data Protection Act, there existed laws that urged practitioners to ensure confidentiality. Section 11 of the Health Act, for instance, requires that information relating to facility users be kept confidential unless the court orders disclosure or there is other due reason.[9] The HIV and AIDS Prevention and Control Act specifies that any breach of the provisions related to confidentiality is an offence, without a prescribed penalty. Pursuant to the Act, a person convicted of such an offence, for which no other penalty is specified, may be subject to imprisonment for a term not exceeding two years or a fine not exceeding KES 100,000. Health workers who have privileged access to patients’ records shall be accountable for maintaining the highest level of confidentiality and for ensuring that shared confidentiality is only practised in the interest of the patient.[10]

National Payment System Act

Under this Act, payment service providers are under an obligation to ensure the confidentiality of customer data. Undue disclosure of such information, other than as allowed by the Act under Section 42, attracts a monetary penalty of not more than KES 1,000,000.[11] The use of such personal information for personal gain is also prohibited, and commission of the same will be met by a fine of up to KES 500,000 or imprisonment of up to one year, or both. Failure by the service provider to put in place arrangements that ensure confidentiality in the provision of the service may lead to revocation of the operating licence.

Kenya Information Communications Act

The Kenya Information and Communications Act and the regulations issued under it impose penalties for various offences. A licensee who violates the requirements of any of the regulations, including those on privacy, commits an offence and is liable upon conviction to a fine not exceeding KES 300,000, imprisonment for a term not exceeding three years, or both. According to the SIM Card Regulations, any telecommunications operator who commits an offence regarding SIM card registration will be liable upon conviction to a fine not exceeding KES 5 million. Additionally, a person who commits an offence for which no specific penalty has been provided in the Kenya Information and Communications Act or the regulations issued under it will on conviction be liable to a fine not exceeding KES 300,000, imprisonment for a term not exceeding six months, or both.[12]
It’s important for data processors, data controllers and others involved to keep their noses clean and avoid breaking the law in the areas outlined above. The goal of this paper is not to give anyone ideas about how to commit crimes but to highlight potential pitfalls. It’s best to err on the side of caution and play it safe.

[1] Data Protection Act, 2019

[2] ibid

[3] ibid

[4] ibid

[5] ibid

[6] The Data Protection (General) Regulations, 2021

[7] Data Protection Act, 2019 Sec

[8] Data Protection Act, 2019 Sec 46

[9] Health Act, 2017 Sec 11

[10] Standards and Guidelines for Electronic Medical Records Systems in Kenya at pg. 82

[11] National Payment System Act, 2014 Sec 42.

[12] Nzilani Mweu, Kenya - Data Protection Overview, OneTrust DataGuidance, March 2023

Guest author The Platform Magazine