The Draft Data Protection (Amendment) Bill, 2025—developed by the Data Privacy and Governance Society of Kenya (DPGSK)—marks a bold and timely step towards reinforcing privacy rights, enhancing oversight, and aligning national standards with international best practices. Here is what you need to know and why it matters.
The proposed Amendments
The definition of sensitive personal data is proposed to include political opinions and trade union memberships. This proposal aligns with Article 9(1) of the GDPR, hence the adoption of international best practice.
Section 8(1) is proposed to include additional subsections (l), (m) & (n), adding more powers to the ODPC to develop a framework for data protection training, accreditation of data protection trainers and offering of advisory roles. This proposal will have the effect of harmonising existing institutional autonomy in matters of accreditation and capacity-building as relates to players in data protection.
Section 8(2) is proposed to be repealed to exclude the collaboration of the ODPC with security organs. This means that the ODPC cannot, in exercise of its statutory functions, collaborate with national security organs at will, hence accord additional protection to consumers.
Section 25 is proposed to include additional subsections (i) and (j). If the proposal goes through, data controllers and data processors will be compelled to show appropriate security measures and demonstrate compliance with the Act. The implication being that this is a new compliance requirement.
Section 26 is proposed to include new subsections (f) and (g) to include data portability and the right to profiling by automated decision-making. This proposal assures additional safeguards for the data subjects.
Data security and privacy of consumers are enhanced by the proposed repeal of Section 30(1)(b)(v), which provides for access to data by public authorities for any performance of a duty. The proposal thus seeks to curtail this wide scope available to public authorities and only limit their access to data for specific reasons allowable by a statutory requirement.
Section 54 is proposed to be repealed and instead be replaced by a provision limiting the Commissioner’s power to exempt compliance with any provisions of the Act, allowable only as provided by Regulations. This proposal will strip off the commissioner of the discretion that is currently enjoyed in exempting compliance with provisions of the Act.
Section 56 is proposed to be amended to replace the words “data subject” with “any person”, thus broadening the scope of those who can lodge a complaint to the Commissioner to include legal persons in addition to natural persons.
Section 63 is proposed to be amended to replace the word “lower” with “higher” in order to impose the maximum financial exposure to those guilty of violation of any provisions of the Act.
There is a proposed establishment of a Data Protection Appeals Tribunal by the introduction of new Sections 64A- 64F. This tribunal will be clothed with powers, including punishing for contempt of its orders. The tribunal will ensure efficiency in the resolution of matters since it is contemplated to dispense with matters under 60 days. This tribunal will also reduce the number of matters at the High Court and Court of Appeal arising from the decisions of the Commissioner.
Conclusion.
The proposals are welcome, and if they go through, they would definitely shape the data protection and privacy ecosystem.
This article is provided free of charge for information purposes only; it does not constitute legal advice and should be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact Data Protection & ICT Department at WAICTLaw@wamaeallen.com
Virginiah is a promising transactional advocate specializing in Real Estate and SeVirginiah is a seasoned Advocate with great expertise of more than three years in Real Estate, Banking and Finance, Commercial and Corporate Law. She is a focused and self-motivated advocate successful at strategically managing operations with proven team performance. She is a highly organized, excellent communicator, detail-oriented, leader skilled in directing high-performing teams to develop solutions and solve operational and technical problems. Her prowess has benefitted the firm by way of greater client acquisition, client management, and client retention.curitization, Banking and Finance.
Najib is an Associate in the Real Estate and Securitization Department.
He has knowledge and understanding in Real Estate Financing and Securitization, Corporate M&A, Company Restructuring, Regulatory and Compliance Solutions, Corporate Governance Advisory and Support Services, Investments and Financial Markets as well as ICT law. He also has special interest in Cyber Security & Data Privacy, AI & Data Governance and Smart Contracts & Blockchain Technology.
Loading...
Reload document 
Open in new tab 
