Kenya’s Data Protection Act, 2019, provides legal guidelines on how collected data should be handled when the data controller or apps are about to shut down.
The act, together with the Data Protection (General) Regulations, 2021, imposes strict, enforceable obligations on the company behind the app to ensure that consumer rights are observed.
Under the Data Protection Regulations, 2021, issued by the Office of the Data Protection Commissioner (ODPC), all Kenyan apps, whether operating locally or abroad, are subject to the law.
Apps that process data belonging to Kenyan residents, upon shutting down, are not supposed to process the data for any reason other than the specific purpose for which it was initially collected, according to Section 25 of the act.
Additionally, the storage limitation principle in the act requires that personal data be retained only for as long as necessary for the original purpose and be removed once the app ceases operations.
“A data controller or data processor shall … erase, delete, anonymize or pseudonymize personal data upon the lapse of the purpose for which the personal data was collected,” Regulation 19 of the Data Protection Regulations, 2021 states.
In addition to deleting the data, the data controller is obliged to maintain a written data retention schedule, conduct periodic reviews, and permanently delete or anonymize any information that no longer serves a lawful purpose.
Rights of App User
Under Section 40 of the DPA and Regulation 12 of the General Regulations, a user has the right to erasure, which entails the complete deletion of user data.
A company is expected to respond to a request to exercise the right to erasure or rectification within 14 days, and the continued retention of the user’s data once consent is withdrawn is unlawful.
Additionally, all app users are entitled to the right to data portability, allowing users to receive their information in a structured, machine-readable format before deletion.
Further, the law states that users should be informed in advance of the app’s shutdown so they can decide how to handle their data.
The user’s rights apply even when the app’s privacy policy claims otherwise, as the Data Protection Act overrides any conflicting contract terms.
Apps Shutdown Procedure
A compliant shutdown follows a predictable sequence according to the law, which involves the company notifying the users via email, in-app messages, or a public statement.
The notification should explain the closure and how user data will be handled following the closure.
In addition to the notification, the company is expected to offer users a reasonable opportunity to download or export their information.
Once the service ends, the company should, under the law, stop all further processing by either deleting the data or rendering it permanently anonymous.
However, if the company is being liquidated or wound up, the liquidators or administrators remain fully bound by the Data Protection Act.
Despite the law advocating for the deletion of data, limited retention is permitted for legal obligations, such as tax records required under the Kenya Revenue Authority rules or accounting documents.
In such cases, only minimal data can be retained, for a limited time, during which it is securely protected and anonymized.
Penalties for Data Breaches
Any complaint about data breaches by the data controller is investigated by the ODPC, and law enforcement may be initiated, during which the app user may pursue action against the perpetrator.
An administrative fine of up to KSh 5 million or 1% of the company’s annual turnover may be imposed by the Commissioner if a company does not comply with the law.
In other instances, the company must compensate the affected user for distress or loss resulting from data breaches.
The ODPC advises app users to review the app’s privacy policy to avoid data violations and promote accountability.





