In March of 2019, the active number of mobile subscriptions in Kenya stood at 51 million, up from 49.5 million in the previous quarter (and over and above the country’s population of 47.6 million). By June, the Kenyan government allocated 12 billion shillings ($117.8m) to the Konza Technopolis project, a world-class smart city with commercial and residential housing, a data center, and universities for science and information technology.
Then, in November, Kenyan President Uhuru Kenyatta approved the country’s first data protection law. This is one of the most significant developments in the Silicon Savannah this year, protecting citizens online and further readying the Kenyan tech ecosystem for an opportunity. The move also shows that protecting private data is now considered a sign of global readiness. How ready? The Silicon Savannah tech ecosystem is valued at over $1 billion.
Kenya’s First Data Protection Law
Kenya’s Information Minister Joe Muchero has stated the new data protection law complies with the EU’s General Data Protection Regulation (GDPR). In reality, such a claim has little practical meaning without a formal adequacy decision for the EU Commission, which currently remains a distant prospect until more detailed legislation is introduced. The law shares a lot of the same features as GDPR, including an independent office to investigate infringements and a maximum fine: 3 million shillings ($29,283) or two years in jail.
Like GDPR, the law governs how consumer data can be collected, shared, and stored. Reuters mentions companies like Kenya Airways, as well as the country’s hospitality and technology sectors will be among those that need to comply with the law.
Where there is data, there will inevitably be data misuse, and the East African nation is no exception. As Kenya’s digital ecosystem has grown, particularly the digital loan and payments market for which it is most widely known, so too have the reports of companies collecting consumer data without consent to make decisions about creditworthiness, etc. The new law provides more robust protection for Kenyan citizens from predatory and exploitative practices involving their personal data.
Attracting Tech Investment Like AWS
In addition to consumer protections, Kenya’s data privacy law aims to attract investment from other parts of the world in its burgeoning ecosystem. Already, Amazon Web Services (AWS, and an Auth0 partner) has announced it will set up an ‘edge location’ in Nairobi, its first outside of South Africa.
Edge locations deliver content at the edge of the network to customers with lower latency connections. AWS has already established two of these locations in Johannesburg and Cape Town, and announced plans to open a data center in South Africa next year. The latter will give African companies more choice, and ultimately greater control over where personal information is stored and processed, a demand that is being driven by the continent’s nascent data sovereignty requirements.
Auth0 is also making Kenya and Africa a focus area for 2020, delivering robust, yet simple identity management capabilities to entrepreneurs across the continent. Auth0 looks forward to leveraging its relationship with AWS as its cloud infrastructure provider, to be able to offer African customers a more regional choice in respect to data center locations.
Setting the Standard for a Continent
Kenya’s law is the latest in a global movement toward data privacy. All around the world, the proliferation of consumer data protection legislation is raising the bar for tech companies to design their products with privacy in mind. We expect Kenya’s startup ecosystem with its heavyweights like Safaricom M-PESA and solar energy company, M-KOPA, will embrace this challenge. When mobile subscriptions outpace the total population, investing in privacy is key to growth.
About the author
Jonathan Keen
Associate General Counsel