Analysis of The Data Protection Act, 2019 Vis-à-Vis the Law Governing CCTV Surveillance Systems in Kenya



The introduction of Kenya’s first Data Protection Act, 2019 (“the Act”), brought an end to the era of navigating the murky waters of the previous disjointed frameworks of data protection legislation.

The Act is a comprehensive statute that governs the collection, processing and storage of personal data by the government and private entities. It establishes an ecosystem of rights and obligations that operationalizes the Right to Privacy enshrined in the Kenyan Constitution under Article 31.

The importance of the Act in Kenya cannot be overstated. The Act provides legal protection for personal data and ensures that individuals have control over their personal information. The following are some of the key reasons why the Act is important in Kenya:

  1. Protecting the Privacy of Individuals – The Act provides legal protection for the privacy of individuals by ensuring that their personal data is processed (including storage, dissemination and transfer) lawfully, transparently and in the spirit of Article 31 of the Constitution of Kenya, 2010. This means that entities that process personal data must provide individuals with clear information on how their data is being collected, processed, and used.
  2. Regulating the Use of Personal Data – The Data Protection Act 2019 regulates the use of personal data by both private and public entities, known as data controllers and data processors. It requires the data controllers and processors to obtain consent from individuals before collecting and using their personal data. Additionally, the Act provides individuals with the right to access their personal data and request that it be deleted if they so choose.
  3. Promoting Business and Economic Growth – The Act promotes business and economic growth by providing legal certainty for data controllers and processors that collect and use personal data. It enables these entities to build trust with their customers by demonstrating that they are handling their personal data in a responsible and transparent manner. This can lead to increased customer loyalty and repeat business.
  4. Strengthening Cybersecurity – The Act also strengthens cybersecurity by requiring public and private entities to implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, or destruction. This includes measures such as encryption, access controls, and regular data backups. Furthermore, the Act seeks to protect any personal data transferred outside Kenyan borders by requiring entities to put appropriate safeguards in place for such transfers.
  5. Aligning with Global Standards – The Data Protection Act, 2019 aligns with global data protection standards, such as the General Data Protection Regulation, and ensures that Kenya is keeping pace with international data protection best practices. This is important for businesses that operate across borders and need to comply with multiple data protection laws.


A legitimate aim being pursued by the Act is national security. The Act regulates the use of CCTV cameras both privately and publicly.

The abbreviation CCTV stands for Closed Circuit Television: a number of video cameras that transmit a signal to a particular place, on a specific set of monitors. It follows from this definition that CCTV cameras capture information about each and every person as they move around public places, and also in the private sphere, where the cameras are often used for domestic needs such as watching over children (the so-called nanny cams).

The Law on CCTV Surveillance

1. Consent

The concept of consent strikes a nerve when it comes to data protection. ‘Consent’ to the processing of personal data by the data subject must be an express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action.

Before personal data is processed, the consent of the data subject must first be sought for the specific purpose for which the data is collected. Any additional purposes will require fresh consent.

Section 32 of the Act provides that:

“(1) A data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose.

(2) Unless otherwise provided under this Act, a data subject shall have the right to withdraw consent at any time.

(3) The withdrawal of consent under sub-section (2) shall not affect the lawfulness of processing based on prior consent before its withdrawal.

(4) In determining whether consent was freely given, account shall be taken of whether, among others, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

It is clear that data controllers and data processors can no longer rely on implied consent to process personal data. It is not yet clear, however, whether a company may rely upon pre-ticked boxes or any other default method of consent, or whether a positive opt-in will be required instead. The recommended course is for data controllers and data processors to review their existing consent practices.

Further, Section 25 of the Act provides that personal data is required to be processed in accordance with the right to privacy, that is, in a lawful, fair and transparent manner. Data controllers and processors can retain data only for as long as reasonably required for the original purpose for which it was collected, with certain exceptions carved out by Section 39.

The purpose for which any personal data is collected is required to be “explicit, specified and legitimate”. The Act requires personal data to be accurate, updated, and not to be kept in a form which identifies the data subject for any longer than necessary for the purposes for which it was collected.

2. Individual Rights

Data subjects enjoy a range of rights under the Act. Section 26 of the Act provides that data subjects have the right to be informed of the use to which their data is put, to access their data that is in the custody of the data controller or processor, to object to the processing of personal data, and to correct or delete false or misleading data.

Data subjects also enjoy the right to request a data controller or processor to rectify data that is inaccurate or misleading and to delete data that has outlived its authorized use or was collected illegally.

The Act applies to the processing of personal data by a data controller or data processor who uses automated or non-automated means. Where personal data is processed by non-automated means, the Act applies where the recorded data forms a whole or part of a filing system by a data controller or data processor who:

(a) is established or ordinarily resident in Kenya and processes personal data while in Kenya; or

(b) is not established or ordinarily resident in Kenya, but processes personal data of data subjects located in Kenya.

The previous versions of the Act applied certain geographical provisions and qualifications to processing by both automated and non-automated means. The geographical restrictions now only expressly and specifically apply to processing by non-automated means.

As a result, and in the absence of these clear geographic references, there is arguably some ambiguity as to whether or not the Act applies to foreign data processors or data controllers.

This therefore calls on all data controllers and data processors carrying out any processing activities involving the personal data of Kenyan data subjects to ensure that they comply with the provisions of the Act.

Notably, all data controllers and data processors (processing by both automated and non-automated means) must hold a valid registration with the Data Commissioner. This is provided for under Part III of the Act, which further specifies the information to be provided by the data controller and data processor in the application for registration.

There are clear indications throughout the Act that data controllers and data processors must have adequate and sufficient safeguards, security measures and mechanisms in place.

Included within the application requirements is a new proviso requiring the applicant (i.e. the data controller or data processor) to indicate what measures are in place to indemnify the data subject from unlawful use. The indemnification obligation is a further sign that data controllers and data processors will be held accountable for any encroachment of a data subject’s rights and interests to his or her personal data.


The means applied in using CCTV cameras, however, do not all seem to be rationally connected to ensuring national security, and neither do they impair privacy in the least way possible. To begin with, the Act applies to all CCTVs, both private and public. This is problematic, seeing as not all CCTV installations may be geared toward national security, especially in the private sphere where they are often used for domestic needs such as watching over children. For instance, the reader may recall several instances where CCTVs, popularly known as nanny cams, have brought to the fore child abuse by caregivers. Further, it provides for liaison between all CCTV systems and law enforcement agencies, who should be granted access, connection and interrogation mechanisms. All CCTV owners are to maintain documentation detailing their site plans showing CCTV placement. These measures give law enforcement unfettered access to CCTVs, as there are no guidelines given as to when such access may or may not be granted.

Notably, the requirement that site plans be maintained and shared is also intrusive, especially for private owners. The policy requires all businesses and premises within public areas to have CCTVs. Kenya has a variety of businesses, ranging from informal establishments (known as jua kali) to small and medium enterprises and big corporations. Given the disparity between different businesses in the country, it may not be possible for many to meet the compliance cost of installing and maintaining CCTVs in their premises, nor equitable to require them to.

This leaves room for abuse and arbitrariness.


The UK has a Data Protection Act whose purpose is to ensure that the data collected by CCTV cameras is used solely for the purpose for which it was collected. The purpose referred to is that of helping to find out the identity of a person, or monitoring.

The first of the data protection principles provides that data collected should be processed fairly and lawfully. It further provides that data collectors should have legitimate grounds for collecting and using individuals’ personal data, in this case especially data collected from CCTV footage. They should also not use the data in ways that have unjustified adverse effects on the individuals concerned or appearing in the CCTV footage.

The data controllers should also be transparent about how they intend to use the personal data collected and give the concerned individuals appropriate privacy notices when collecting their data as is required during the installation of CCTV cameras in public places. They should also handle the personal data only in ways that they would reasonably expect and make sure they do not do anything unlawful with the data.

Secondly, any organizations involved in collection of personal data should be open about their purpose for obtaining personal data. The Data Protection Act provides that “personal data should be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.”

This principle means that organizations should be clear from the onset about what they intend to do with the personal data they are collecting, especially that from CCTV footage in our case. They should also be able to give privacy notices to individuals when collecting their data. After that they should lodge a notice with the office of the information commissioner so as to cover the purpose of use. They should ensure that if they wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

Thirdly, personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are being processed. The data protection principles provide for the adequacy of the data collected. In practice it means that data controllers should hold personal data about an individual that is sufficient for the purpose for which they are holding it. For instance, the people who are in a CCTV control room should hold only footage that is necessary and delete the unnecessary footage. They should not hold more information than they need for security purposes.

Data controllers should not retain personal data longer than is necessary. This practically means that data controllers only hold personal data for a short period of time. In cases of CCTV footages, the data collected should possibly be stored for an approximate period of the months on a maximum although the Data Protection Act is silent on that. However, they can keep the data for a longer period if it is needed as evidence in a case which is ongoing in court.

Data controllers should securely delete any personal data once they are done with it and when the purpose for which they had collected it is done. The Data Protection Act gives rights to individuals in respect of personal data that organizations hold about them. It provides that “personal data shall be processed in accordance to the rights of the data subjects under the act.”

This principle provides that data subjects have a right to access the copy of information which is being held about them. They also have a right to object to any processing of their personal data if they have reasons to believe that it is likely to cause damage unless in instances when their data is being used as evidence. The data subjects have a right to claim for compensation for damages caused by a breach of their rights under the act.

Principle seven of the data protection principles deals with security. The Data Protection Act provides that “appropriate technical and organizational measures shall be taken against unlawful processing of personal data and against accidental loss or destruction of or damage to personal property.”

In practice this means that organizations that have CCTV cameras installed in their premises should have in place appropriate security to prevent the data from being accidentally or deliberately compromised. They will need to have in place specific security measures as to what persons should access the CCTV control room and that there is adequate security. They should also be ready to respond to any breaches of the security swiftly and effectively.

Personal data shall also not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data. In practice data controllers should consider whether it is possible to achieve their objective without sending personal data abroad.

They should ensure that they comply with all the other data protection principles before sending personal data abroad. They should also check to ensure that the country or territory where they are sending the personal data provides for adequate protection of the processing of personal data.

The location of the cameras is also an important aspect of ensuring that images are captured in the manner specified. To achieve this, the CCTV should only be used to monitor the intended space. Domestic owners also need to be consulted in cases where they border premises which are being surveyed. The camera systems should be restricted where possible so that they cannot overlook what they are not intended to view. Signs informing the public that they are entering areas covered by CCTV cameras should be clear, visible and legible for all to see. These signs are meant to ensure that the public is informed of the presence of CCTV cameras, so that they cannot later claim that their right to privacy was infringed when they impliedly consented by entering, of their own accord, areas which are under CCTV surveillance.


To sum up, the use of CCTV surveillance cameras is beneficial only for curbing crime in the country. Any unwarranted use of the same places an undue limitation on the privacy of the people of Kenya. Article 31 of the Constitution of Kenya as read together with Article 2 states that Kenya’s international obligations, such as its commitment to the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, which include privacy rights, are part of Kenyan domestic law.

By Mwanga M.

This Article is provided free of charge for information purposes only; it does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact us on
