By Immaculate Kassait, Commissioner, Office of the Data Protection
Commission, via LinkedIn
During the drafting process of the Data Protection Regulations, data
localization was one area we received many queries about. Initially, we had
very stringent regulations that required data to be stored locally. But upon
receiving feedback from the stakeholders, we adjusted the requirements from
processing information in Kenya to having just a copy stored in the
country. The key questions we received on data localization were:
1. How do you insist on data localization in an era of cloud computing, with
the services not available in Kenya?
2. Does Kenya have the prerequisite infrastructure, i.e. tier three and above
data centers, and can we guarantee electricity flows, back-up, security, and
safety of people’s data?
The rationale behind data localization from a national security standpoint
is purely about the data sovereignty of a nation. Imagine going to your
bank to urgently get your statement for a visa application, then you’re told
you cannot access it because the undersea cable is down and hence it will
take about 2 weeks to be fixed! Such challenges in accessing information as
and when needed make business continuity difficult and could result
in revenue loss and reputational damage.
As a sovereign state, there’s critical information unique and important to
our country such that if the information is not available, the country will
be grounded. In order to balance the concerns raised on accessing
this information and the sensitivity of the information, we resolved to
have at least a copy of the information stored locally. This helps protect
personal information created in Kenya, national security, law enforcement,
and the competitiveness of the domestic market, hence creating job opportunities for
It is important to note that data localization does not apply to all
information. It only applies to categories of information on civil
registration and legal identity management systems for national security
(your identity as a Kenyan), facilitating the conduct of elections,
representation of Kenya, public finance by state organs, running systems
designated as protected computer systems in terms of section 20 of the
Computer Misuse and Cybercrime Act, information about children, and healthcare,
among others.
Some of the myths around data localization are that all information being
processed, even for private businesses, should be stored in the country;
that organizations are not supposed to use cloud services; and lastly, that
data localization is expensive compared to cloud services. I trust that we
have addressed the misconceptions most of you might have had about data
localization. What misconceptions did you have before reading this post?