Kenya: Adopted Data Protection (General) Regulations including data localisation requirement

On 7 December 2021, the Cabinet Secretary, Ministry of Information, Communication, Technology, Innovation and Youth Affairs signed the Data Protection (General) Regulations, 2021. According to the regulations, data controllers or processors handling personal data for strategic state interests must process the data through a server and data centre in Kenya or store a copy locally. These strategic interests include civil registration, elections, public finance administration, protected computer systems, education services, and primary or secondary healthcare. The Cabinet Secretary may also require compliance if a data controller processing data abroad fails to address breaches, violates the Act, or obstructs investigations by authorities.