Data protection is emerging as one of the spaces to watch in Kenya’s legal arena. For starters, the Kenya  Data Protection Act, a statute that gives effect to the constitutional right to privacy, only came into effect in November 2019. 

Also, interesting developments like the WorldCoin case, filed by the ICJ (International Commission of Jurists) Kenya Section, and the Katiba Institute at the High Court, raised issues of citizens’ rights violations. Such violations include lack of informed consent, inadequate public awareness, the high risks of biometric data misuse, and the need for clear guidelines on personal data use in Kenya.

Other significant data protection and data privacy-related cases since then include the Huduma Namba Case in 2021, whereby the High Court ruled Huduma Namba was unconstitutional. Second, there’s the WPP Scangroup Data breach case of 2024, filed by the company’s former CEO. Moreover, various plaintiffs have challenged the Data Protection Commissioner’s rulings via appeals at  the High Court.

Data is emerging as a highly sought-after commodity in this digital age, with the capacity to make data predictions influencing decision-making in diverse areas of life, from social media analytics to elections. So, what promise/opportunities do Data Protection and Data privacy laws hold for the legal professionals expanding into this rapidly expanding legal frontier? What value do Kenyan lawyers bring into the data protection space, and which opportunities does this space present for them?

To learn more about data protection as a practice area, we spoke to Nelson Okeyo, an Advocate of the High Court of Kenya and a research fellow at  Friedrich-Alexander University of Erlangen-Nuremberg, a Research University in Germany. He is also the Data Protection Team Lead at Munyao Muthama & Kashindi Advocates. Nelson unpacks his journey into data protection and data privacy, his particular areas of interest in the diverse practice area, what it takes to excel as a data protection expert, and potential challenges often experienced in this niche area.

Pivoting into Data Protection and Data Privacy

Nelson was admitted to the Kenyan Bar in 2019, after which he proceeded to pursue his LL.M at the University of Dar es Salaam in Tanzania, and later his doctorate studies in Germany.

Initially, he was keen on pursuing his first undergraduate degree in economics. ”I was always curious about public interest activities in Kenya, such as public appointments and elections.  However, a semester in law school proved to me that I was in the right place.”

After his admission to the bar, Nelson practiced law, dabbling in various practice areas, including tax law, employment law, and land law. So, why did he choose data protection as his focus area? 

“Data protection does not exist in isolation. It intersects with other practice areas. For example, if you talk about tax law, tax bodies must be honest about their reasons for collecting subject data and protect the data from unauthorized access. Dabbling in various practice areas primed me to understand data protection better.”

After linking the  threads between data protection and other practice areas, Nelson chose to pursue his master’s on the subject in 2019 at the University of Dar es Salaam. While there, he focused on Kenya’s Computer Misuse and Cybercrime Act, which was passed into law in May 2018. “As a result, I got to understand how the cybersecurity law was developing the landscape, which developed my interest in the subject matter.” 

Nelson’s newly found interest in cybercrime inspired him to pursue his doctorate degree in data protection when the opportunity arose. He concludes that his prior experience in other practice areas, coupled with his academic and research interests in cybersecurity, business and digital rights, are the foundations of his expertise as a data privacy and data protection expert.

However, he is quick to point out that data protection and data privacy are broad subjects. “When we talk about data protection, it’s just an aspect of the larger right to privacy, which is a very broad right that has since been recognized in various constitutions and regional human rights instruments developed in Europe, Asia, and Africa.” Therefore, in this piece, we focus on data protection law and its impact on social justice, which translates into data justice. 

Data Protection Law and Data Justice

So, what is Data Protection Law, and how does it impact social justice? Why is data justice relevant?

According to Nelson, data protection entails safeguarding personal information. However, to understand data protection as a practice area, we need to begin by deciphering:

• Who is safeguarding this information?
• Why is it being safeguarded?
• How is it being safeguarded?

The highlighted standards and requirements have been reduced to instruments developed at the international, regional, and domestic levels in whatever capacity a person finds themselves. As highlighted earlier, Nelson is passionate about human rights. Second, data protection and data privacy as a discipline draws from diverse practice areas, including human rights. Therefore, below is an overview of how human rights and data protection fuse to form data justice.

A Focus on Data Justice 

Data Justice is one of the subfields in the data protection and data privacy spectrum. It is the intersection between data protection and social justice. According to Nelson, the whole concept of protecting personal data and the standards of protecting and safeguarding personal information provided in the law might be inadequate to ensure that we achieve the ultimate social justice for the people. He cites an example of marginalized groups, like refugees who must give their data to receive certain benefits. 

“They only do so because they’re marginalized. So, if their data is processed without recognizing the underlying reasons why they’re volunteering their data, they might end up being refugees forever.  Another example in the Kenyan context is the Huduma Namba digital IDs under development. If we just allow the State Department for Immigration and Citizen Services and the National Registration Bureau to access the citizenry’s data as it is, then the historical injustices that have visited populations who have not been getting IDs for a long time risk being cemented.” He highlights the case of the Aadhaar System in India, which exacerbated marginalization among previously marginalized communities.

Data Protection from a Practice POV

So, what does a Data Protection and Data Privacy lawyer do daily? Second, if you were to position yourself as a data protection lawyer, which kinds of clients would you target, and what value would you pitch to them?

Nelson points out that data protection work is significantly broad primarily because it does not stand alone. However, he offers the following insights from a business and a day-to-day perspective.

First, regarding the clientele, clients include international clients seeking guidance on how to comply with the Kenyan data protection and data privacy laws. Such clients include foreign businesses setting up bases in Kenya as well as foreign embassies. Below are some of the services data protection officers offer their clients:

• The registration of data controllers.
• Advising clients to comply with the data protection principles, including the practical steps they must take to ensure they uphold the data subject rights.
• Advising clients on how to do their incident response & planning, especially during instances of personal data breaches that also happen in diverse contexts.
• Data protection impact assessment and privacy assessment. (It is also a huge space for advisory roles.)
• Review reports, especially local Data Protection Impact Assessments (DPIA) done in other countries. Such reviews ensure that they comply with applicable templates and regulatory frameworks.
• Advise on cross-border transfer of data, especially outside Kenya. 
• Clients needing representation in the courts and before the Data Protection Commissioner when faced with adverse claims by data subjects.
• Representing the Data Protection Commissioner, especially in appeals in matters where they made a determination.
• Alternative Dispute Resolution
• Advancing thought leadership in the area by making responses to public calls for participation, especially in the development of strategic plans, e.g, the Kenya AI strategy launched through the Ministry of ICT and Digital Economy in March 2025.
• Conducting data protection compliance audits, an emerging area as such audits are a new requirement under the Data Protection Act,  and the general regulation for the conduct of audits. 

Setting Yourself up for Success in the Data Protection and Data Privacy Space

1. Cross-sector Collaborations

Nelson points out that while data protection lies predominantly in the field of law, cross-sector collaborations are vital for success in this practice area. For starters, he cites collaborations with ICT practitioners as crucial because they bring technical expertise to the table. 

“As data protection and data privacy lawyers, we advise clients on the adequacy of the mechanisms put in place to ensure there’s integrity, confidentiality, and availability of data. However, when talking about technical terms like hashing, anonymization, & synonymization of personal data, there’s always a need for inquiry on how to implement them in practice.” Non-legal technical experts(e.g., data engineers, cybersecurity specialists, human rights & ethics experts, etc)facilitate the proper execution of assignments.

2. Top-up  knowledge with Vocational Courses

Besides engaging with expertise, he encourages those interested in IP law to pursue some vocational courses available on learning management systems like Udemy, Coursera, etc. They can also find courses offered by regional institutes, including the Centre for Intellectual Property and Information Technology Law (CIPIT) at Strathmore University. Other Kenyan institutes offering such courses include the Kenya School of Internet Governance (KeSIG) – KICTANet, and Africa Nazarene University. Such courses help with achieving/ improving/ showing adequate expertise on data protection.

However, you don’t have to limit your scope to Kenya. Various institutes and organizations in Africa, such as the University of Pretoria, and global institutions also offer such courses. Once you set out to seek knowledge, you will find it and grow in the practice.