KENYA Law and Practice Contributed by: Sammy Ndolo, Njeri Wagacha, Brian Muchiri and Sara Ndei, Cliffe Dekker Hofmeyr incorporating Kieti Law LLP
rights of data subjects and the obligations of data controllers and data processors. Any fintech that processes any personal data that is resident in Kenya or that processes per - sonal data relating to natural people in Kenya would be required to comply with the Data Protection Act and the following obligations, amongst others: • registration with the Office of the Data Protec - tion Commissioner (ODPC) as either a data controller or data processor; • obtaining the consent of a data subject prior to processing any personal data; • only processing the personal data to the extent necessary; and • reporting and documenting personal data breaches. If a fintech breaches the provisions of the Data Protection Act, it may be subject to administra - tive penalties from the ODPC of up to KES5 mil - lion (approximately USD35,000) or 1% of annual turnover for the preceding year, whichever is lower, or it may be subject to criminal sanctions of up to ten years in jail or a fine of up to KES3 million (approximately USD20,000). Consumer Protection The Consumer Protection Act provides for the protection of consumers and the prevention of unfair trade practices in consumer transactions. Under the Consumer Protection Act, businesses are strictly prohibited from making false, mis - leading or deceptive representations to describe their products or services. This includes things like claiming a product has features it does not, that it is of higher quality than it is, or that it is available for a hidden reason. Companies cannot go back on promises made in previ -
ous advertising and must be truthful about any special offers or price advantages. In addition, they must clearly explain the customer’s rights, remedies and obligations within a transaction. Using exaggeration, vague language or hidden information to deceive a customer is also illegal. Moreover, the Consumer Protection Act forbids businesses from taking advantage of vulnerable consumers and making unconscionable repre - sentations. It is considered unconscionable for a business to make claims knowing (or where they should know) that the consumer is unable to fully protect themselves due to factors like a disabil - ity, lack of understanding or illiteracy. The law also prevents deals that are heavily one-sided in favour of the business or contain extremely unfair terms for the consumer, or where the con - sumer was pressured into making a decision. If a fintech makes a false, misleading or decep - tive representation or an unconscionable repre - sentation, any agreement entered into between the fintech and the customer can be rescind - ed by the customer, who would be entitled to apply for other remedies available under the law, including damages. Cybersecurity The Computer Misuse and Cybercrimes Act, Cap 79C of the Laws of Kenya (CMCA), seeks to enable the timely and effective detection, prohibition, prevention, response, investigation and prosecution of computer and cybercrimes in Kenya. Under the CMCA, any entity that gives users of its services the means to communicate by use of a computer system (ie, a service provider) is required to:
460 CHAMBERS.COM
Powered by FlippingBook