Custom Law

THE RIGHT TO BE FORGOTTEN

July 10, 2025

1. Right to privacy

Article 31 of the Constitution of Kenya, 2010 explicitly protects individuals’ right to privacy. This includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.

The Data Protection Act, 2019 serves as Kenya’s primary legal framework governing data privacy. The Act outlines the principles of data protection, the rights of data subjects, and the obligations of data controllers and processors.

2. Right to Erasure

One of the rights of data subjects is the right to erasure, under which individuals can request deletion of their data when it is no longer necessary for its purpose. In Kenya's data protection law, the “right to erasure” is also known as the “right to be forgotten”. It allows individuals to request the deletion of their personal data held by a data controller or processor when it is no longer necessary for the purpose for which it was collected. This right is enshrined in Section 40 (1) (b) of the Data Protection Act, 2019, which states that:

“a data subject may request a data controller or processor to erase without undue delay personal data that the data controller or data processor is no longer authorized to retain, irrelevant, excessive or obtained unlawfully.”

3. Exceptions to the right to Erasure

However, there are exceptions to this right. Requests for erasure can be refused if the personal data is processed for the following reasons: to exercise the right of freedom of expression and information; to comply with a legal obligation for the performance of a public interest task or exercise of official authority; for public health purposes in the public interest; for archiving purposes in the public interest, scientific research, historical research, or statistical purposes; or for the exercise or defence of legal claims.

Conclusion

For businesses operating in Kenya, the recognition of the right to be forgotten under the Data Protection Act introduces significant compliance obligations, requiring the establishment of robust procedures for data erasure, updates to data retention policies, enhancement of data security measures, and employee training on data protection principles. Organizations must navigate these requirements while balancing competing legal and operational interests, such as statutory data retention obligations and the need to preserve freedom of expression and public access to information. Although the right to be forgotten marks a substantial advancement in empowering individuals to control their digital identities and safeguard their privacy, it also presents complex challenges in aligning this right with broader societal and regulatory considerations. As digital technologies continue to evolve, achieving an appropriate balance between personal data erasure and the public interest remains a critical issue for legislators and regulators globally.

Authors

Arnold Karanja

Author & Expert

Dorah Malemba

Author & Expert