In September 2023, Kenya’s Office of the Data Protection Commissioner issued fines totaling KES 9,375,000 (more than $60,000 USD) to three institutions for contravening the Data Protection Act. The highest penalty of KES 4,550,000 (more than $30,000 USD) went to an educational facility for using minors’ pictures without consent from parents or guardians. These were the first penalties given since the law came into effect in 2019.
Churches and church organizations are not exempt from these regulations. Data Privacy places legal requirements on institutions (including churches and other faith-based communities). It affects how churches collect, store and use member’s data such as names, addresses and contacts of congregants. It also has ramifications for filming or taking photos of members during church services or other events which might require the consent of the attendants.
Dr. Nelson Makanda, the General Secretary of the Evangelical Alliance of Kenya (EAK), shared his support for laws and regulations that ensure that personal information is not used for commercial gain or to cause personal harm. However, he cautioned that it is difficult to discern how far reaching the application of these laws should be.
“When is it wrong and not wrong? When the media finds people in a public gathering, for example, a football match, political rally among other such public events – how far should privacy rules apply?” he said. “If it’s okay to take and circulate photos of fans in a match by commercial media houses, why would it be an anathema for a church to use photos of congregants?”
He further explained that churches in Kenya are largely unaware of these laws, and he urged for more civic education to ensure that they are not caught infringing these laws. This lack of awareness is likely to be true for church congregations in other African countries.
Thirty-six African countries have implemented or strengthened data protection regulations in line with the African Union Convention on Cyber Security and Personal Data Protection (also known as the Malabo Convention). The convention, adopted by the AU in 2014, seeks to create a comprehensive legal framework for electronic commerce, data protection, and cybercrime and cybersecurity for the entire continent. It also sets out principles of transparency, accuracy, consent, fairness, relevance and confidentiality.
“The challenge for churches is how to remain faithful to the call of ‘making disciples’ in an environment that places a premium on protection of personal data even in the context of corporate worship,” said Mr. Kimathi Kamencu, the President of Advocates Africa – a continental association of Christian lawyers. “Online services … are just one of many aspects of faith expression that will be impacted by the growing regulation of data privacy.”
While the application of data privacy laws varies in each country, church operations will be impacted by data privacy regulation. Current procedures and policies outlining who has access to user data and how it will be used will need reviewed. But the full implications of the laws remain unclear. “Much thought and engagement (between faith-based groups and regulators) is necessary to bridge the gaps that exist,” said Kamencu.
