Written by: Pheona Wall SC
In our hyper-connected world, data is the new oil. It fuels innovation, drives economies, and shapes our daily lives. But with this immense power comes immense responsibility, particularly when it comes to the personal information that defines us. Protecting this data isn’t just about cybersecurity; it’s about safeguarding fundamental human rights. At the core of this crucial mission lies a powerful entity: the Data Protection Agency (DPA).
And if there’s one word that defines the effectiveness of a DPA, its independence.
For nations in East Africa, on the cusp of remarkable digital transformation, establishing and maintaining a truly independent DPA isn’t just a regulatory checkbox. It’s the bedrock for building public trust, attracting vital foreign investment, and ensuring that technology serves humanity, rather than the other way around.
Why Independence is the DPA’s Superpower
Imagine a referee overseeing a game, but beholden to one of the teams. The game’s integrity would crumble, right? The same principle applies to data protection. An independent DPA operates without undue influence from government, political parties, or powerful corporations. This autonomy is its superpower, enabling:
- Impartial Enforcement: A DPA under political or corporate thumb might shy away from investigating powerful entities. Independence ensures fair, consistent application of data protection laws to everyone.
- Protection Against State Overreach: Governments are massive data collectors. An independent DPA acts as a vital check, preventing misuse of personal data for surveillance, political profiling, or other rights infringements.
- Building Public Trust: When people know there’s an impartial body safeguarding their data, they’re more likely to engage with digital services, fostering a thriving digital economy.
- Facilitating Global Data Flows: International data transfers often hinge on a country having “adequate” data protection standards, and a truly independent supervisory authority is a non-negotiable part of that assessment.
- Expertise and Long-Term Vision: Free from short-term political pressures, independent DPAs can attract top talent and develop forward-thinking strategies to keep pace with rapidly evolving technology.
East Africa’s Journey: Laws and the Quest for Independence
East African countries have made commendable progress in enacting
data protection laws, largely inspired by the EU’s gold-standard GDPR.
- Kenya: The Data Protection Act, 2019, created the Office of the Data Protection Commissioner (ODPC), explicitly outlining its independence. However, the practicalities of limited funding, staffing, and potential political influence in appointments remain ongoing challenges that the ODPC continually navigates.
- Uganda: The Data Protection and Privacy Act No. 9 of 2019 established the Personal Data Protection Office (PDPO) as an independent entity under NITA-U.
- Tanzania: The Personal Data Protection Act No. 11, 2022, led to the formation of the Personal Data Protection Commission in May 2023, tasked with overseeing the Act’s implementation.
- Rwanda: Rwanda’s Government Law on Protection of Personal Data (PPD), 2021, places its data protection office under the National Cyber
Security Authority. - Somalia: The Somalia Data Protection Act of 2023 declares the Somalia Data Protection Authority independent. Yet, the multi-tiered appointment process involving ministerial and presidential approval often raises questions about potential executive influence in practice. While the legal frameworks are strong, the degree of true, operational independence for these DPAs remains a crucial area of focus and continuous development.
Global Precedents: What the Courts Say The principle of DPA independence isn’t just theory; it’s a legal cornerstone affirmed by leading courts worldwide, particularly the European Court of Justice (ECJ).
- The “Complete Independence” Mandate (ECJ): Cases like C-518/07, Commission v Germany (2010), and C-614/14, Commission v Austria (2016), are foundational. The ECJ unequivocally ruled that DPAs must be “free from any external influence, whether direct or indirect,” and “neither seek nor take instructions from anybody.” These judgments highlighted that independence isn’t just about what the law says, but how the DPA operates, from appointment to daily decision-making.
- The Schrems II Ruling (ECJ, 2020): This landmark decision, while famous for invalidating the EU-US Privacy Shield, also powerfully reaffirmed the DPA’s independent role. The ECJ explicitly stated that supervisory authorities “must act with complete independence in the performance of their tasks and the exercise of their powers.” This means DPAs have the independent power to halt data transfers if they deem protections inadequate, acting as crucial guardians of fundamental rights.
- DPA vs. EDPB (General Court of the EU, 2025): Recent cases, like the Data Protection Commission v European Data Protection Board, where the Irish DPC challenged EDPB directives, further illuminate DPA independence within a multi-jurisdictional framework. While the DPC’s challenge was dismissed, affirming the EDPB’s role in ensuring consistent application of GDPR, the case underscored that DPA operational autonomy must ultimately serve the broader goal of effective data protection across borders.
Best Practices for a Truly Independent DPA Drawing from these global lessons, here’s how to ensure a DPA is genuinely independent:
- Explicit Legal Guarantees: The law must unambiguously state the DPA’s independence from political, governmental, and commercial interference.
- Independent Appointment & Removal: A transparent, merit-based process for DPA leadership, involving parliamentary oversight and strict legal grounds for removal, is essential to prevent political influence.
- Adequate & Independent Funding: A DPA is only as strong as its resources. Sufficient, ring-fenced budgets, free from ministerial control, are vital for investigations, enforcement, and public outreach.
- Immunity from Directions: The DPA must be legally shielded from receiving instructions from any external body regarding its operational decisions.
- Transparency & Accountability: While independent, a DPA must be accountable to the public through transparent operations, published decisions, and clear reporting mechanisms.
The Unseen Guardian
The journey towards robust data protection in East Africa is dynamic and inspiring. Yet, the ultimate strength of these efforts lies in the unwavering independence of their data protection agencies. By continuously striving for and fiercely safeguarding this independence, East African nations can not only protect the fundamental privacy rights