KIPPRA

An International Centre of Excellence in Public Policy and Research

Strengthening Data Protection in Kenya: Opportunities and the Way Forward

Introduction

The International Covenant on Civil and Political Rights Treaty in Article 17 advocates for privacy and protection of personal information by the State. Similarly, the Constitution of Kenya 2010 guarantees the right to privacy as a fundamental right. To safeguard individual privacy, the Data Protection Act, 2019 was enacted and came into effect on 25th November 2019. The law applies to data controllers and data processors, and it defines the parameters for legitimate data processing practices. This comes at a time when citizens’ digital footprints have expanded with the adoption of digital technologies.

The Act has provisions that deal specifically with several facets of data protection, including the right to privacy, rights of rectification and erasure, and freedom from discrimination. For instance, every data controller or processor, including Internet Service Providers and their agents, government agencies, and other consumer-heavy organizations such as supermarkets, must ensure that the subjects’ privacy rights are protected, that the data is collected in a transparent manner and for a legitimate purpose, that the data is limited to the minimum necessary for the purpose it was collected for, and that the rights to correction and erasure are preserved.

Data protection includes the right to privacy, rights of rectification and erasure, and freedom from discrimination. For instance, every data controller or processor, including Internet Service Providers and their agents, government agencies, and other consumer-heavy organizations such as supermarkets, must ensure the subjects’ privacy rights are protected, the data is collected transparently and for a legitimate purpose, the data is limited to the minimum necessary for that purpose, and the rights to correction and erasure are preserved. These are outlined as the principles of data protection in Section 25 of the Act. The Act needs to consider emerging privacy issues such as biometric technology and artificial intelligence. Further, there is a need to specify the data retention period to allow deletion of data when it is no longer necessary for the purpose for which it was collected.

This blog aims to delve into Kenya’s existing data protection framework, examining its strengths and identifying areas that require enhancement.

Data Protection Practices in Kenya

In recent years, Kenya has seen substantial expansion in the adoption of digital technologies, transforming how citizens interact with the government, businesses, and other institutions. From mobile banking to e-government services, the digital footprint of Kenyan citizens has expanded significantly, bringing about undeniable benefits in terms of efficiency and accessibility. However, this digital transformation raises concerns about the protection of sensitive personal data, making it necessary for the nation to recalibrate its approach to data privacy. Data protection is growing in importance as governments adopt digitization of services and increasingly require citizens to have an online presence to access them.

The Data Protection Act in Kenya applies to both government entities and private organizations. The institutions are expected to register with the Data Protection Commissioner, have a policy on data protection, appoint a Data Protection Officer to handle all data protection matters, obtain the freely given consent of data subjects before processing their data, and have backup, recovery, and access control systems for data security. Organizations must also report any breach to the Data Protection Commissioner and, in certain cases, to the affected data subjects. Organizations must also conduct Privacy Impact Assessments for certain processing activities to assess and mitigate potential risks to individuals’ privacy.

The Kenya National Bureau of Statistics (KNBS) is mandated to collect, analyze, and disseminate statistical household data. However, they must adhere to the Data Protection Act, 2019. Moreover, sharing customer data by Safaricom is subject to the provisions of the Data Protection Act, 2019. The Act typically includes restrictions on sharing personal data with third parties unless certain conditions are met, such as obtaining explicit consent or if there is a legal obligation to share the data.

The requirement for researchers to declare data privacy when collecting, analyzing and publishing in journals aligns with the principles outlined in the Data Protection Act. The Act emphasizes transparency, accountability, and responsible handling of personal data. Research ethics is key for any research to ensure scientific integrity and uphold human rights and dignity. By linking the requirement for data issue declarations to the principles of the Data Protection Act, the country ensures that research activities adhere to legal and ethical standards, thus enhancing trust and confidence in data handling processes within the academic community.

Worldcoin, a blockchain company, gained popularity in Kenya, with long queues of people giving biometric information in exchange for tokens worth KSh 7,000. Some crypto firms in Kenya, such as Nuzo, took advantage of the popularity of Worldcoin and helped people convert their tokens to cash. However, Worldcoin did not give clarity on the security and storage of the collected sensitive data.

Emerging Issues on Data Protection

Kenya has developed laws and policies that serve as frameworks on how personal data is collected and used. Organizations and people to which these frameworks apply tend to devise new ways of avoiding compliance with the policies and laws to which they are subjected.

The office of the Data Protection Commissioner lacks guaranteed independence due to its reliance on the compulsory involvement of the cabinet secretary for ICT and national security organs. This dependency introduces potential conflicts of interest and undermines the autonomy of the Data Protection Commissioner. This lack of independence could compromise the effectiveness and credibility of the Data Protection Commissioner in enforcing data protection laws and ensuring accountability in data handling practices.

The Data Protection Commissioner in Kenya faces a significant challenge due to inadequate resources, which hinders the effective execution of its mandate on data protection and enforcement of the laws. Insufficient funds leave the commission struggling to implement its mandates and to invest in proper infrastructure to address evolving data breach issues and ensure sufficient data protection. To address these resource constraints, it is imperative for the Kenyan government to allocate sufficient funding and support to the Data Protection Commissioner, allowing them to safeguard individuals’ data privacy rights effectively.

The dynamic technological advancement poses challenges for data protection laws, as these laws often struggle to keep up with the evolving landscape of technology, for example, biometric data capture (Worldcoin), artificial intelligence, increase in Internet of Things devices and social media platforms that bring about new ways of personal data sharing and processing. The law may not have guidelines to address these emerging technologies.

M-Pesa has become a game-changer for mobile money transactions. However, there is a worry about how personal data is handled within M-Pesa agent shops. People share their personal information, such as names and ID numbers, but it is not clear how this data is protected. These details end up in books accessible to all agents, which raises concerns about who can access and share them. Moreover, there have been cases of unauthorized use of personal data, leading to unwanted marketing and even people being signed up for things such as political parties without their consent. This applies not only to M-Pesa but also to other entities such as supermarkets. When one uses the phone to make payments, one could get advertisements on the phone which one did not subscribe to. Also, many hotels and buildings capture information about their guests as they check in and check out. However, it is not clear where this information, recorded in books and systems, is stored. To fix this, Safaricom PLC needs solid data protection rules, clear access controls, and secure storage methods. They should also get explicit permission from users before using their information for marketing and make it easy for people to report any misuse.

Conclusion and Recommendation

Strengthening data protection is a central endeavor at the intersection of technological progress and individual rights. As Kenya strides forward into a digital future, the commitment to fortifying data protection practices becomes paramount. The opportunities for innovation, economic growth, and enhanced trust in the digital ecosystem are abundantly clear. The establishment of the Office of the Data Protection Commissioner underscores the dedication to enforcing these principles, yet challenges persist.

There is need to prioritize capacity building initiatives to enhance understanding and implementation of data protection principles across government agencies, businesses, private sector, and the broader public. These initiatives will significantly contribute to a culture of responsible data stewardship.

The Office of Data Protection may consider recognizing the dynamic nature of the digital landscape and commit to regular reviews and compliance checks of existing data protection policies. Moreover, organizations need to promote integration of data protection impact assessment as a standard of practice in handling personal data. There is need to ensure that the legal framework remains agile, responsive, and aligned with international best practices to effectively address emerging challenges. There is also need for increased collaboration between the public and private sectors to create a unified front against data breaches and cyber threats. Shared intelligence, collaborative initiatives, and joint efforts in research and development can contribute to a more resilient data protection ecosystem. The Office of Data Protection could encourage the development and adoption of technologies that integrate privacy by design. This approach ensures that privacy considerations are embedded into the development of new systems and technologies from the outset, promoting a proactive rather than reactive approach to data protection. The government could engage in international collaborations and partnerships to share insights, best practices, and expertise in the realm of data protection. Learning from global experiences can enrich Kenya’s approach and contribute to a more interconnected and secure digital environment. By prioritizing these recommendations, the country could chart a path forward that not only strengthens data protection but also positions the nation as a leader in innovative digital data management practices.

Authors: Mary Kageni and Yvonne Odhiambo, KIPPRA Young Professionals
