OUTDATED DATA IS DATED: Kenya’s Data Protection Law

By Silas B Owiti

The open secret in the advertising industry is that it is built on exploiting our data. You mention something to a friend and, before you know it, you are being bombarded by adverts about it. Everything we do online is tracked to follow our movements and understand our behaviour. This information is then collected and sold.

Have you ever noticed the word ‘cookies’ on the websites that you visit? On most of them, clicking to accept is mandatory. The ‘cookie’ is one of the best tricks used in the marketing industry, and I am sure most of us have never bothered to look up what it means, just as we rush to accept terms and conditions when registering for a site because we are curious to see what more the site offers. A cookie means a tracker, so when you go to a website and see that annoying popup that says “allow us to drop a cookie on you”, what they really mean is “allow us to drop a tracker on you”. If you saw the number of companies that you have unknowingly allowed to track you, you would definitely be surprised. The burning question on our minds right now is: do we have an option?

Yes. The introduction of Kenya’s first Data Protection Act 2019 (the Act) brings an end to the era of navigating the uncertain path of the previous disjointed framework of data protection legislation. The Data Protection Bill, which had been a subject of discussion for years, was passed into law on 8 November 2019 when the president assented to it.

This Act introduces new requirements and challenges for legal and compliance functions. Many organisations will require a Data Protection Officer (DPO), who will have a key role in ensuring compliance. If the Act is not complied with, organisations will face the heaviest fines yet: they will be liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both. A renewed emphasis on organisational accountability will demand proactive, robust privacy governance. This will require organisations to review how they write privacy policies, to make these easier to understand, and to enforce compliance. The Act is a significant milestone of which all Kenyans should be proud. It is testimony to the country’s commitment to being one of the continent’s leaders in promoting innovation and, at the same time, it recognises the fundamental importance placed on protecting the personal data of individuals.

The law indicates that requests for consent must be presented to us, as data subjects, in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. It is unfortunate how organisations use ambiguous language when asking for consent to use our data. [1] This reminds me of how alcoholic beverage manufacturers rush through the ‘beware’ warning at the end of their advertisements, even though it is the most important detail in the advertisement. Organisations, notwithstanding their size, influence and what they offer, should be very clear when requesting our data, and we, as citizens, should be able to choose whether or not our personal data is processed, where and for what purpose. Additionally, we can request to be forgotten, which entails the removal of all the data related to the data subject.

It is actually not surprising that with the growth of the digital economy, the users who accumulate and share data will be entitled to various rights for proper management of their privacy. These rights include:

  1. Right to ‘data portability’. This means that individuals are entitled to request copies of their data in a readable and standardised format. The interpretation of this requirement is debatable, but taken broadly the challenges could be numerous – amongst them achieving clarity on which data needs to be provided, extracting data efficiently, and providing data in an industry-standardised form.
  2. Right to be forgotten. This is further evidence of the consumer being in the driving seat when it comes to use of their data. Depending on regulatory interpretation, organisations may need to perform wholesale reviews of processes, system architecture, and third-party data access controls. In addition, archive media may also need to be reviewed and data deleted.
  3. Data subjects have a right to know what data companies hold about them, where it is stored, and with whom it is shared. This mandates companies to create and maintain an inventory of data processing activities. Data leads will have to work closely with privacy colleagues to ensure all necessary bases are covered. A thorough system for maintaining inventories needs to be implemented.

The most surprising part of this Act is that it was expedited following concerns raised over the Huduma Namba registration exercise, with those opposed to the process raising concern about the safety of citizens’ personal data collected by the Government. Politics is an emotional issue in our country, Kenya, and political data is obviously sensitive. In particular, elections in Britain, the United States of America and Kenya reveal the use of personal data to invasively profile voters and manipulatively persuade or dissuade them from voting in a certain way. While opinion is divided on the effect of manipulation campaigns, it is clear that this kind of propaganda has resulted in the polarisation of societies.

In Kenya’s case, the government IPRS databases contain personal data collected for purposes of identification and other government service delivery. This data should not be profiled for political purposes. Instead, the government should state the purposes for which data in its custody is being used, keep citizens updated and, where practicable, seek their consent when the data is repurposed. Given that political parties form the government, there should be an independent data authority to oversee data protection. [2]

As our digital world continues to develop, we recommend the development of a consolidated framework to provide for more data protection principles. The establishment of an independent authority to promote data protection and enforce the law is a great step for us as a country, and it is a sign that unscrupulous activities by organisations will not be tolerated and will be dealt with accordingly.

  1. https://www2.deloitte.com/content/dam/Deloitte/ke/Documents/risk/Kenya%20Data%20Protection%20Act%20-%20Quick%20Guide%202021.pdf
  2. https://www.apc.org/sites/default/files/Data_protection_in_Kenya_1.pdf