Efforts to have in place a privacy and data protection framework in Kenya commenced with the introduction of the right to privacy under Article 31 of the Constitution of Kenya 2010. The provision guarantees every person the right not to have their person, home or property searched; their possessions seized; information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed.
Following this, the first Data Protection Bill was published in 2012. It lapsed for want of action and was republished in 2013, again without progress. Parliament's inaction on the Bill continued until May 2018, when the Senate published a fresh Data Protection Bill, 2018, proposed as a private member's bill. During the same month, the Ministry of Information, Communications and Technology constituted a Taskforce to develop a Data Protection Policy and a Data Protection Bill for public comment.
The two Bills, despite their shortcomings and the confusion that they created, were welcomed by stakeholders as a positive step, especially coming at a time of widespread concern about privacy in the country. These concerns included the limited understanding of privacy among the public; fragmented oversight of privacy and data protection; the growth of mass data collection programmes by the government; the state's enhanced surveillance capacity; rampant privacy breaches by business entities; and limited dispute resolution mechanisms and remedies in case of breach.
Stakeholders were subsequently given opportunities to contribute to the development of the two Bills, which, after several consultations with the Senate, were consolidated into the Data Protection Bill, 2019. On 8 November 2019, the Bill was signed into law by the President.
Implications of the Data Protection Act, 2019
One of the key concerns prior to the enactment of the law was the weak regulatory framework for the enforcement of privacy rights in the country. The new law addresses this issue, as it provides the most comprehensive framework yet for regulating the processing of personal data and protecting the privacy of individuals in Kenya. It also consolidates the law on privacy in the country and, more importantly, articulates several principles of personal data protection under section 25 as the minimum standard by which all data controllers and processors must abide. These principles include lawfulness, fairness, transparency, legitimate purpose, data minimisation, accuracy, anonymisation, confidentiality and consent.
Also worth noting is that it hands power back to the individual by defining what constitutes consent and by making it a mandatory requirement. This addresses situations where personal data is collected arbitrarily and without the explicit consent of users. The law also prohibits the use of personal data for commercial purposes without the consent of the data subjects. It places the burden of proving a data subject's consent on the data controller or processor, while allowing the subject to withdraw consent at any time. Data controllers and processors will therefore have to revise their agreements, contracts and practices to ensure that they seek prior informed consent and obtain it explicitly.
The other important development is that the law, in its Second Schedule, amends other legislation that has an impact on privacy and requires that the principles under the Act be observed in the management of personal data. The laws it amends include: the Births and Deaths Act, the Capital Markets Act, the Independent Electoral and Boundaries Commission Act, the Kenya National Examinations Council Act, the Employment Act, 2007, the Kenya Citizenship and Immigration Act, 2011, the Basic Education Act, 2013, the Universities Act, 2012, the Central Depositories Act, 2000, the Anti-Money Laundering and Proceeds of Crime Act, the Kenya Information and Communications Act, 1998, and the Insolvency Act, 2015. This requirement addresses the various data collection programmes run by government. It will require the institutions responsible for registering births and deaths, issuing national identity cards and passports, Huduma Namba registration, registering students at all levels, and registering telecommunication services consumers to review their current policies, practices and procedures to ensure compliance with the principles set out in the Act.
The lack of an oversight body and the fragmented oversight of privacy in the country meant that every institution collecting personal data was left to police its own collection and handling of that data. Further, in the case of abuse, there was no oversight body to which such cases could be reported. The law addresses this challenge by establishing the Office of the Data Protection Commissioner, with independence to exercise its powers and carry out its functions under the Act. Its key functions include oversight of the implementation of the Act; the registration of data controllers and processors; promotion of self-regulation; assessment of public and private bodies; receipt and investigation of complaints; civic awareness; and inspection of public entities, among others. In carrying out these functions, it has power to conduct investigations; facilitate dispute resolution; summon witnesses; impose administrative fines; and provide assistance to the public. The Data Commissioner can also carry out periodic audits of data controllers and processors.
Prior to the enactment of the law, many aggrieved persons lacked adequate dispute resolution mechanisms and remedies in case of breaches. Under this law, the Data Protection Commissioner is empowered to receive and investigate complaints and to issue enforcement notices. Further, the law has raised the cost of non-compliance, as it empowers the Data Protection Commissioner to impose administrative fines of up to 5 million shillings or, in the case of an undertaking, 1% of its annual turnover, whichever is lower. Aggrieved persons can also seek compensation from the data controller or processor for damage, which covers both financial and non-financial loss. However, the Act exempts data controllers and processors from complying with its provisions where this is necessary for national security or the public interest, or where disclosure is required by law or by a court order.
Whereas the Act spells out several important and positive features, its implementation remains key. Establishing the Office of the Data Protection Commissioner is the priority action for the swift implementation of the law. Further, all data controllers and processors will need to take concrete steps to comply with the Act. These include mapping the personal data they hold, strengthening the security of that data, reviewing their policies, procedures and processes for handling personal data, and designating Data Protection Officers. This also opens up room for innovation and for new employment.
Lastly, capacity building for data controllers and processors will be critical going forward, to ensure that the principles set out in the Act are widely understood. Greater public awareness of privacy rights will be equally critical, and civil society can play an important role in making this possible.
While some will oppose the law, they should recognise that data is the new gold. The new law creates an opportunity for all stakeholders to assess and recognise the value of the personal data they hold and the privacy interests attached to it; to be transparent and accountable about how they use it; and to design and implement new ways of managing that data while maintaining the trust of the people to whom it belongs.