By Meshack Masibo
One of the reasons behind the enactment of the Data Protection Act, 2019 and its attendant regulations was to create a framework that safeguards the right to privacy in a world where the monetisation of personal data is ever-increasing. Privacy is increasingly under threat with the introduction of new technologies and platforms like the metaverse, all of which lead to exponential growth in cross-border data transfers.
As the saying goes, if you are not paying for the product then you are the product. You are worth just over KES 18,000 to Google and KES 15,000 to Facebook. This is hard to notice as you click away to Facebook photos or google affordable restaurants in Nairobi without knowing you have a price tag on your head and it is not cheap.
A lot of companies, domestic or foreign, are therefore on a persistent hunt for your personal data. These companies design apps to keep you hooked on your phone, and then track your preferences, movements, and activities based on information that you agree to share with them through your digital devices, and send you tailor-made advertisements right to your inbox and social media feeds. These practices, now dubbed ‘surveillance capitalism’, are a growing threat to privacy worldwide. Some of these entities will monetize your data at all times, often in total disregard of your right to privacy, and without transparency and accountability.
In September 2021 Ireland’s Data Protection Commission (DPC) fined WhatsApp a mind-boggling €225 million (KES 29 billion) for failing to properly explain its data processing practices in its privacy notice as required under the EU data protection regulations (GDPR). Similarly, in January 2022, the French Data Protection Office slapped Google with a €90 million (KES 11.6 billion) fine for failing to deploy proper cookie consent procedures on YouTube. In the rush to monetize data, most of these corporate entities do not take measures to safeguard their users’ privacy and thus end up on the pointy end of a Data Protection Commissioner’s dagger.
One of the main challenges for corporations is their ignorance and disregard for their data protection obligations under the data protection law. For instance, a 2021 survey conducted in Kenya found that only 36 percent of Kenyan businesses were aware of privacy laws governing their marketing activities. The survey also found that while 77 percent of the businesses indicated that they had policies on customer data protection, only 56 percent were strictly applying those policies.
Monetisation of data is not illegal; however, it should only be done with due regard to the right to privacy of personal data. This is especially true considering that we are living in the golden age of technology innovation and data revolution. Imagination is coming to life at a speed faster than the speed of right(s). Scenes that had for the most part been relegated to sci-fi movies are now slowly becoming the new reality. Take for instance Mark Zuckerberg’s long-term plan to create a global virtual community called the metaverse, which is a “virtual environment” that allows individuals to use a virtual presence to enter and interact with people beyond the device screen.
Essentially, it’s a world of endless, interconnected virtual communities where people can meet, work and play, using virtual reality headsets, augmented reality glasses, smartphone apps or other devices. The metaverse is likely to have an impact on all areas of life all across the globe and locally in Kenya.
Before the name change, Meta was still knee-deep in allegations of data mining and illegal data sharing. The company had been accused of deliberate data breaches including selling private user information to advertisers.
In a world where the digital meets reality, there is a legitimate concern over the protection of personal data. This is especially important when one considers the cross-border nature of the metaverse. If someone in Nairobi uses their virtual presence to shop in an accessories shop in Dubai, their data is transferred through different cloud servers across the world from the point of logging in to the metaverse, the point of purchase, and back.
Section 37 of the Data Protection (General) Regulations 2021 regulates the cross-border transfer of data from Kenya. It requires the data controller or data processor who is a recipient of personal data to provide a standard of protection that is at least comparable to the protection under the Act. This is our statutory adoption of the principles set out in the adequacy decision. It will be critical for the ODPC to have the manpower and resources to enforce this provision.
The regulations also require the data subject’s consent to be obtained prior to their data being transferred outside Kenya. The transferring entity must take reasonable steps to ensure that the personal data that is transferred is not disclosed by the recipient for an unintended purpose such as advertisements. The regulations also require the transferring entity to inform the data subject of the safeguards and implications, including the risks involved in cross-border transfer of their data. The transferring entity commits an offence if it obtains a data subject’s consent for cross-border transfer by providing false or misleading information, or by using other deceptive or misleading practices concerning the transfer.
What this means is that there is a need for stakeholders to work towards putting in place a cross-border legal framework to address the privacy concerns likely to arise from such data transfers in the metaverse and beyond. Also, the Office of the Data Protection Commissioner and other stakeholders should work towards ensuring regional and global standards towards regulating and providing oversight of cross-border data transfers. There is a need for more research on the import of the adequacy decision on Kenya’s Data Protection atmosphere and a public awareness drive on the law on cross-border data transfers. Lastly, as the metaverse and online trade become mainstream, the need to safeguard privacy is now, even more than before, critical.
Meshack is a Legal Fellow at KICTANet