By Francis Monyango.
Today is the 28th of January. Data Protection Day or Privacy Day. The day when we all commemorate the 1981 signing of the Council of Europe’s Convention 108 for the Protection of Individuals with regard to automatic processing of personal data, quite a mouthful.
While it is was initially a European celebration, data privacy is now a global issue and we now have a reason to celebrate Data Protection Day in Kenya. The Kenyan Data Protection Bill assented to the law on the 8th of November, 2019 and its date of commencement was on the 25th of November, 2019. This is Kenya’s first data protection law, promulgated 9 years later after the Constitution which enshrines the right to privacy in Article 31. The Data Protection Act law gives effect to article 31(c) and (d) which recognize the people’s right to informational privacy.
In recent times, privacy concerns among Kenyans have included the arbitrary misuse of personal information, unsolicited marketing messages by entities and the need for identification at entrances of buildings. Therefore, on this auspicious Data Protection Day, we want to highlight 4 good things in the Data Protection Act.
Gives people control
The Data Protection law came with new names and rights for people. The Act defines Data subject as a natural person whose personal information is processed. The rights in the Act include the right to be informed on the use of their data and the right to access their data which is in custody of the data controller or processor. Other data subject rights include the right to object to the processing of their data, the right to correction and the deletion of false or misleading data about them.
Data subjects are supposed to give informed consent to data processing. For them to give informed consent, they need to understand all privacy-related agreements which means these agreements have to be written in plain language. With informed consent, a data subject can know which types of data processing they can opt-in and out of.
Independent Data Commissioner
Another goodie in the Data Protection Act is the office of the Data Protection Commissioner. (It is yet to be set up but it is a huge leap to accountability). This commissioner will oversee the implementation of the Data Protection Act and its enforcement. The Data Commissioner will have to establish and maintain a register of data controllers and processors and exercise oversight on their data processing operations. Sometimes the Data Commissioner may have to conduct an assessment on a public or private body on its own initiative or at the request of a private or public body. Because of the nature of the role, we hope the Data Commissioner will be independent. The Commissioner will also be required to investigate complaints from any person on infringements of the Act and action taken.
Obligations to Data Controllers and Processors
The Data Protection Act christens entities that collect and use personal information data controllers and processors. These two entities now have new obligations. They are required to ensure that personal data is processed in accordance with the right to privacy of the data subject. The data processing has to be lawful, transparent and limited to what is necessary. Data processors and controllers are supposed to collect data for explicit, specified and legitimate purposes. The processing should not be incompatible with the agreed purposes.
The Act prohibits data transfer outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject. Other duties are to keep the data anonymous and to exercise privacy by design in their data processing systems. The Act requires entities to be transparent and accountable in their privacy practices and in the unfortunate event of a breach. In the event of a breach, data handlers must do their best to contain the harm, give appropriate support to help those affected, and ensure timely notification of any violations to the Data Commissioner.
Works Globally
The world is now a global village that is connected and the Act is not rigid in its requirements for cross border data transfer. A data controller or processor is allowed to transfer personal data to another country only where they have proved to the Data Commissioner the other country has appropriate security and data protection safeguards. For the processing of sensitive personal data outside Kenya, this was to be after obtaining the consent of the data subject and confirmation of appropriate safeguards in the destined nation.
This section initially required data controllers and processors to get consent from every data subject but Members of Parliament during legislation felt it would be ambiguous for an entity like the electoral body with servers outside Kenya to get consent from every voter, hence delegating the role to the Data Commissioner. This section enables interoperability between different jurisdictions while protecting the privacy of personal information without undermining the Internet’s global nature.
There are many other good things in the Act that I have not mentioned. However, I have to acknowledge that the law was drafted collaboratively, in the spirit of public participation. Stakeholders such as KICTANet, CIPIT, Article 19, KEPSA gave their views and the National Assembly ICT Committee considered all their points in the report that they tabled in parliament during the legislation.
The next big challenge is the implementation of the law. Will 2020 be a decade of privacy compliance by Kenyan entities? Will we celebrate Data Protection Day 2021 with a Kenyan Data Commissioner? Only time will tell.