By Meshack Kukubo & Victor Kapiyo
If data is the new oil, then it is akin to the age when Rockefeller stumbled upon his first oil refinery. Data has become the main commodity that businesses worldwide are using to inform, shape and execute their strategies, growth, and sales. Currently, 2.5 quintillion bits of data are processed every day as people make electronic and mobile payments through MPesa, shop online on Jumia, sell their cars on Jiji, register to vote in the upcoming elections, use digital IDs, access government services on eCitizen, learn through e-platforms, binge watch series on Netflix, follow celebrities on Instagram, watch videos on Tik Tok and YouTube, connect with friends and family on WhatsApp and Facebook groups, travel across town guided by Google Maps, send deliveries through Sendy, or order tasty meals from their favourite restaurant through Glovo or Uber Eats.
It is projected that data will top the agenda of conversation, regulation and debate in both this and the coming decades. Indeed, there is growing cutthroat competition in the data market and it is increasingly a big threat to the right to privacy.
Today, 28 January marks the Data Privacy Day, which is of great significance for Kenya, coming almost three years since the enactment of the Data Protection Act, 2019. The day commemorates the right to data privacy and provides an opportunity to create awareness of the universal right to data privacy. It also provides an opportunity to reflect on the developments that have occurred locally in the past year, and consider what more could be done to realise the right.
The journey to put in place a legal framework for the protection of the right to privacy traces back to 2009, when the first Data Protection Bill was published. The right to privacy was subsequently embedded in the Bill of Rights under article 31 of the Constitution of Kenya, 2010. Notably, the constitution grants every person the right to privacy, which includes the right not to have: their person, home or property searched; their possessions seized; information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed.
It took a decade after the first Data Protection Bill was published, for Kenya to enact the Data Protection Act in November 2019. The law provides an elaborate legal and institutional framework for the protection of the right to privacy and regulates the processing of personal data.
In November 2020, Ms. Immaculate Kassait (pictured) was appointed the first Data Protection Commissioner. Her office has the mandate to among others, enforce the Data Protection Act, oversee operations relating to the processing of data, and to receive and investigate complaints relating to infringement of the right to privacy. In the course of 2021, the Office focused on setting up shop and putting in place measures to enable it discharge its responsibilities.
Likewise, in May 2021 three draft regulations to give effect to some provisions of the Data Protection Act, 2019 were birthed. These include: the Data Protection (Compliance & Enforcement) Regulations, 2021, which set out the procedures for lodging, admitting and responding to complaints and enforcement provision; the Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021, which outlines the procedures and fees for the registration of Data Processors and Controllers; and the Data Protection (General) Regulations, 2021, which set out the procedures for enforcement of the rights of the data subjects as well as elaborating on the duties and obligations of Data Controllers and Data Processors.
In January 2022, the momentum towards an enabling legal framework grew with the coming into force of these regulations. These regulations respond to the increasing trends of massive data harvesting that some businesses have been engaging in. The regulations restrict the commercial use of data by corporate entities and organisations without consent of the data subject. They also elaborate and give life to the concept of privacy by design and by default. This principle requires data-based entities to not only preemptively secure data privacy, but also to adopt and deploy privacy respecting technology by default. Further, the regulations provide the framework for the transfer of personal data outside the country and for data protection impact assessments.
A Case in Point…
It is also during this period that the first major litigation that touched on the Data Protection Act, 2019 was concluded. This was in ground-breaking case which pitted the Katiba Institute and Prof. Yash Pal Ghai against the Government through its Agents, the Attorney General, and the Cabinet Secretaries for ICT and Interior and Coordination of National Government over the validity of the National Integrated Identity Management System (NIIMS) and the national enrolment for the Huduma Namba in light of the Data Protection Act, 2019.
In his landmark decision made in October 2021, Justice Jairus Ngaah quashed the decision to roll-out of the Huduma Cards, and faulted the government for violating section 31 of the Data Protection Act, 2019 by failing to conduct a data protection impact assessment before processing personal data and rolling out the Huduma Cards. In Shakespearean prose, the Judge criticised the government for not appreciating the potency and importance of the Data Protection Act, 2019. The court also ordered the government to conduct a data protection impact assessment before processing of data and rolling out the Huduma Cards.
Despite the developments in the data privacy law and jurisprudence in Kenya, there are still numerous challenges that continue to limit the enjoyment of the right to privacy. One such limitation is the low level of public awareness on the right. Indeed, a recent poll commissioned by Amnesty International on the level of public awareness on data protection laws revealed that 67% of Kenyans were unaware of the Data Protection Act and only 18% of Kenyans were aware of the existence of the office of the Data Protection Commissioner. This means that a significant number of Kenyans are still unaware of their rights and as data subjects, many are unlikely to recognise or report data breaches.
Secondly, the content of the Data Protection Act, 2019 and its regulations are still too technical for the layperson to understand. Further, given its nature, it may also present challenges for data processors and collectors to appreciate their obligations and responsibilities and the law.
Thirdly, the Office of the Data Protection Commissioner lacks the requisite capacity to discharge its mandate fully both in terms of funding and personnel. The budget allocated to the Office in the 2021/2022 financial year was just over 50 million shillings, yet it is expected to attend to over 50 million Kenyans, equating to 1 shilling per person, which is a far cry from the obligations of the Office. This deficit is likely to constrain its activities.
In conclusion, the Data Privacy Day provides an opportunity for all stakeholders to pull their resources, efforts and strategy towards creating public awareness on the right to privacy; promoting compliance with the data protection laws; and ensuring broader understanding of the functions of the Office of the Data Protection Commissioner, the obligations of data controllers and processors, and the remedies available for data subjects.
Efforts need to be put in place to sensitise the public, including by leveraging social media platforms to spread the gospel of privacy and data protection in content that is simple, clear and locally relevant. Also, both state and non-state actors should identify data protection champions within their organisations and build their capacity to enhance compliance with the data protection laws. More importantly, the Office of the Data Protection Commissioner should be adequately resourced and supported to ensure it effectively discharges its mandate.
On our part, KICTANet remains committed to the promotion and protection of the right to privacy, including through its advocacy, research and stakeholder engagements.
Happy Data Privacy Day!
Meshack Kukubo is a Legal Fellow at KICTANet, while Victor Kapiyo is a Trustee.