
Kenya’s move to enact data privacy legislation timely


Do you give out your personal information randomly and willfully? Do you inquire why the information is being collected and the purpose for collecting it? More interestingly, does your business collect personal information from clients? Do you seek consent before collecting it? Do you explain the purpose for collecting such information? How long do you store the information?

Victim or villain, this one is for you, because the days of using consumers’ personal information in a laissez-faire manner are numbered; the writing is indeed on the wall. Article 31 of the Constitution of Kenya 2010 guarantees the right to privacy, which includes the right not to have information relating to one’s family or private affairs unnecessarily revealed or the privacy of one’s communications infringed.

The world has become a global village. Technology has come of age in many a country and Kenya has not been left behind. As a matter of fact, a recent study shows that Kenya is leading globally in the share of internet traffic coming from mobile phones, overtaking Nigeria, which was at the top in 2017.

At 83 per cent, Kenya is now at the top, with Nigeria coming in second at 81 per cent. The technological wave has been gradual but consistent. Massive volumes of data are being collected, stored and transmitted at the click of a button across a wide spectrum of sectors, including telecommunication, hospitality, banking and retail. In spite of Kenya’s credentials at technological dexterity, the reverse is true when you begin discussing the legal and institutional framework specifically touching on personal data protection.

Kenya has neither enacted any piece of legislation specifically touching on personal data protection nor ratified any convention on the same. We have the Kenya Information and Communication Act, 1998, which glosses over the aspect of personal data protection. This Act, having been passed in 1998 before the 2010 Constitution, does not reflect the aspirations of ‘Wanjiku’ which are encompassed in Article 31 of the Constitution. We equally have the recently passed Computer Misuse and Cybercrimes Act, 2018 (whose legislative intent was to nip in the bud bloggers and other ‘keyboard activists’, but this is a discussion for another forum), which is more of a penal law aimed at punishing cybercrimes than it is a substantive law addressing, inter alia, personal data protection.

All is not lost, however, and this may well be Kenya’s watershed moment in personal data protection. First, the African Union (AU), to which Kenya is a state party, recently adopted the African Union Convention on Cyber Security and Personal Data Protection. The AU adopted the convention in the Twenty-third Ordinary Session of the Assembly, held in Malabo, Equatorial Guinea, on 27th June 2014.


Kenya, being a partially Monist and Dualist state, is required to either ratify the convention or pass a domesticating statute for it to be binding law. This is in accord with Article 2(5) and (6) of our Constitution. Some of the salient features of the Convention are the principles of data protection, the rights of a data subject and the corresponding duties of a data controller. It provides for five key principles which form the basis for the rights and duties.

In common parlance, these principles are: processing of personal data shall be done with the consent of the data subject; collection, processing, storage and transmission of personal data shall be done in a lawful and non-fraudulent manner; personal data shall be collected for a specific purpose and shall not be stored for longer than is necessary; data collected must be accurate and up to date; transparency in disclosure of personal data held by a data controller; and confidentiality and security of personal data processing.

Some of the noteworthy duties of an organisation collecting personal data are ensuring that the processing of personal data is confidential and putting in place appropriate measures to ensure the security of personal data. We are yet to ratify the convention, hence it still does not form part of our laws, but if the current legislative mood on data protection is anything to go by, then it may not be long before we domesticate it.

Secondly, the Data Protection Bill, 2018 is currently going through the legislative process before the Senate, having been sponsored by Baringo Senator and Chairperson of the Committee on Information, Communication and Technology, Gideon Moi. The Bill’s maturity date was 30 May 2018 and it is awaiting presentation before the Senate for its first reading. It has nine principles which are, hook, line and sinker, similar to those of the AU treaty above. These principles govern how personal data shall be utilised.

All the principles bespeak the need to protect one’s personal information from misuse. Some of the salient principles are the requirement to obtain consent from the data subject before collecting personal data; collecting data in a manner that does not intrude on the privacy of the subject; that organisations shall not keep personal information for longer than is necessary; and unfettered access by the data subject to the information held by an organisation.

EDWIN MUNGA, Legal consultant and advocate of the High Court of Kenya.