Kenya has an opportunity to create a model data protection framework

In  traditions of many Kenyan communities, spy missions were sent to establish the characteristics of the standing and ancestry of couples before a potential marriage. For example, a boy who had identified a girl whom he wanted to marry would send spies to establish issues such as the generic traits, known habits, skills, diseases and other characteristics in the family of the prospective wife’s family and vice versa. Even in pre-colonial societies, such information was not readily available.  An expectation of privacy norms and expectations are thus not something new to African societies.

Today, few spies need to be deployed (in most urban African contexts at least). Potential wives or grooms can be measured, weighed and assessed by simply switching on an Internet-enabled device and doing some basic ‘due diligence’. His or her income can be inferred from their mobile money transactions, movements deduced from their phone location, their friends, likes and dislikes from social media platforms, and their political interests from articles they read online.

As people navigate digital spaces, masses of data about their habits, beliefs and preferences are generated. While it is possible for such navigation to be done anonymously, governments – especially in Africa – are increasingly enacting laws that compel the identification of every Internet user through requirements such as mandatory SIM card registration. In Kenya and Uganda for example,mobile network operators must register and verify their subscribers with the government’s national identification database.  In addition, governments are transferring many of their services to citizens online, in the process producing digital datasets.

But very few African governments have enacted laws to ensure that as personal data is collected, it is recorded, stored and used in a manner that protects and promotes the privacy of the people to whom it relates. To date, only about 22 African countries have data protection laws. And of those 22, it is debatable how many actually implement or enforce such laws. Although a relatively new field, there are now established principles for data protection. These include requirements about how data should be processed and stored, for what it may be used and collected for, how it should be maintained and updated, whether data should be portable from one device to another, and how and when it should be deleted.

In practice, data collection and processing is occurring at a massive scale across both the private and public sectors of sub-Saharan African countries. Sets of personal data such as telephone numbers and details of voters were up for sale during Kenya’s last elections. These were obtained from sources such as registers kept in building entrances and information collected during voter registration drives. Where data sets were incomplete for a required function, they were correlated with other data sets to produce more comprehensive information that was used to send personalised messages to voters.

Kenya’s proposed Policy and Regulatory Framework on Privacy and Data Protection now seeks to remedy the situation. It elucidates the rights of data subjects to information about use of their personal data, access to the data, objection to processing of their data and collection and deletion of data about them. The bill establishes the office of the data protection commissioner to oversee the realisation of these rights and other aspects of the law.

However, there are potential pitfalls in the Bill that stakeholders have termed as “giving with one hand and taking away with the other”. Research ICT Africa made a submission to the Bill, where among the points made are: the lack of independence of the data protection commissioner who in the bill is appointed and removed by the Cabinet Secretary. Best practice  would be to create an independent supervisory mechanism.

The Bill also contains some provisions that exempt certain state agencies from some of its provisions on grounds such as national security and assessment of taxes. This presents at least two problems: first,  it sets up these offices as exempt from protecting and promoting the rights of the data subject. Second, the law creates an avenue for revenue authorities and law enforcement to access third party data for purposes other than what it was collected for. This is contrary to the objective of protecting privacy.

National security exceptions have been the bane of human rights in Africa for many years. Experts in 1995 developed guidelines on incorporation of national security in media law. They recommended that whenever national security is to be used to limit a right, it should be as specific as possible and, the limitation must be necessary, proportionate and legitimate. These standards should be applied to the proposed limitations in the bill.

The data economy is one where both public and private sectors need independent oversight. Kenya has a golden opportunity to produce a model data protection framework if the law is made with the primary objective of protecting the privacy of the person. This goal ought to be placed above that of policing of the population.

About: Grace Mutungu’s work revolves on the intersection of technology, human rights and culture. She researches on tech policies in Africa and has interest in digital rights, digital governance and digitalisation. She was a 2017 Open Technology fellow at the Berkman Klein Center for Internet and Society (Harvard University) studying information controls at election times in Uganda and Kenya. She is an associate at the Kenya ICT Action Network (KICTANet) where she does policy and legal advocacy.

Read Research ICT Africa’s comments on Policy and Regulatory Framework for Data Protection in Kenya here.