Expert Commentary: Kenya follows the path of European-style Data Protection
World Privacy Forum
Guest Post by Dr Isaac Rutenberg, Director and Senior Lecturer, Centre for Intellectual Property and Information Technology Law, Strathmore University, Nairobi, Kenya
cipit.org | @StrathCIPIT
On the 8th of November, the President of Kenya signed into law the Data Protection Act 2019. This action completed a process that spanned more than a decade, and allows Kenya to enter a new phase with respect to the evolving centrality and treatment of data in society. This article looks at the content of the Act, highlights important and interesting provisions, and concludes with predictions as to its implementation.

Viewed from a high level, Kenya's Data Protection Act (DPA) has many similarities with the General Data Protection Regulation (GDPR) in the EU, but also some notable features that have been localized for the Kenyan context. Without question, the DPA will satisfy Kenya's obligations with respect to data protection under the African Union Convention on Cyber Security and Personal Data Protection, to which Kenya is a signatory. Also without question, the DPA is a major development that will require significant changes to the operations of private and public entities.

The similarities with GDPR are very clear. Section 25 of the DPA lists the principles of data protection that apply to data controllers and processors:

- Respect for the right of privacy;
- Data is collected for explicit, specified, and legitimate purposes (purpose limitation);
- Data is processed lawfully, fairly, and transparently;
- Data is adequate, relevant, and limited (data minimization);
- Data is accurate and kept up to date;
- Data processing is explained to the data subject;
- Data is kept no longer than necessary for the purposes for which it is collected; and
- No transfers outside Kenya without proof of data protection safeguards, or consent.

Each of the above principles is supported by additional provisions throughout the Act, with some more effectively supported than others. A thorough analysis of these provisions is provided in a series of blog posts at www.cipit.org. Data processing must generally be done in compliance with the above principles.
There are, however, numerous exceptions, and one exception in particular will require attention as the Act is implemented. Section 30 states that personal data shall not be processed unless the processing is necessary "for the performance of any task carried out by a public authority." This appears to be a blanket authorization for any and all activities by the government. The provision is greatly worrying, even though such activities may still be limited by other provisions of the DPA (such as the need for a risk assessment, as described below).

A few other provisions of the DPA are worth discussion. Companies may choose to have a Data Protection Officer, but unlike the GDPR, the DPA never requires such an officer. Given the complexities of data protection in the global context, it is inconceivable that any large company would elect not to have a Data Protection Officer, and it is advisable that many smaller companies (particularly tech companies) should also seek the services of a full- or part-time Data Protection Officer.

An intriguing aspect of the DPA is found in Section 31, which states that any data processing that is "likely to result in high risk to the rights and freedoms of a data subject" must undergo a data protection impact assessment. The requirement appears to apply to both private and public activities; government projects as well as private sector projects involving data will require impact assessments. The highly controversial "Huduma Namba" digital ID program currently being introduced in Kenya seems to be exactly the type of project that would require an impact assessment under this provision. Much as all major construction projects now routinely undergo environmental impact assessments, it is hoped that the data protection impact assessment will become a normal part of project planning. As a side note, it is unclear whether the skills and experience for carrying out data protection impact assessments are widely present in Kenya.
Another intriguing provision is found in Section 35: "Every data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject." Many telecom companies and startup companies in Kenya are making microloans to consumers based on various credit scoring methods (some of which, incidentally, involve algorithms using artificial intelligence). It appears that, with some exceptions (such as when the data subject consents), such products are no longer legal unless a human is involved in the final decision as to whether to grant a loan.

Now that the process of enacting data protection legislation is over, the details of implementation take center stage, and will ultimately be just as influential in Kenya's commitment to data protection. Favorably, the law provides for an Office of the Data Commissioner that is a state office. This means that the Data Commissioner will be relatively independent of the executive branch of government. Most importantly, funding for the Data Commissioner will be provided directly through Parliament. The Data Commissioner will be appointed by the President from three candidates selected by the Public Service Commission, so the executive will still have a large influence over the philosophy of the Office of the DC. The Data Commissioner receives a six-year term, and the selection of the inaugural Commissioner is a critical step that will determine much about the implementation and impact of the law.

There is, however, a more pressing concern. Recently a private individual brought a lawsuit in the High Court to halt implementation of the Data Protection Act. The petitioner argues that the DPA resulted from the merger of two bills, one of which originated in the Kenyan Senate. Since the DPA itself was never sent to the Senate for approval, the lawmaking process was improper.
Bypassing the Senate is a method that has been used by the government to shorten the lawmaking process in other pieces of legislation, and this lawsuit tests the very fundamental question of when such a method is consistent with Kenyan constitutional democracy. The DPA merely appears to be the battlefield upon which this issue may finally be decided. Implementation of any aspect of the DPA requires appointment of the Data Commissioner. In view of the pending litigation, this appointment may be substantially delayed, and data protection for Kenyans will have to wait.

One final thought: when Europe implemented the GDPR, which was more favorable to data subjects than any other legal framework existing at the time, some American tech companies modified their activities. It was reported that Facebook, for example, moved non-European data to servers located outside the EU. But, due to the size of the market, most major tech companies continued to engage with Europe and Europeans. Considering the vastly smaller market in Kenya, it will be interesting to see whether the similarly strict provisions of the DPA will result in some global tech companies deciding that the Kenyan market is not worth engaging.

—Dr. Isaac Rutenberg, Centre for Intellectual Property and Information Technology Law, Strathmore University

Publication information: Posted 22 November, 2019 in International Privacy, Privacy Law, Region: Africa. Tags: Huduma Namba