Airtel, Amazon, Apple, Buyrent Kenya, Data Protection, Data Protection Bill 2012, Facebook, Google, JUMIA, Kenya, LinkedIN, M-Pesa, Online Protection of Privacy Rights, Privacy, Snowden, T&Cs, Terms and Conditions, UDHR
By Perpetua Mwangi
In 2013, when Snowden brought to the world’s attention how US government agencies had been accessing and analyzing personal information of both its nationals and foreigners, the international debate on right to privacy protected by Constitutions of most countries and the Universal Declaration of Human Rights was ignited. Since then, numerous international and national forum, discussion, debates and polices have sought to address the right to privacy particularly in the digital space.
That same year, in December, the UNGA adopted resolution 68/167 affirming individual rights to privacy in the digital age and called upon states to respect and protect this right.
In this post, we consider the privacy concerns raised in a recent article in the New York Times titled ‘When a company is put for sale, in many cases, your personal Data is too’. This article brings to light an issue that ought to be of concern to Kenyan consumers who have given their information to a company that may later change ownership.
The article analyses data from the top 100 websites in the US as ranked by Alexa, an internet analytics firm. Out of the 99 sites with English language Terms & Conditions (T&Cs) relating to privacy, 85 made provision to the effect that users’ information might be transferred if a merger, acquisition, bankruptcy, asset sale or other transaction occurred. Some sites with such provision included companies such as Amazon, Apple, Facebook, Google and LinkedIn among others. All these companies are popularly used in Kenya.
A look at the T&Cs of some companies in Kenya that collect consumer information/data, reveals that there are no provisions on transfer or handling of customer information in the event of mergers, acquisition, bankruptcy, asset sale or any other transaction that involves change in ownership.
Safaricom’s MPESA T&Cs reads in part:
• ‘Safaricom recognizes the importance of protecting the privacy of all information provided by users of M-PESA. This statement is meant to affirm our utmost respect for your rights to privacy.
• Save as provided hereunder, Safaricom does not share your personal information with unauthorized persons and adequate safeguards have been put in place to prevent unauthorized access and to ensure confidentiality of your personal information’.
Meanwhile, Airtel Kenya T&Cs reads;
• ‘airtel will not monitor, vet, edit or knowingly disclose the contents of any emails transmitted or received by you using the Service, except that you agree that airtel may do so:
a. if required to by law;
b. if necessary to enforce any of these Terms and Conditions;
c. to respond claims that such contents violate or infringe the rights of third parties; or
d. to protect the rights or property of airtel
• You acknowledge that airtel will have to process all emails in the normal course of providing the Service and may identify at the foot of each email that it has been sent using the Service, but will not alter the content of any email messages.
For further details on how airtel collects and uses your data please contact our customer service’.
The online shopping platform Jumuia has terms and conditions that relate to customer information which read in part as follows:
‘Certain services and related features that may be made available on the Site may require registration or subscription. Should you choose to register or subscribe for any such services or related features, you agree to provide accurate and current information about yourself, and to promptly update such information if there are any changes. Every user of the Site is solely responsible for keeping passwords and other account identifiers safe and secure’.
Buyrent Kenya, a company that helps people to buy, sell or rent out property also collects user information in order to facilitate the service its offers. Buyrent Kenya T&Cs on privacy reads in part;
• ‘We intend using any personal or organizational particulars you submit to us via email, telephone, or the submission forms on this site only to respond to any specific request for information you have made on the site, and, with the exception of possible communication and use of this information in terms of 2.3 and 2.4 below, will not use this information in any other way or disclose it to any third party without your express written consent, unless forced to do so by law.
• If we offer or supply a service to you that is provided on our behalf by a third party we may have to pass your Information to them in order to deliver the service. By using this site you consent to us providing your Information to the third parties licensed by us to provide such services. We may also use third parties to provide services on our behalf which may include processing (but not using themselves) your Information. In any case, we will not pass your data to anyone who is not also registered with the Data Protection Act or is not subject to these or similar provisions in our contract with them, and we will not allow the third party to use your Information commercially without your consent’.
It is interesting to note that there is currently no Data Protection Act in Kenya; rather it is the Data Protection Bill of 2012 which is yet to be published by the Attorney General for debate in Parliament.
Whereas there is an appreciation of the protection of privacy as highlighted in most T&Cs, that guarantee promised at the initial point of engagement should continue to be guaranteed. At the very least companies should address how consumer information will be handled in the likely event of a new owner. It is opined that failure to make such provision may be tantamount to a violation of the Constitutional right to privacy.