Data protection is definitely in vogue in Africa. This may be a response to the economic potential of having robust data protection safeguards, and the fear of being left behind by other states that have implemented such laws.
The intricacies involved in establishing a functioning data protection regime require Kenya’s legislators to comprehend the full gamut of parties involved in the data life-cycle, and the accruing rights and duties.
What is the data life-cycle? A report by the Centre for International Private Enterprise (CIPE) defines it as the four stages data goes through, from initial collection to disposal. These stages are data collection and processing, storage, transfer, and disposal.
Why is it important? Regulation should adequately modulate the actions of various persons in the data cycle and the processes involved.
1. Data Collection and Processing
CIPE posits that the limits of the law are the main issue in data protection. Thus, the law should delineate the data it will adjudicate upon and, conversely, any exempted data. This is determined by the definition of data, and other associated sub-species such as sensitive personal data and critical personal data. Thereafter, consent should be defined. This concerns the initial interaction between the data subject (the customer/consumer) and data processors. For the data processor to do anything with consumer data, it is necessary for the consumer to agree to it.
There are degrees of consent as well. Beyond basic consent, there is informed consent, where the data processor/controller needs to ensure that the data subject knows what they are agreeing to. Is it necessary for legislation to require informed consent as a basic prerequisite? Doing so increases the burden on data processors and controllers to adequately inform the data subject of what they intend to do with their data and to ensure that they understand what is happening to a reasonable degree. This could force all of us to read the terms and conditions of every single application we use. One shudders at the thought!
Some applications have implemented software that ensures that users read the whole terms and conditions clause (the OONI Probe application, for instance). This requirement might not be absolutely necessary; there are other means of informing the data subject, such as dialogue boxes which explain features of applications.
2. Storage of Data and Localization
Once the data processor has managed to obtain both consent and data, they need to store the data in an appropriate medium. This obliges the processor to store the data safely. The data subject expects their data to be used for the purpose which was initially advertised. The obligations should be delineated in state policy, with room for redress in case of misuse or negligent handling of data.
Regarding localization, the principal players in this dichotomy are the state and data processors. Kenya may consider local storage as a means of improving the safety of data, whereas the local storage requirement may be a great financial burden on processors who will be forced to set up the infrastructure to meet this demand. Other factors come into play here: does Kenya have the base infrastructure to support multiple servers? The high cost of electricity and the lack of regulation present impediments to this dream. Furthermore, multinationals would argue that their existing servers are adequate for a (relatively) small Kenyan market. Localizing these servers, they posit, would not make economic sense. Could cloud computing provide a viable solution to this conundrum? Regulation must account for the near-term situation of the state and long-term considerations. This article by John Walubengo provides a primer on the application of cloud computing and server farms in Kenya.
Regulations must consider risk factors concerning data and its use. Data transfer to other jurisdictions does carry some risk, not due to the delocalization of the data, but due to other more nuanced situations such as the data protection regime of the other state, or the prevalence of data-related attacks within that territory. The Kaspersky global threat map indicates that Russia is the most attacked country in the world, whereas Kenya is 52nd on the list. Interestingly, other African countries that have taken the lead in implementing data protection laws, such as Ghana and Mauritania, are 117th and 154th on the list respectively. This is a cursory analysis, however, as other factors such as the size of a state’s internet economy and internet penetration must be taken into account to have a clearer picture as to why a state is more prone to cyber attacks.
In this regard, the regulation could take the European Union’s (EU) functional equivalence approach, which seeks to remedy the prevalence of discordant data protection laws and the lack of international consensus on the same. Thus, the EU only allows the transfer of data to states with policies that will ensure that data of EU data subjects is protected to a similar degree as under the General Data Protection Regulation (GDPR). This provision also has a positive effect on multinational data processors, for they can streamline their business model and internal policies to suit one very large jurisdiction, and still manage to operate in other jurisdictions with similar provisions.
Kenyan policy should consider the implications of imitating provisions of other regions. While there might be an immediate benefit, not considering bespoke provisions that account for unique economic phenomena in Kenya (such as our large unregulated economy) could potentially be detrimental.
“Yet, all things must die…” said Alfred Tennyson, British poet. In the same way, once data has served its purpose, it should be disposed of. Throughout this article, the main responses proposed to the data life-cycle are regulation-based; however, it also makes sense for small and medium-sized enterprises to delete large amounts of data due to the costs of storage. Hence, an internal corporate policy could play a part in the data protection policy. Larger companies have an immense capacity for storage, and as such can monetize stored data that has already passed its shelf-life. This is potentially problematic, for the law must consider the power large corporations hold and seek to regulate them, while SMEs should be encouraged to self-regulate instead of being encumbered with heavy-handed regulation. This implies that a tiered system of provisions should also be considered, regarding registration and other administrative demands.
An efficient data cycle is guaranteed by legislation that provides for rights and obliges data controllers/processors. Kenya’s Data Protection Bill is about to reach assent. It is understood that the best interests of the data subject and the data processor are balanced within a law that obliges the processor to collect data based on informed consent, to store collected data safely, to limit transfers of the data to strictly use-based scenarios such as the fulfillment of contractual obligations consented to by the data subject, and finally to dispose of data once its purpose has been served.