By Grace Bomu*
CIPIT welcomes the publication of the Data Protection Bill by Kenya’s National Assembly. The center has been involved in policy development for the digital economy in Kenya and Africa at large. In 2014, CIPIT gave input to the African Union Convention on Cybersecurity and Personal Data Protection, emphasizing on the need to protect and promote the right to privacy. Since then, there has been massive development in the data economy in both the public and private sector. CIPIT has previously recommended a comprehensive data protection framework for Kenya.
The Centre has reviewed the proposed law and submitted comments to the Clerk of the National Assembly. From our interaction with micro, small and medium enterprises (MSMEs) in the digital space, we have observed that these entities work in extremely different circumstances from traditional enterprises. Some of them are one-person operations that outsource services such as accounting on a need basis. It would be difficult for them to comply with the registration requirements, compared to larger entities that have dedicated compliance departments. We, therefore, propose that as the Bill requires registration of data processors and controllers, the data protection framework be tiered, and that consideration be given to the type of data being handled by data processors and controllers.
CIPIT in previous submissions supported the creation of an independent oversight office to implement the data protection law. We laud the provision for a Data Protection Commissioner and have made several proposals on the office. This includes enhancing the predictability of decision making while reducing discretion.
In 2017, we carried out research on the privacy implications on the biometric voter registration in the elections process. We found that there was an abuse of personal data such as voter registration details and phone numbers by government agencies who for example shared and sold personal data. Other reports have also found that law enforcement carries out surveillance on phone data sometimes resulting in extrajudicial killings. We, therefore, recommend that all proposed government programs involving personal data collection and processing by any government entity be submitted to the Data Commissioner for review and approval on the compliance of such programs with the requirements of the Bill. In our submission, we seek that enactment of the Data Protection law include an amendment to the Registration of Persons Act, under which the Huduma Number program is being undertaken.
We also recommend the strengthening of the law in favor of the data subject. Data breaches are the single greatest risk to widespread data processing, and public awareness of data breaches is critically important as a tool to reduce their frequency, severity, and harmful impact. Accordingly, the Data Commissioner (or the entity suffering a data breach) should be required to make public the details of any security/data breach. This requirement should apply regardless of whether the data is encrypted or anonymized since decryption algorithms and de-anonymization algorithms are increasingly available.
Kenya is among Africa’s most connected countries with a budding data economy. The data protection law is a first step towards ensuring that even in these developments, the privacy of each person is protected and promoted. CIPIT is greatly encouraged by the development of this legislative and regulatory framework as contemplated by the Bill and will continue with research to inform emerging issues in data protection.
*Grace Bomu is a Research Fellow at CIPIT.