The Hansard for the
Miscellaneous Amendment Act 2018 makes for very interesting reading.
On 7th August 2018, Parliament debated proposed amendments
to the Registration of Persons Act that would create the National
Integrated Identity Management System (NIIMS, a.k.a. “Huduma
Parliamentarians questioned the legality and wisdom of introducing
NIIMS via the Miscellaneous Amendment process. Said Hon. Robert Mbui:
“this [bill] is basically meant to deal with minor amendments to various laws. It also helps us to save time. I have gone through the Bill and I have seen quite a number of major amendments. The amendments are basically good and a lot of them seek to add value to the laws that exist. It is unfortunate that they have come as omnibus; they have all come together, so they may not receive the kind of attention that they require. I have picked about five amendments that I think are major and require a lot of deliberations. The first one is the amendment on the registration of persons.”
said Hon. Ronald Tonui:
normally assume that the Statute Law (Miscellaneous Amendments) Bill
normally takes care of minor corrections in Acts but in this one,
massive proposals have been put forward that we ought to amend. Many
of them may be unconstitutional in nature.”
(Dr.) Wilberforce Oundo similarly agreed:
basic and straightforward reading of the term “miscellaneous” or
“minor amendments” should surely be done to rectify clerical and
typographical issues or to align an Act of Parliament to any
political or constitutional dispensation or any changes in some Acts
that touch on that particular Act. What we have here touches close to
60 Acts, making it practically impossible for any reasonable Member
to literally review, interrogate and make reasonable comments in
respect of each and every Bill. The time allowed is not adequate.”
This post forms part 2 of our series on the Intellectual Property considerations in the Copyright Amendment Act. The IT considerations, focusing on digital rights will be addressed in a follow up series.
ISPs and Take Down Notices
35B covers take down notices, their form, content, addressees etc. A
is a request to an ISP by a copyright holder (complainant) to remove
take down notice shall:
Be in writing and addressed to the ISP or their agent.
Contain the name and address of the complainant.
Signed by or for the complainant.
Contain specific details of the copyrighted works subject of infringement or which is to be removed.
Identify the rights being infringed, for instance the broadcast, production rights etc.
Set out the details of the content to be taken down and the location of this content.
Be accompanied by a sworn statement attesting to the ownership of the content, validity of the rights under e) above, good faith on the complainant and the efforts (albeit unsuccessful attempts) made to the entities responsible for making the content available remove the content; and
be copied to the Board Communication Authority and the recognized ISP umbrella body.
Comment: Conspicuously missing is a requirement to include the alleged infringer (who is the ISP subscriber hence the addressing of the notice to the ISP) in the notice to take down. Such inclusion would notify and provide an alleged infringer of the notice and the option to ‘challenge’ a take-down notice issued to their ISP. There exists a relationship between the ISP and their subscribers contractual or otherwise. The obligation to notify the subscriber, if any, shifts to the ISP (see below). It is not clear as to why such a requirement would be excluded yet the requirement of a sworn statement by the complainant would be presumptive that they have attempted to reach the alleged infringer to remove the infringing content. Would the subscriber not be entitled to demand to be heard before the notice is effected? If yes, at what point would they be heard yet the notice is to be effected within 48 hours? Article 47 of the Constitution of Kenya provides that every person has a right to fair administrative action, this right includes the right to be heard.
A take down notice will be deemed delivered
Next business day following physical delivery at an ISP’s registered office.
2 days after the day post if by registered post.
Immediately if sent by electronically to a designated ISP address.
Comment: This provision has serious implication for the ISPs as it dictates when the 48 hours of compliance starts running. Where an ISP has provided a designated address, time starts running immediately a complainant sends it. It is not clear what would happen if there is delivery failure, if it is sent on a day that the ISP is closed for business or is even intercepted by a third party. While this blogger appreciates the fact that electronic transmission is instant, she acknowledges that there are circumstances that may interfere with the ISPs ability to receive the electronic notification. Legislating on time of delivery elevates time to a statutory requirement which carries weighty consequences. Time is truly of essence. However, having such a statutory requirement is an open invitation to breach. This is best left to the industry to regulate. The Board in charge of regulating ISPs may issue policy directions on the same therefore introducing implementation flexibilities.
ISP shall upon receipt of a valid
take down notice, notify the person responsible for making the
infringing content available and provide them with a copy as soon as
This provision is vague, yet its content creates a duty for the ISP.
The mandatory requirement, albeit on their cost, for the ISP to find
or establish mechanisms within which to ‘notify’ an alleged
infringer that they have received a takedown notice from the
complainant. It’s unclear if the notification should be in the same
manner as received from the complainant. For instance, if the
takedown notice is received electronically, can the ISP notify the
alleged infringer by mail? The latter would mean that time is
substantially altered. Yet it is a possibility.
notification should be immediate or as
soon as is practicable.
In light of subsection 5 which mandates an ISP to take down content
within 48 hours, what is immediate? What takes precedence? Taking
down the content or serving the notice on an alleged infringer? If
this should be as soon as practicable, whose practicality is it? The
complainant whose interest is to have the content taken down; the ISP
whose primary interest would be first to serve their clients, must
act within 48hours and disable access to the content; or the alleged
infringer whose interest is to have the content online at all time
and who may be benefiting economically from the content, who may
require ‘reasonable’ time to file a counter notice? Lastly, if it
is the ISP’s practicability, can they take down the content i.e.
comply with the law and then serve notice later? The option of having
the notice sent ‘as soon as is practical is ambiguous capable of
more than one interpretation.
This post forms part one of a two part series focused on the Intellectual Property considerations in the Copyright Amendment Act. The IT considerations, focusing on digital rights will be addressed in a follow up series.
ISPs and Copyright
The Copyright Amendment Act (Amended Act) 2019 has brought in new provisions which have created new obligations and extended rights for some parties within the copyright practice in Kenya.
In the next few weeks, the CIPIT IP Team shall undertake a review of these new provisions in a series of blogs all aimed at informing, analyzing and probably providing a critique to the same. This week’s blog begins with looking at the provisions relating to the liability of the Internet Service Providers (ISPs) in Kenya.
the onset, it is a matter of common notoriety now that copyright
enforcement is an
It requires concerted effort from all players and 3rd
parties as well. ISPs are 3rd
parties who provide a vehicle through which the copyright owners can
easily distribute their works and the users to freely enjoy the same.
Section 2 of the Amended Act defines an ISP;
a person providing information system services or access software
that provides or enables computer access by multiple users to a
computer server including connection for, the transmission or routing
put an ISP is a company or entity that provides internet
to its subscribers.
this works is that the owner or holder of copyrighted material
reduces it to a format which can be transmitted or carried through
the ISP network. The aim is to distribute the works to those who have
access to internet. Access of the copyrighted material can be free or
paid service. Payment is typically to the owner or an authorized
agent. Challenge within the copyright arena arises when the material
that should be paid for is accessed for free. Such access would be
unauthorized and infringing on the rights of the copyright holder.
ISPs are enablers of access, authorized or unauthorized hence their
inclusion in copyright enforcement.
ISPs and Internet Freedom
on their position, ISPs have the capacity to take down or disable
access to sites which are considered to be providing access/accessing
infringing materials. As is said, every coin has two, or three sides.
So the associated question is, in taking down the content or
disabling the content, will the ISP be infringing on anyone’s
digital or access rights, limiting the user’s internet freedom?
Where is the balance, if any? We shall address this with a post.
ISPs and the Law
their role in the distribution of copyright works, ISPs can be
enablers of infringement or can be the infringers depending on their
role. Section 35A provides for scenarios where an ISP shall not be
liable for infringement. These include where the ISP:
it only provides either automatic, intermediate or temporary
transmission, routing or storage of content (subject to copyright)
in its ordinary course of business on condition that:
does not initiate transmission
does not select the addressee/person receiving the content
functions are automated and technical such as not to select the
not promote the content or the material being transmitted.
the automatic, intermediate and temporary storage of content for
purposes making onward transmission of the data more efficient to
other recipients of the service upon their request on condition that
not modify the material;
with conditions on access to the material;
with rules regarding the updating the cache in conformity with
generally accepted standards within the service sector;
not interfere with the lawful use of technology to obtain
information on the use of the material;
or disables access once it receives a takedown notice or where the
original material has been deleted or access disabled on orders of
a competent court or otherwise on obtaining knowledge of unlawful
nature of the cached material.
Comment: The above places an obligation on the ISPs to ensure that they do not promote infringing materials under the guise of conducting business. This can be done partly by policing on the content or by requiring the internet content owners to indemnify the ISPs or exonerate them from liability should claims arise.
Cyberrights Research Initiative and Localized Legal Almanac (CYRILLA
is producing an open and federated resource toolkit and online
database, of legal information on digital rights. It addresses an
increasingly urgent need “for comprehensive databases aggregating
legislation and case law across a variety of jurisdictions”
expressed by digital rights researchers, journalists, civil society
advocates, human rights defenders, legal professionals, and others
seeking to shape rapidly evolving legal frameworks for digital rights
aims to organize and make accessible the world’s digital rights –
related laws so that a wide range of actors can more readily and
confidently assess legal trends as they shape and impact digitally
networked spaces, highlighting threats to human rights and
opportunities for legal reform.
known as the Arab Digital Rights Dataset, the CYRILLA database was
launched in late 2017 with a dataset of bills, law, and case law from
the 22 Arab League states. With the addition of new CYRILLA
Collaborative partners – Association for Progressive Communications
Centre for Intellectual Property and Information Technology Law
at Strathmore Law School, Columbia University’s Global Freedom of
Expression Program, Derechos Digitales3,
and Social Media Exchange (SMEX)5
– the database will expand over the next two years to include legal
information on digital rights from more than 90 countries in Latin
America, Africa and Asia.
a think tank established under Strathmore Law School, is the African
partner in this Collaborative, whose mandate relates to sub-Saharan
Africa countries. As part of its role CIPIT has been reaching out to
partners across Africa and collating, developing and populating a
with digital rights data from across sub-Saharan Africa. This data
includes both hard and soft law instruments such as legislation, case
law and policies from various African jurisdictions.
Today we pause our continuing IP series to dedicate this entire blog to the one and only Eliud Kipchoge. Why you ask? How is he related to your core business- IP? Well, there are several reasons as to why we had to do this. Most importantly, Eliud is a Kenyan champion. He is an athlete who holds several titles including 2016 Olympic Marathon Winner , 2018 World Record Holder with 2.01.39 just to name a few. He is personne extra ordinaire. More OF his achievements here. There are many things to write about Eliud but for today we shall discuss his upcoming challenge. You see, no athlete has attempted to break the current world record held by Eliud set in Berlin. So he took it upon himself to break his own record by running the 42km Marathon in a record time of 1.59.59. In this journey which he has documented in his various social media accounts, he has partnered with INEOS who are also the organisers of the challenge. The challenge is set to happen in Vienna, Austria for various reasons including weather and the course for the marathon. The challenge is tentatively planned to happen on 12th October, 2019 with the confirmation of this date from INEOS Performance Team planned for 9th October. From this side of the desk and the whole CIPIT Team would like to wish Eliud nothing but the best and this blogger promises to cheer him to the finish line. As Ben Cyco says, Cheza kama wewe!!
The second reason for dedicating this to Eliud is the commercial aspect that the challenge presents both to him and to the partners, official and unofficial. This part is meant to provoke everyone who reads it and to see the challenge from an IP perspective. In the challenge, Eliud will be wearing brands such as Nike and the event will be live on KBC, Standard group (KTN), NTV and Citizen TV in Kenya. There are other broadcasters all over the world. Nike have further specially designed 3-D printed Nike Zoom Vaporfly 4% shoe for Eliud which is aimed to give him peak performance. With such official sponsorship it is expected that Nike and Eliud, the companies will benefit commercially, directly and indirectly. This could be in the form of increased sales and reputation of the companies and that of the products endorsed by the athlete.
During the challenge, the broadcasters broadcasting to millions of people will not only focus on Eliud and also every other entity whose product which will be exhibited. This is advertising, creating brand presence, consumer awareness which in turn creates consumer loyalty. The resulting effect is a presumption by the consumers is that for an entity to be associated with such a challenge, their products (and services) must be of a certain status or quality. Such impact would ordinary times take time to create. The consumerism, the loyalty and pride resulting from this impact has a direct co-relation with the athlete. It is against this background that this blogger argues that such association should then be accompanied by commensurate commercial value to the athlete as well as the company.
This is the finale in our series on Data Protection principles espoused in the Data Protection Bill.
Clause 25 of the 2019 Data Protection Bill spells out the principles
of data protection. Among this is the prohibition from sharing data
with third parties without the consent of the data subject.
“Third party” is a term that originates from contracts.
Traditionally contracts are between two parties and a third party is
a person who deals with the contracting parties but is not party to
the contract. In data protection however, there are typically three
parties- the person whom the data concerns (data subject), the person
who designs how data will be processed (data controller) and the
person who actually processes the data (the data processor). In some
cases, data is processed by the same organisation that is the
controller. In other cases, it is processed by a third party
processor. A third party processor would not typically require
further consent to process data on behalf of the data controller.
For example, a manufacturing firm may outsource their payroll
function to a HR firm. The manufacturing firm is the data controller
as they determine which data is collected, and how it is processed.
The HR firm is the third party data processor and employees of the
manufacturing firm are data subjects.
The Data Protection Bill envisages that the data controller will
inform the data subject of the use to which their data is being put.
Clause 26 lists the rights of the data subject, and they include the
right to be informed about their data use; right to access their data
in the custody of the controller or processor; as well as the right
to object to processing of all or part of their personal data. In
the above example, the manufacturing firm would need to inform their
employees that their personal data is processed by the payroll
In the event that the data controller or processor were to share the
data with a third party, then the consent of the data subject would
be needed. Clause 25(g) states:
neutrality has many advantages and disadvantages. The success or
failure of net neutrality in a State has been relative, from a
neutrality advocates argue that keeping the internet open playing is
crucial for innovation; if broadband providers pick favourites
online, new companies and technologies might never have the chance
repealing net neutrality would lead to broadband providers being
“gatekeepers” of the internet (who have the power of defining
what websites and services are accessible). Customers would find
themselves in a helpless position at the hands of broadband
providers. This goes against the idea of net neutrality giving
Internet users more freedom without service provider interference.
on to the point above a handful of large telecommunications companies
dominate the broadband market. As a result they have the power to
suppress particular views or limit online speech depending on who can
pay the most.
example a broadband provider may allow some companies to pay for
priority or special treatments on broadband networks. The amount for
these special treatments may be high and every company may not be
able to afford and access it. Large companies would be able to afford
premiums for next-generation internet services and higher priority
lanes, but startups with no buying power will be squeezed out. That’s
relevant in the engineering space, with a lot of innovation happening
around Artificial Intelligence and robotics. Innovators are concerned
that broadband provider will become “arbiters of acceptable
online business models
This post is the fourth of CIPIT’s analysis on the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on section 25(f) which provides that personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes for which it is collected.
Kenya’s National Assembly recently released a Data Protection Bill 2019 (the Bill), which gives effect to Article 31 of the Constitution of Kenya – The Right to Privacy. Specifically, the Bill prescribes a legal instrument for the protection of personal data. It establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of processing of personal data, and provides rights of data subjects and obligations of data controllers and processors.
Section 25 of the Bill outlines the broad principles of data protection, and this article focuses on s25 (f), which states: ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’.
These principles detailed in s25 of the Bill are in essence the overarching themes that capture the spirit and intent of this Bill. On a black letter review of the wording used on s25 (f) it appears self-evident that data identifying any data subject should not be held for an infinite timeframe particularly after its utility has ended.
For example, it should be a primary privacy
concern to any Kenyan citizen how the data they use in their communications
online or over the phone, is stored by local telecommunication companies, who
can access this data(for example if required for national security purposes),
and for how long this data is held by these companies.
It is an open secret that the Bill borrows heavily from the the European Union’s General Data Protection Regulation (GDPR). Being a Bill, as the interpretation of this clause hasn’t yet been tested from a Kenyan jurisprudence perspective, it is therefore prudent to look to the intent of the GDPR principles for an analysis of s25 (f). In this case it ascribes to the following principles:
The purpose limitation principle – a Data controller or Data processor should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. This principle has been reviewed in detail in this series of blogs particularly under s25 (e).
The storage limitation principle – This is effectively stated in the last part of the above principle, which is basically that organisations need to delete personal data when it is no longer necessary. What does ‘no longer necessary means’ in this context? In my view this means that data controllers should only process data for the time needed to execute the purpose for which this specific information was collected.
The question then follows, how this principle
is effected in this Bill. From this blogger’s review, aspects of this principle
are espoused in the following clauses:
Section 28(3) provides that a
data controller or processor shall collect, use or store personal data for a
lawful, specific and explicitly defined purpose (purpose limitation principle).
Section 29(c) on the duty to
notify, a data controller shall be mandated to inform the data subject of the
purpose for which the personal data is collected (purpose limitation principle).
Section 34(b) provides that
processing of personal data may be restricted where personal data is no longer
required for the purpose it was intended for (purpose limitation principle).
Section 39 provides for
limitation of retention of personal data and outlines some exemptions (storage limitation principle)