
By Malcolm Kijirah

This post is the fourth in CIPIT’s analysis of the data protection principles provided for under section 25 of the Data Protection Bill. It focuses on section 25(f), which provides that personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes for which it is collected.

Kenya’s National Assembly recently released a Data Protection Bill 2019 (the Bill), which gives effect to Article 31 of the Constitution of Kenya – The Right to Privacy. Specifically, the Bill prescribes a legal instrument for the protection of personal data. It establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of processing of personal data, and provides rights of data subjects and obligations of data controllers and processors.

Section 25 of the Bill outlines the broad principles of data protection, and this article focuses on s25 (f), which states: ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’.

The principles detailed in s25 of the Bill are in essence the overarching themes that capture the spirit and intent of the Bill. On a black-letter reading of the wording used in s25 (f), it appears self-evident that data identifying any data subject should not be held indefinitely, particularly after its utility has ended.

For example, it should be a primary privacy concern to any Kenyan citizen how the data they use in their communications online or over the phone is stored by local telecommunication companies, who can access this data (for example if required for national security purposes), and for how long this data is held by these companies.

It is an open secret that the Bill borrows heavily from the European Union’s General Data Protection Regulation (GDPR).[1] As this is still a Bill and the interpretation of this clause has not yet been tested in Kenyan jurisprudence, it is prudent to look to the intent of the GDPR principles for an analysis of s25 (f). In this case it subscribes to the following principles:

  • The purpose limitation principle – a data controller[2] or data processor[3] should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. This principle has been reviewed in detail in this series of blogs, particularly under s25 (e).
  • The storage limitation principle – This is effectively stated in the last part of the above principle, which is basically that organisations need to delete personal data when it is no longer necessary. What does ‘no longer necessary’ mean in this context? In my view this means that data controllers should only process data for the time needed to execute the purpose for which this specific information was collected.

The question that follows is how this principle is effected in the Bill. From this blogger’s review, aspects of this principle are espoused in the following clauses:

  • Section 28(3) provides that a data controller or processor shall collect, use or store personal data for a lawful, specific and explicitly defined purpose (purpose limitation principle).
  • Section 29(c), on the duty to notify, provides that a data controller shall be mandated to inform the data subject of the purpose for which the personal data is collected (purpose limitation principle).
  • Section 34(b) provides that processing of personal data may be restricted where personal data is no longer required for the purpose it was intended for (purpose limitation principle).
  • Section 39 provides for limitation of retention of personal data and outlines some exemptions (storage limitation principle).

It is important to note that the two principles in this clause are inextricably linked: in order to establish the length of time data may be stored, it is incumbent on the decision makers to consider the purpose for which it is being used, as espoused in s25(e).

As above, the purpose limitation principle has been expounded on in the s25(e) blog in this series. To explore s25 (f) further, this blogger will focus on s39 of the Bill, which outlines the exemptions/limitation of retention of personal data. In particular, s39 (a) provides that a data controller or data processor shall retain data only as long as may be reasonably necessary to satisfy the purpose for which it is processed unless the retention is ‘required or authorised by law’. There is therefore a risk that this clause may give authority for a data controller to retain data perpetually, as there is no time limit defined in the Bill for how long the data may be retained.

Broadly speaking, the period that the data controller/processor requires to retain the data should be specified and indicated to the data subject to inform their consent. Importantly, and to the extent possible, this should be done before the data is collected. There is a reasonableness standard that should be determined on a case by case basis.

For the purposes of this article this blogger will use the example of a Part VII exemption, s51 (2) (b), which outlines that the processing of personal data is exempt from the provisions of this Act if it is necessary for ‘national security or public order.’ This exemption will be used to illustrate how the storage limitation principle may be effected appropriately despite tensions with seemingly open-ended exemptions such as that espoused in s39 of the Bill, being ‘required or authorised by law’.

The storage and purpose limitation principles are in tension with this national security exemption. For one, by necessity, informing a data subject for their consent defeats the covert nature of national security investigations. Therefore, the right to privacy may be limited for purposes of national security and/or the prevention, detection, investigation, prosecution or punishment of a crime. The broad nature of this exemption demands that a balance be struck in interpreting and implementing this power. This raises a number of questions from a personal privacy perspective, including:

  • What agencies are included in the ambit of ‘National security’ agencies?
  • How will they obtain this data and from whom?
  • How long will this data be retained and for what purpose?
  • What forms of oversight are in place to make sure a national security agency does not abuse this exemption?

In this particular instance, it is possible (if not likely) that the data obtained and retained will be data from telecommunications companies. The data subject as prescribed in s25 (f) is any citizen that these agencies are investigating, i.e. the companies’ customers. Whilst it is true that access to data is central to almost all serious criminal and national security investigations, the key question being illustrated in this example under the s25 (f) principle is how long this data will be retained for this purpose by organizations in the telecommunications industry, such as carriers, carriage service providers and internet service providers such as Safaricom, Airtel, Orange etc.

Given the ambiguity in this space, it is important for clarity to be provided. This blogger proposes the following:

  • Access to telecommunications data under any proposed data retention scheme should be subject to a number of safeguards. In particular:
      • access to data is limited to a defined list of law enforcement and national security agencies
      • agencies that may access data are subject to an independent oversight body and/or judicial review
      • the relevant Ministry reports to Parliament on the operation of a data retention scheme each year
  • Where National security or enforcement agencies require access to relevant data, those agencies are required to obtain a warrant, and report all such requests to their respective independent oversight body.

In view of the above, an amendment of the Bill, or regulations that govern data retention (from a national security perspective), should be enacted to satisfy the s25 (f) principle. This hard law instrument should outline the type of data that may be processed by such organs (with/without a warrant), the length of time such data shall be processed (within the norms of proportionality), and the organs that may process the data. It should also outline how long this data is to be retained by the relevant organisations for this purpose (these being the telecommunications organisations and the national security agencies).

A good reference point is to review how other jurisdictions have dealt with this challenge. Australia has enacted the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015[4], which requires its telecommunications companies to retain a particular set of telecommunications data for 2 years. This is primarily metadata (a set of data that describes and gives information about other data). The content or substance of a communication is not considered to be metadata and is not to be stored.

The UK enacted the Data Retention and Acquisition Regulations 2018[5] (the regulations) in October 2018. The regulations were introduced following the Court of Justice of the European Union’s (CJEU) ruling on the Tele2 and Watson case in 2016[6], which found that the scope of the UK’s data retention regime was too wide to be compatible with European Union (EU) law. The CJEU found that the retention and acquisition of communications data can only be justified where: (1) the objective is fighting serious crime, (2) only data that is “strictly necessary” is retained, and (3) the retained data is kept within the EU. The CJEU noted that there should also be independent administrative or judicial authorisation for the retention and acquisition of communications data. The CJEU therefore required the UK to limit the scope of its data retention regime[7].

In this instance the UK regulations directly affect telecommunications and postal operators as the potential subjects of retention notices issued by the Secretary of State. A retention notice may relate to a particular operator or any description of operators and require the retention of all data or any description of data for up to 12 months[8].

In 2006 the EU issued its Data Retention Directive[9]. According to the Directive, EU Member States had to store electronic telecommunications data for at least 6 months and at most 24 months for investigating, detecting and prosecuting serious crime. In 2016, with an EU legal framework on data retention still lacking, the CJEU further clarified what safeguards are required for data retention to be lawful in the aforementioned Tele2 and Watson case[10].

In conclusion, Section 25(f) of the Bill details that ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’. There are various clauses, including Section 28(3), 29(c) & 34(b) of the Bill, that reflect this principle. In this article, however, this blogger has focussed on the national security data retention exemption to illustrate just one specific subject area in which the principle outlined in s25 (f) of the Bill may have a very credible and wide-ranging impact on the protection and retention of personal data.

In this particular instance, as currently drafted, there will eventually be a tension between personal privacy rights and national security requirements in the retention of data (storage limitation principle). More transparency will eventually be required by the public on what information national security agencies require, how they use it, what oversight there is, and importantly, how long they and any affected organisations such as telecommunication companies can retain this data.

Enacting additional legislation or regulations that govern data retention in the national security space will become necessary to address these privacy concerns and fully effect the storage limitation principle drafted in s25 (f). This will provide a legislative safeguard for our personal identification data and communications, and provide oversight for its use if it is ever required under the national security exemption.


[1] EU Data protection and privacy regulation agreed upon in April 2016, available at https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

[2] Defined in the Bill as “a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing of personal data”.

[3] Defined in the Bill as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller”.

[4] https://www.legislation.gov.au/Details/C2015A00039

[5] https://www.legislation.gov.uk/uksi/2018/1123/pdfs/uksi_20181123_en.pdf

[6] https://www.daqc.co.uk/wp-content/uploads/sites/22/2016/12/Watson-judgment-1.pdf

[7] O’Donoghue, C. and Bateman, K. “UK Government introduces Data Retention and Acquisition Regulations 2018” at https://www.technologylawdispatch.com/2018/12/regulatory/uk-government-introduces-data-retention-and-acquisition-regulations-2018/

[8] Ibid

[9] https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058

[10] Data Retention Across the EU at https://fra.europa.eu/en/theme/information-society-privacy-and-data-protection/data-retention