The following post is the second of CIPIT’s analysis of the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on Section 25 (c) & 25 (d) of the Bill which provides for the processing of personal data collected should be for an explicit, specific and legitimate purpose and that the personal data should be adequate, relevant, limited to the purposes.
As was pointed out in the previous blog, available here, the central objective of the Data Protection Bill is to
give effect to the Right to Privacy enshrined in Article 31 of the
Constitution. Over and above this objective the preamble of the Bill provides
other objectives of the Bill. It states that the Bill is to make provision for
the regulation of the processing of personal data, provide for the rights of
data subjects and impose obligations on the data controller and processors.
In order to ensure that the objectives of the Bill, in particular, the regulation of the processing of personal data, are catered for, the Bill contains several provisions which help facilitate the achievement of these objectives. One such provision is Section 25 which contains the data protection principles, this blog will focus on the principles of purpose limitation and data minimisation provided for in section 25(c) & 25(d).
This is the first in a series of blogs where the CIPIT team analyses the principles of data protection as provided in Section 25 of the Data Protection Bill, 2019. This edition by Charles Lwanga Opiyo tackles sections 25 (a) and (b) of the Bill, which provide for the processing of data in accordance to the right of privacy, and processing data in a lawful, fair and transparent manner respectively. In this analysis, sections of the Bill that reflect the principles in 25 (a) and (b) are reviewed as well…
The central objective in the Data Protection Bill, 2019 (the Bill) is to give effect to the right to privacy (Article 31 of the Constitution of Kenya 2010), as is explicitly stated in the preambular section of the Bill. Section 25 (a) of the Bill reiterates the constitutional right to privacy in the context of data protection, stating that data controllers and processors shall ensure that personal data is processed “in accordance with the right to privacy of the data subject”. This article seeks to unpack the concept of privacy in the Kenyan Constitutional context and analyze how the same concept is reflected in the Bill. The Constitution shall be the test upon which the provisions of the Bill are reviewed.
The provisions of Section
25 (b) – i.e., that data be processed lawfully, fairly, and in a transparent
manner – are also discussed in this post because of their intimate connection
with the right to privacy.
It is also understood that principles in the Bill are similar to Europe’s General Data Protection Regulations (GDPR). This article will highlight such similarities.
Last year, CIPIT hosted a series of public participation fora over three months in response to a request for comment on a proposed Data Protection Bill originating from the Senate (the “Senate Bill”) and a similar policy that was formulated by the ICT Ministry (the “Ministry Bill”). The CIPIT events preceded a public participation event with a variety of stakeholders, held at the Louis Leakey Auditorium before the Privacy and Data Protection Taskforce on 5 October 2018.
The CIPIT events generated a great deal of discussion and informative content from the participants who consisted of stakeholders involved in the processing of data. The information collated during these events represented the varying positions and views held by participants and was synthesized into a cohesive set of documents that were presented during a meeting with the task force on 26 September 2018.
The legislative process is now at a crucial juncture, the Data Protection Bill is in the committee phase in the National Assembly. On Tuesday 16 July 2019, the Parliamentary Departmental Committee on Communication, Information and Innovation accepted Memoranda from the public on the 2019 Data Protection Bill.
Data protection is definitely in vogue in Africa. This may be a response to the economic potential of having robust data protection safeguards, and the fear of being left behind by other states that have implemented such laws.
The intricacies involved in establishing a functioning data protection regime, mandate Kenya’s legislators to comprehend the full gamut of parties involved in the data life-cycle, and accruing rights and duties.
What is the data life-cycle? A report by the Centre for International Private Enterprise (CIPE) defines it as the four stages data goes through, from initial collection to disposal. These stages are data collection and processing, storage, transfer, and disposal.
Why is it important? Regulation should adequately modulate the actions of various persons in the data cycle and the processes involved.
The Matter of Mangala & WAP -vs- The Guacamole Republic of Avocado (GRA)
As promised, here is the account of the recently concluded CIPIT ICT Moot. Held every two years, the competition attracts teams across East Africa. It is the only one in the mooting calendar this part of Africa that has information technology and intellectual property as subject matters. This allows competitors to engage with contemporary issues, as was the case in this year’s edition. Data protection has not been legislated extensively in Kenya. The resulting lacuna forces the litigant to think outside the box and try to find viable and practical solutions to technology related problems oft outside the purview of lawyers.
“There will be winners, and there will be losers…” were the words of the Dean of the Strathmore Law School to end his address to the participating teams during the second biennial CIPIT moot. This author is sure that nothing rung truer in the minds of the eager young faces looking at him.
CIPIT held its biennial moot on 11th and 12th of October 2018. In total there were 13 teams in attendance, with about half of the teams hailing from Uganda. In the coming weeks, the CIPIT team will provide a full play by play account of events. Before that however, we would like to acknowledge one of the teams that participated.
The University of Nairobi Team comprising of the Kanyangi twins (so any confusion in the above image is regretted but understandable) and Jackline Sang wrote to us, grateful for the wonderful experience they had during the moot. Truth be told, it is the CIPIT team that is in gratitude for their attendance and their thoughtful letter. Here is their account of the moot, viva voce…
“It was a great privilege to participate in the recently concluded CIPIT 2018 moot competition. From the very onset it was exciting to engage with teams from universities around the country and Uganda. The moot concerned the right to privacy and data protection. Of specific emphasis was the disclosure of health data to third parties and the use of such information to peddle advertisements on the accounts of Wika virus victims.
A striking postulation of free speech was developed in the 19th Century by John Trenchard and Thomas Gordon, supporters of John Locke. They defined the right as the freedom to “think what you would and speak what you thought”. This placed a strong emphasis on the citizens’ role in exercising the right as against an implied oppressor, the government.
Other postulations of the right intuit that there is a balance to be struck between the right expressed by the citizen and the right of others. Between citizens, the government is charged with ensuring no one infringes the right of another. The overt regulation of speech amounts to the prevention from: holding an opinion, receiving information to facilitate creation of said opinion, or the dissemination of information that would allow the creation of opinions. The state would in this instance curb the spread of information it perceives as undermining its rule or that which infringes the rights of others.
The International Convention on Civil and Political Rights (ICCPR) posits freedom of speech as consisting two parts; a negative obligation on state organs, to deregulate speech and, a positive right, exercised by the public within the law. Subsequently, the right operates within two parameters as well: dissemination of information and expression of opinions that are vital for debate and transparency in democracies; and the censure of statements infringing the rights of others or abrogating order within the state. Two competing norms exist, individual autonomy versus the protection of collective goals, such as equality among persons.
Criticism of other persons should be conducted within the law. Hence, one must respect the rights and reputations of others. Are statements by errant bloggers protected by Kenya’s own free speech clause? Not quite, libellous statements are not granted legal protection. Article 33 of the Constitution of Kenya (CoK) outlaws making of statements that disparage persons and their reputations.
Citizens should be able to oppose decisions made by their government, employer, municipal court or member of parliament. The CoK stipulates that public participation is an essential avenue for citizens to express their sentiments regarding governance. In democracies, elected representatives are not immune from critique. Their actions are scrutinised by a vigilant public, aware of state obligations.
Free Speech: Applicable mutatis mutandis in cyberspace?
Conceptualists of free speech had written their treatises prior to the internet and mass media. Thus, contemporary issues such as jurisdictional conflicts over online offences were unforeseen. Free speech should evolve to meet these demands.
The right should supersede the classic two-party consideration; the government and the citizen. Social media platforms and internet service providers are new participants in the rights matrix. They curate more data than ever before and have the power to deactivate accounts spreading misinformation. While international case law indicates that social media is an arena for free speech, administrators should be obliged to curate the content on their sites and ensure there are no rights infringements.
Kenyan courts applied principles of tort to malfeasance on social media, to regulate the platform. This approach is only partially viable; the “obligation to curate” must be placed on administrators. The main impediment to this concern is practicality. Twitter cannot monitor its 335 million active user’s pages. Surveillance on that scale would broach a myriad of privacy concerns.
A possible solution could be mandating platforms to introduce a complaints system, allowing users to report rights violations. Administrators responding to the report provide initial adjudication on whether the offending content contravenes internal policies. Illegality however, mandates administrators to assist municipal law enforcement with information pertinent to investigations.
Concluding, digital free speech may be defined as:
The freedom to express a factual representation or opinion on an online platform. The right precludes the following: defamatory statements, hate speech, cyber-bullying, or misrepresentations. The custodians of the right include the government and at initial phases, administrators of online platforms. These custodians are obliged to respond expeditiously to any reports of illegal activity or activity flouting platform policies.