The Government of Kenya through the Ministry of Information Technology recently published draft regulations, the Data Protection (Civil Registrations) Regulations 2020 and called for a public participation hearing on 27th February 2020 at KICC, welcoming oral submissions and comments to the draft regulations.
The regulations are divided into six parts covering respectively; Preliminary, Data Protection Principles, Rights of the data subject, Obligations of the civil registration entity, Security Safeguards, and Miscellaneous provisions.
CIPIT took part in the public hearing sessions and took note of debates arising from the process as discussed below. Data Protection Principles
Ensuring that legal frameworks on data protection meet the objective of protecting the collection, processing, and storage of personal data requires that the frameworks are structured to adhere to the principles of data protection. The regulation has focused on two principles – consent and security safeguards, inadequately addressing other core principles on purpose limitation, storage limitation, adequacy, and data transfer.
In order to avoid abuse, there is need for clarity on all the principles. The principles give effect to the rights of a data subject. Abiding by these principles not only guarantees the right to privacy but also legally justifies the processing of personal data in a manner that respects the rule of law.
Processing of Personal Data relating to children.
Children are less aware of the risk involved in the processing of their personal data and therefore merit specific protection when their data is collected and used. Consideration must be given to clarity on privacy notices, reliance on direct consent of a child, the competence of the child in understanding what they are agreeing to, identification of risks and consequences of the processing and the implementation of age-appropriate safeguards.
The recently enacted Data Protection Act, 2019 has brought about the need to enlighten stakeholders about its implication on personal data. The lawyers Hub training on Data Protection and the General Data Protection Regulation (GDPR) conducted on 22nd January, 2020, focused on expounding provisions of the Act with an intention of incentivizing lawyers on ways to comply. The training also highlighted provisions of the GDPR, from which the Data Protection Act has been heavily borrowed.
The speakers were Dr. Isaac Rutenberg,
Director for the Centre for Intellectual Property and Information Technology
Law (CIPIT), who explained the Data Protection principles and the GDPR;
Grace Bomu, Research Fellow at CIPIT, who took participants through the Kenyan
Data Protection Act and; Rosemary Koech, Legal and Regulatory Officer at
Oxygene Communications Ltd, who demonstrated measures that can be adopted by
lawyers to ensure compliance with the Act.
Dr. Isaac Rutenberg commenced by highlighting
the principles of data protection ,
established to guide data controllers and data processors in the processing of
personal data, and compared them with
the principles laid out in the GDPR, where it was evident that the principles
laid out in the two statutes are similar. He subsequently elaborated the
difference between personal data and
sensitive personal data and gave
a clear cut distinction between the two using illustrations, and emphasizing on
the need for lawyers to appreciate the difference when handling personal data,
to ensure effective compliance with the Act.
Over the last couple of years, Kenya has experienced a significant surge in insecurity. Notably, the country has seen a rise in terror attacks and cyber crime in its various forms. On the legislative front, security attacks have been met by a discernible trend: the enactment of a reactionary law, which is then flagged by human rights advocates for infringing on fundamental rights and freedoms. Next, a tedious court process in which the court has to weigh limitations in the law and adjudicate on whether the limitations are constitutional or not.
Pieces of legislation that have followed
this cycle include the infamous Security
Laws (Amendment) Act (SLAA) and
the Computer Misuse and Cybercrimes Act in
2014 and 2018 respectively. More recently, the Statute Law (Miscellaneous Amendment) Act introduced the National
Integrated Information System (NIIMS), a system was, and is still being contested
The similarity in the above cases, and
more, is telling of a legislative system that perhaps does not take adequate
consideration of fundamental rights and freedoms, especially where security
needs are involved. This results in a court process which is both time and financially
consuming. It is for this reason that the Centre for Intellectual Property and
Information Technology Law (CIPIT) sought to bridge the gap by providing a
resource of standards to consider when legislating on security provisions.
Particularly, we looked at the right to privacy given its prominence both
locally and internationally in recent events.
project took a multi-stakeholder approach, with respondents from the Judiciary,
Parliament, Law Society of Kenya, Kenya Law Reform Commission and civil society
represented by Katiba Institute. The result is a ten-point checklist that is based
on the proportionality principle as provided under Kenyan law. Through the
checklist, CIPIT hopes to provide a practical guideline on how to best ensure
proportionality and the rule of law while seeing to the security needs of the
country. The checklist can be found here.
The Forum on Internet Freedom in Africa
(FIFAfrica) is a landmark event that convenes various stakeholders from the
internet freedom, governance and online rights arenas in Africa and beyond to
deliberate on gaps, issues and opportunities for advancing privacy, access to
information, freedom of expression, non-discrimination and the free flow of
information online on the continent.
The Forum responds to rising challenges to the
enjoyment of internet freedom in various countries, including arrests and intimidation
of online users, internet disruptions, and a proliferation of laws and
regulations that undermine the potential of digital technology to drive
socio-economic and political development on the continent.
FIFA strives to put internet freedom on the agenda
of key actors including policy makers, regulators, human rights defenders, law
enforcement representatives, and the media, paving way for broader work on
advancing online rights in Africa and promoting the multi-stakeholder model for
The engagement at the Forum aims to reflect the current
trends and concerns in access and usage of the internet and related
technologies on the continent at any given point in time. As such, each year
has its theme based on the state of Internet Freedom in Africa at that point.
This is the finale in our series on Data Protection principles espoused in the Data Protection Bill.
Clause 25 of the 2019 Data Protection Bill spells out the principles
of data protection. Among this is the prohibition from sharing data
with third parties without the consent of the data subject.
“Third party” is a term that originates from contracts.
Traditionally contracts are between two parties and a third party is
a person who deals with the contracting parties but is not party to
the contract. In data protection however, there are typically three
parties- the person whom the data concerns (data subject), the person
who designs how data will be processed (data controller) and the
person who actually processes the data (the data processor). In some
cases, data is processed by the same organisation that is the
controller. In other cases, it is processed by a third party
processor. A third party processor would not typically require
further consent to process data on behalf of the data controller.
For example, a manufacturing firm may outsource their payroll
function to a HR firm. The manufacturing firm is the data controller
as they determine which data is collected, and how it is processed.
The HR firm is the third party data processor and employees of the
manufacturing firm are data subjects.
The Data Protection Bill envisages that the data controller will
inform the data subject of the use to which their data is being put.
Clause 26 lists the rights of the data subject, and they include the
right to be informed about their data use; right to access their data
in the custody of the controller or processor; as well as the right
to object to processing of all or part of their personal data. In
the above example, the manufacturing firm would need to inform their
employees that their personal data is processed by the payroll
In the event that the data controller or processor were to share the
data with a third party, then the consent of the data subject would
be needed. Clause 25(g) states:
This post is the fourth of CIPIT’s analysis on the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on section 25(f) which provides that personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes for which it is collected.
Kenya’s National Assembly recently released a Data Protection Bill 2019 (the Bill), which gives effect to Article 31 of the Constitution of Kenya – The Right to Privacy. Specifically, the Bill prescribes a legal instrument for the protection of personal data. It establishes the Office of the Data Protection Commissioner, makes provisions for the regulation of processing of personal data, and provides rights of data subjects and obligations of data controllers and processors.
Section 25 of the Bill outlines the broad principles of data protection, and this article focuses on s25 (f), which states: ‘personal data should be kept in a form which identifies the data subject for no longer than is necessary for the purposes which it is collected’.
These principles detailed in s25 of the Bill are in essence the overarching themes that capture the spirit and intent of this Bill. On a black letter review of the wording used on s25 (f) it appears self-evident that data identifying any data subject should not be held for an infinite timeframe particularly after its utility has ended.
For example, it should be a primary privacy
concern to any Kenyan citizen how the data they use in their communications
online or over the phone, is stored by local telecommunication companies, who
can access this data(for example if required for national security purposes),
and for how long this data is held by these companies.
It is an open secret that the Bill borrows heavily from the the European Union’s General Data Protection Regulation (GDPR). Being a Bill, as the interpretation of this clause hasn’t yet been tested from a Kenyan jurisprudence perspective, it is therefore prudent to look to the intent of the GDPR principles for an analysis of s25 (f). In this case it ascribes to the following principles:
The purpose limitation principle – a Data controller or Data processor should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose. This principle has been reviewed in detail in this series of blogs particularly under s25 (e).
The storage limitation principle – This is effectively stated in the last part of the above principle, which is basically that organisations need to delete personal data when it is no longer necessary. What does ‘no longer necessary means’ in this context? In my view this means that data controllers should only process data for the time needed to execute the purpose for which this specific information was collected.
The question then follows, how this principle
is effected in this Bill. From this blogger’s review, aspects of this principle
are espoused in the following clauses:
Section 28(3) provides that a
data controller or processor shall collect, use or store personal data for a
lawful, specific and explicitly defined purpose (purpose limitation principle).
Section 29(c) on the duty to
notify, a data controller shall be mandated to inform the data subject of the
purpose for which the personal data is collected (purpose limitation principle).
Section 34(b) provides that
processing of personal data may be restricted where personal data is no longer
required for the purpose it was intended for (purpose limitation principle).
Section 39 provides for
limitation of retention of personal data and outlines some exemptions (storage limitation principle)
Although Kenya does not have a rich history when it comes to privacy law as compared to the US, supposedly due to varying ages of the countries, there is an increasing interest in the right to privacy especially as applied in the digital sphere. The challenge, however, resides in defining the right to privacy in the digital era.
The Constitution of Kenya provides for the right to privacy but it is not immediately apparent Article 31 appreciates the realities of the digital world where the right can be asserted over the communication and telecommunication networks.
A report published by Privacy International highlights the intrusive nature of micro-lending apps, which continue to demand more and more personal data in a bid to define what they term as a financial identity in a bid to determine a person’s credit worthiness. The report studies the nature of information collected to create such identity. One digital lender, Branch, collects call logs, contacts, SMS messages including M-Pesa, GPS location, the repayment patterns of one’s friends for Branch loans etc. Most of these digital lenders are startups whose exit strategy involves being bought out by another company. It is not clear to what extent to customers will have control over their data once the startup is sold to new owners.
The case of Kenya Human Rights Commission v Communications Authority of Kenya & 4 others  eKLR discusses the use of a Device Management System (DMS) to tap into the devices of mobile phone users. The device was mainly meant to monitor illegal international calls between Kenya and Rwanda. Nevertheless, the High Court ruled that the device would infringe on the consumer right to privacy because the monitoring would be done in the absence of orders to collect information of a private nature.
Why does it Matter?
The foregoing cases bring out a number of challenges that need to be resolved if we are to entrench the right to privacy in the digital space. To begin with, where there are no mechanisms to regulate the nature of information collected, the autonomy of the individuals from whom such information is collected may not be respected. In addition, entities who unwittingly collecting significant volumes of data create a significant risk when their technical systems are breached. Moreover, it is important to make sure that customers can always exercise their data protection rights where a company changes ownership.
The Way Forward
From the aforementioned, certain elements are necessary in defining the right to privacy. A digital right to privacy will be assured where the data subject can determine: a) who can collect their data, b) what data is collected, c) what data is not collected, d) and the nature consent required to collect certain kinds of data. This criterion derives from the legal doctrine of the right to informational self-determination in respect of right to privacy. It is the right of a person to determine the disclosure, and the use of their personal data. The doctrine is in line with Westin’s definition of the right to privacy which he succinctly defines as “the right of the individual to decide what information about himself should be communicated to others and under what circumstances”.
 Samuel Warren, Louis Brandeis, ‘The Right to Privacy’, Harvard Law Review, Vol 4 No.5.
 Article 31, Constitution of Kenya (2010): Every person has the right privacy, which includes the right not to have – (a) their person, home or property searched, (b) their possessions seized, (c) information relating to their family or private affairs unnecessarily required or revealed, or (d) the privacy of their communications infringed.
 Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017.
 Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017
 Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017
 Crabtree A,’ Personal Data, Privacy and the Internet of Things: The Shifting Locus of Agency and Control’
 Rouvroy A, ‘The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy’ 2009.
 Westin A, ‘Privacy And Freedom’, 25 Washington and Lee Law Review, 1968.