*Lyndah Tugee & Mercy Kingori
A little history
Brandeis and Warren trace the origin of the right to privacy in the U.S. back to the 1890s. They define privacy as the right to be let alone[1]. The right was first concerned with personal autonomy but it later evolved to cover the peoples’ personal information. A Privacy Act was enacted in 1974 to prevent unauthorized disclosure of personal information held by the federal government. Later on, other Acts including Financial Monetization Act 1999 and Fair Credit Reporting Act requiring financial institutions to provide customers with a privacy policy and to protect their personal financial information they had collected.[2] The right continues to extend its sphere of influence with the emergence of technology, which allows individuals to use, create and publish digital media or to access and use computers, devices or communication networks.[3]
Although Kenya does not have a rich history when it comes to privacy law as compared to the US, supposedly due to varying ages of the countries, there is an increasing interest in the right to privacy especially as applied in the digital sphere. The challenge, however, resides in defining the right to privacy in the digital era.
The Issue
The Constitution of Kenya provides for the right to privacy but it is not immediately apparent Article 31 appreciates the realities of the digital world where the right can be asserted over the communication and telecommunication networks.[4]
A report published by Privacy International highlights the intrusive nature of micro-lending apps, which continue to demand more and more personal data in a bid to define what they term as a financial identity in a bid to determine a person’s credit worthiness.[5] The report studies the nature of information collected to create such identity.[6] One digital lender, Branch, collects call logs, contacts, SMS messages including M-Pesa, GPS location, the repayment patterns of one’s friends for Branch loans etc.[7] Most of these digital lenders are startups whose exit strategy involves being bought out by another company. It is not clear to what extent to customers will have control over their data once the startup is sold to new owners.
The case of Kenya Human Rights Commission v Communications Authority of Kenya & 4 others [2018] eKLR discusses the use of a Device Management System (DMS) to tap into the devices of mobile phone users. The device was mainly meant to monitor illegal international calls between Kenya and Rwanda. Nevertheless, the High Court ruled that the device would infringe on the consumer right to privacy because the monitoring would be done in the absence of orders to collect information of a private nature.
Why does it Matter?
The foregoing cases bring out a number of challenges that need to be resolved if we are to entrench the right to privacy in the digital space. To begin with, where there are no mechanisms to regulate the nature of information collected, the autonomy of the individuals from whom such information is collected may not be respected. In addition, entities who unwittingly collecting significant volumes of data create a significant risk when their technical systems are breached.[8] Moreover, it is important to make sure that customers can always exercise their data protection rights where a company changes ownership.
The Way Forward
From the aforementioned, certain elements are necessary in defining the right to privacy. A digital right to privacy will be assured where the data subject can determine: a) who can collect their data, b) what data is collected, c) what data is not collected, d) and the nature consent required to collect certain kinds of data. This criterion derives from the legal doctrine of the right to informational self-determination in respect of right to privacy. It is the right of a person to determine the disclosure, and the use of their personal data.[9] The doctrine is in line with Westin’s definition of the right to privacy which he succinctly defines as “the right of the individual to decide what information about himself should be communicated to others and under what circumstances”.[10]
[1] Samuel Warren, Louis Brandeis, ‘The Right to Privacy’, Harvard Law Review, Vol 4 No.5.
[2] < https://www.livescience.com/37398-right-to-privacy.html> as at 3rd August 2018.
[3] < https://en.wikipedia.org/wiki/Digital_rights> as at 19th August 2018.
[4] Article 31, Constitution of Kenya (2010): Every person has the right privacy, which includes the right not to have – (a) their person, home or property searched, (b) their possessions seized, (c) information relating to their family or private affairs unnecessarily required or revealed, or (d) the privacy of their communications infringed.
[5] Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017.
[6] Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017
[7] Privacy International, ‘Fintech: Privacy and Identity In the New Data-Intensive Financial Sector’, 2017
[8] Crabtree A,’ Personal Data, Privacy and the Internet of Things: The Shifting Locus of Agency and Control’
[9] Rouvroy A, ‘The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy’ 2009.
[10] Westin A, ‘Privacy And Freedom’, 25 Washington and Lee Law Review, 1968.