Last year, CIPIT hosted a series of public participation fora over three months in response to a request for comment on a proposed Data Protection Bill originating from the Senate (the “Senate Bill”) and a similar policy that was formulated by the ICT Ministry (the “Ministry Bill”). The CIPIT events preceded a public participation event with a variety of stakeholders, held at the Louis Leakey Auditorium before the Privacy and Data Protection Taskforce on 5 October 2018.
The CIPIT events generated a great deal of discussion and informative content from the participants who consisted of stakeholders involved in the processing of data. The information collated during these events represented the varying positions and views held by participants and was synthesized into a cohesive set of documents that were presented during a meeting with the task force on 26 September 2018.
The legislative process is now at a crucial juncture, the Data Protection Bill is in the committee phase in the National Assembly. On Tuesday 16 July 2019, the Parliamentary Departmental Committee on Communication, Information and Innovation accepted Memoranda from the public on the 2019 Data Protection Bill.
CIPIT welcomes the publication of the Data Protection Bill by Kenya’s National Assembly. The center has been involved in policy development for the digital economy in Kenya and Africa at large. In 2014, CIPIT gave input to the African Union Convention on Cybersecurity and Personal Data Protection, emphasizing on the need to protect and promote the right to privacy. Since then, there has been massive development in the data economy in both the public and private sector. CIPIT has previously recommended a comprehensive data protection framework for Kenya.
The Centre has reviewed the proposed law and submitted comments to the Clerk of the National Assembly. From our interaction with micro, small and medium enterprises (MSMEs) in the digital space, we have observed that these entities work in extremely different circumstances from traditional enterprises. Some of them are one-person operations that outsource services such as accounting on a need basis. It would be difficult for them to comply with the registration requirements, compared to larger entities that have dedicated compliance departments. We, therefore, propose that as the Bill requires registration of data processors and controllers, the data protection framework be tiered, and that consideration be given to the type of data being handled by data processors and controllers.
Data protection is definitely in vogue in Africa. This may be a response to the economic potential of having robust data protection safeguards, and the fear of being left behind by other states that have implemented such laws.
The intricacies involved in establishing a functioning data protection regime, mandate Kenya’s legislators to comprehend the full gamut of parties involved in the data life-cycle, and accruing rights and duties.
What is the data life-cycle? A report by the Centre for International Private Enterprise (CIPE) defines it as the four stages data goes through, from initial collection to disposal. These stages are data collection and processing, storage, transfer, and disposal.
Why is it important? Regulation should adequately modulate the actions of various persons in the data cycle and the processes involved.
CIPIT’s bi-annual moot competition aims to be innovative and to attract teams from across East Africa, and the 2018 edition was no exception. This year’s edition was particularly significant being the first moot in Sub-Saharan Africa to focus on Information Technology(IT) Law. The 2018 moot problem addressed the complexities of innovation, privacy and data protection in jurisdictions that operate in a legal vacuum with respect to data privacy. Therefore, participating students were able to interact with the topics of privacy and data protection and grapple with the ambiguities these cutting-edge issues pose in the legal field. This was also an excellent opportunity for CIPIT to highlight the trickle- down effect of innovations to the recurring concerns of data protection, and to nurture the interest of the young generation in IT law and policy.
The Matter of Mangala & WAP -vs- The Guacamole Republic of Avocado (GRA)
As promised, here is the account of the recently concluded CIPIT ICT Moot. Held every two years, the competition attracts teams across East Africa. It is the only one in the mooting calendar this part of Africa that has information technology and intellectual property as subject matters. This allows competitors to engage with contemporary issues, as was the case in this year’s edition. Data protection has not been legislated extensively in Kenya. The resulting lacuna forces the litigant to think outside the box and try to find viable and practical solutions to technology related problems oft outside the purview of lawyers.
“There will be winners, and there will be losers…” were the words of the Dean of the Strathmore Law School to end his address to the participating teams during the second biennial CIPIT moot. This author is sure that nothing rung truer in the minds of the eager young faces looking at him.
CIPIT held its biennial moot on 11th and 12th of October 2018. In total there were 13 teams in attendance, with about half of the teams hailing from Uganda. In the coming weeks, the CIPIT team will provide a full play by play account of events. Before that however, we would like to acknowledge one of the teams that participated.
The University of Nairobi Team comprising of the Kanyangi twins (so any confusion in the above image is regretted but understandable) and Jackline Sang wrote to us, grateful for the wonderful experience they had during the moot. Truth be told, it is the CIPIT team that is in gratitude for their attendance and their thoughtful letter. Here is their account of the moot, viva voce…
“It was a great privilege to participate in the recently concluded CIPIT 2018 moot competition. From the very onset it was exciting to engage with teams from universities around the country and Uganda. The moot concerned the right to privacy and data protection. Of specific emphasis was the disclosure of health data to third parties and the use of such information to peddle advertisements on the accounts of Wika virus victims.
Lessons from the Forum on the participation of NGO’s in the 62nd ordinary session of the ACHPR at the Royal Suites Hotel, Nouakchott.
CIPIT was invited to the ACHPR NGO forum to present their biometrics research findings to a side event that was taking place during the African Charter for Human and Peoples Rights 62nd Ordinary Session and to lobby for the inclusion of the right to privacy to the ACHPR (Banjul Charter).
For this mission we teamed up with the Legal Research Centre (LRC) from South Africa and Privacy International from London. Based on his experience in previous ACHPR events, LRC’S Tsanga Mukumba advised us to advocate for the right to privacy to be included to the mandate of Rapporteur to the right of freedom of expression. He added that asking for the inclusion of the right to privacy, while still the end goal to the Banjul Charter, might be difficult at this stage. A sad truth that we discovered through our interactions with the other forum attendees.
Since we were organising a side event as well, we attended other organizations side events to advertise our event.
While interacting with other human rights advocates who had convened at the event, we faced a challenge of convincing them on our digital right agenda. Many felt that there far more important and grave human rights atrocities in the continent such as the death penalty, torture and slavery. We decided to show the participants how digital rights such right to privacy affect their work on other human rights issues. We brought up issues of government surveillance on civil society and instances where telecom corporates work with law enforcement to crackdown on human rights defenders. This argument helped us gain momentum in our interactions and many saw the relevance of our cause.
At the end of the NGO forum, Tsanga submitted a resolution to the forum, which sought inclusion of the right to privacy to the mandate of the Rapporteur to the right of freedom of expression.
Legal Resources Centre Recommended Resolutions to the NGO Forum April 2018
That human dignity, as contained in Art. 5 of the African Charter on Human and People’s Rights is the core right and value which underpins the need for the respect, recognition and promotion of the right to privacy of all people in Africa;
To accept that effective respect and promotion of this right is necessary for the enjoyment of a range of human rights, including freedom of expression, access to information, association and peaceful assembly;
That the above recognition of the importance and validity of the right to privacy ought to inform and embedded within the process of the revision of the Declaration of the Principles of Freedom of Expression in Africa flowing from African Commission Resolution 362;
That the mandate of the Special Rapporteur on Freedom of Expression and Access to Information should include privacy and digital rights concerns where these impinge on the ability to communicate and receive opinions freely. Specifically including:
Unlawful, disproportionate or unnecessary state surveillance and the private enterprises which enable this through the provision of technological solutions;
The role of the private sector in conducting unlawful collection and processing of their customers personally identifiable information;
Regulation of the costs of access to the internet, and content and platform neutrality online;
The prevalence of ‘internet shutdowns’ in African States, particularly during periods of social protest and elections;
Regulation of the processing of personal data, which can directly or indirectly identify individuals, by public and private bodies, and in particular the need for the processing of sensitive personal data such as biometrics to be subject to higher safeguards.
The LRC is a member of the International Network of Civil Liberties Organizations (INCLO). INCLO is a network of 13 independent, national human rights organizations from the global South and North working to promote fundamental rights and freedoms.