Data Protection on the Ground (#1): Kenya’s draft bill

12 Jul 2018

By Sheetal Kumar and Richard Wingfield

In Chapter 4 of GPD’s recently published Travel Guide to Data Protection, we outline a set of key questions which can be used to determine whether a data protection regime is rights-respecting. In this mini-series, Data Protection on the Ground, we apply this framework to laws currently in development. 

***

There is currently no single, comprehensive piece of data protection legislation in Kenya. Instead, statutory protection of personal data is provided through a patchwork of different pieces of legislation which apply in different sectors. General provisions providing a degree of protection of personal data can be found in the Constitution, the Access to Information Act, 2016, and the Consumer Protection Act, 2012, with more specific and detailed protection of personal data in particular sectors in the Information and Communications Act, 1998, and the Registration of Sim-Cards Regulations, 2015. Other laws and policies regulate the processing of particular types of sensitive data like health or medical data (including the Public Health Act and the HIV and AIDS Prevention and Control Act, 2006).

In May 2014, the Cabinet Secretary for Information Communication and Technology announced that a Data Protection Bill would be tabled in Parliament, with the aim of harmonising existing legislation and providing a single overarching regulatory framework for the processing of personal data in Kenya. After almost a year, it was finally tabled in April 2015, and subsequently remained pending in parliament until it was reintroduced by the Senate’s ICT Committee in 2018.

In this analysis we take a look at the latest version of the bill, which was published in June 2018 for public consultation. Following the public consultation, the bill will be presented to parliament.

 

  1. DOES THE DATA PROTECTION LAW INCORPORATE THE MINIMUM STANDARDS NEEDED TO ENSURE THAT AN INDIVIDUAL’S RIGHT TO PRIVACY IS PROTECTED?

Yes and no.

The bill contains a number of protections consistent with the minimum standards of data protection. It provides data subjects with the right to access information about them; makes it clear that the data subject should be informed of the purposes for which their data is being collected, stored and used at or before the time of its collection; and mandates that any information collected must be accurate, kept up-to-date, and complete.

But these protections are unfortunately undermined by a few problematic elements in the bill. As we note in the Travel Guide, it is important that data protection laws also allow for exceptions (pp. 92-4). However, in order for these exceptions to be human-rights respecting, they must meet certain tests – i.e. be in pursuance of a legitimate aim; and be proportionate. In several crucial instances, exceptions specified within the bill fall short of meeting those tests. For example, the bill states that protections around personal data processing do not apply in certain cases, e.g. for reasons of national security, public order and defence (clause 3) – overly broad exceptions, which a government could easily use to disrupt legitimate activities, like a political protest or demonstration. The bill also absolves data controllers of the need to comply with the provisions of the legislation where it is not “reasonably practicable,” a provision which undermines the very principles of data protection itself. After all, if it is not practicable to comply, then the data in question should not be processed in the first place.  

Ironically, in the areas where exceptions to data protection are genuinely necessary – for example, in cases where data is processed for personal or household reasons – no provisions are made. This risks needlessly sanctioning people for everyday and legitimate uses of personal data, like the sharing or storage of photos or phone numbers.

Finally, while it is true that data controllers should, according to the minimum standards of data protection, be held accountable for complying with the requirements of the legislation, the bill’s imposition of criminal liability on the failure to protect data (see clauses 23 and 38 in particular) is inappropriately severe. Civil penalties would be not only more appropriate, but more effective, too.

 

  1. IS THE DATA PROTECTION LAW COMPREHENSIVE?

Yes.

The stated object of the bill is to protect personal data collected, use, or stored by both private and public entities. However – as well as addressing the overly broad exceptions noted above – the text of the bill could be clearer in specifying the scope of the protection. For example, clause 2 currently only references “public entities.” For accuracy and consistency, it should be made clear that “data is recorded information which is held by a public or private entity”.

 

  1. IS THERE AN ENFORCEMENT AUTHORITY IN PLACE EQUIPPED WITH THE POWERS TO ENFORCE THE LEGISLATION?

Yes.

The data protection bill gives the Kenya National Commission on Human Rights (KNHRC) powers to enforce the provisions of the legislation; which means conducting investigations, and taking legal proceedings in instances where the legislation has been breached, As outlined in the Travel Guide (p.59), a key prerequisite of rights-respecting data protection regimes is an independent enforcement authority, and this bill meets it.

It’s important to note that powers don’t, on their own, guarantee an effective enforcement authority. If the bill is passed, the government must also ensure that the KNHRC is provided with sufficient resources to be able to carry out its duties in full.

 

Conclusions

Should the Kenyan data protection bill be passed in its current form, it would not provide for a human-rights respecting regime. To do so, it would need to resolve the following issues:

  • Overly broad exceptions around compliance (clause 3)
  • Absence of appropriate exceptions for everyday, personal processing of data
  • Reliance on criminal offences to provide accountability, sanctions and remedy for infringements of the law (clause 23 and 38);
  • It is also important that the KNHRC is resourced so that it is able to fulfill its function to oversee and enforce the implementation of the law.

You can find the full text of Kenya’s draft Data Protection Bill here. For in-depth analysis of data protection in Kenya, take a look at KICTANet’s policy briefing.

GPD’s Travel Guide to the Digital World: Data protection for human rights defenders offers further guidance on the requirements for a rights-respecting data protection – as well as in-depth analysis of current policy debates, case studies, information on key forums, and advocacy tips and messaging.