Expert Commentary: Kenya follows the path of European-style Data Protection

Guest Post

By Dr. Isaac Rutenberg, Director and Senior Lecturer, Centre for Intellectual Property and Information Technology Law, Strathmore University, Nairobi, Kenya

cipit.org @StrathCIPIT

On the 8th of November, the President of Kenya signed into law the Data Protection Act 2019. This action completed a process that spanned more than a decade, and allows Kenya to enter a new phase with respect to the evolving centricity and treatment of data in society. This article looks at the content of the Act, highlights important and interesting provisions, and concludes with predictions as to the implementation.

Viewed from a high level, Kenya’s Data Protection Act (DPA) has many similarities with the General Data Protection Regulation (GDPR) in the EU, but also some notable features that have been localized for the Kenyan context. Without question, the DPA will satisfy Kenya’s obligations with respect to data protection under the African Union Convention on Cyber Security and Personal Data Protection, to which Kenya is a signatory. Also without question, the DPA is a major development that will require significant changes to the operations of private and public entities.

The similarities with GDPR are very clear. Section 25 of the DPA lists the principles of data protection that apply to data controllers and processors:

Respect of the right of privacy;
Data is collected for explicit, specified, and legitimate purposes (purpose limitation);
Data is processed lawfully, fairly, and transparently;
Data is adequate, relevant, and limited (data minimization);
Data is accurate and kept up to date;
Data processing is explained to the data subject;
Data is kept not longer than necessary for the purposes for which it is collected; and
No transfers outside Kenya without proof of data protection safeguards, or consent.

Each of the above principles is supported by additional provisions throughout the Act, with some more effectively supported than others. A thorough analysis of these provisions is provided in a series of blog posts at www.cipit.org.

Data processing must generally be done in compliance with the above principles. There are, however, numerous exceptions, and one exception in particular will require attention as the Act is implemented. Section 30 states that personal data shall not be processed unless the processing is necessary “for the performance of any task carried out by a public authority.” This appears to be a blanket authorization for any and all activities by the government. The provision is greatly worrying, even though such activities may still be limited by other provisions of the DPA (such as the need for a risk assessment as described below).

A few other provisions of the DPA are worth discussion.

Companies may choose to have a Data Protection Officer, but unlike the GDPR, the DPA never requires such an officer. Given the complexities of data protection in the global context, it is inconceivable that any large company would elect not to have a Data Protection Officer, and it is advisable that many smaller companies (particularly tech companies) should also seek the services of a full or part-time Data Protection Officer.

An intriguing aspect of the DPA is found in Section 31, which states that any data processing that is “likely to result in high risk to the rights and freedoms of a data subject” must undergo a data protection impact assessment. The requirement appears to apply to both private and public activities; government projects as well as private sector projects involving data will require impact assessments. The highly controversial “Huduma Namba” digital ID program currently being introduced in Kenya seems to be exactly the type of project that would require an impact assessment under this provision. Much like all major construction projects now routinely undergo environmental impact assessments, it is hoped that the data protection impact assessment will become a normal part of project planning. As a side note, it is unclear whether the skills and experience for carrying out data protection impact assessments are widely present in Kenya.

Another intriguing provision is found in Section 35: “Every data subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or significantly affects the data subject.” Many telecom companies and startup companies in Kenya are making microloans to consumers based on various credit scoring methods (some of which, incidentally, involve algorithms using artificial intelligence). It appears that, with some exceptions (such as when the data subject consents), such products are no longer legal unless a human is involved in the final decision as whether to grant a loan.

Now that the process of enacting data protection legislation is over, the details of implementation are now center stage, and will ultimately be just as influential in Kenya’s commitment to data protection.

Favorably, the law provides for an Office of the Data Commissioner that is a state office. This means that the Data Commissioner will be relatively independent of the executive branch of government. Most importantly, funding for the Data Commissioner will be provided directly through Parliament. The Data Commissioner will be appointed by the President from three candidates selected by the Public Service Commission, so the executive will still have a large influence over the philosophy of the Office of the DC. The Data Commissioner receives a six-year term, and the selection of the inaugural Commissioner is a critical step that will determine much about the implementation and impact of the law.

There is, however, a more pressing concern. Recently a private individual brought a lawsuit in the High Court to halt implementation of the Data Protection Act. The petitioner argues that the DPA resulted from the merger of two bills, one of which originated in the Kenyan Senate. Since the DPA itself was never sent to the Senate for approval, the lawmaking process was improper. Bypassing the Senate is a method that has been used by the government to shorten the lawmaking process in other pieces of legislation, and this lawsuit tests the very fundamental question of when such a method is consistent with Kenyan constitutional democracy. The DPA merely appears to be the battlefield upon which this issue may finally be decided.

Implementation of any aspect of the DPA requires appointment of the Data Commissioner. In view of the pending litigation, this appointment may be substantially delayed, and data protection for Kenyans will have to wait.

One final thought: when Europe implemented the GDPR, which was more favorable to data subjects than any other legal framework existing at the time, some American tech companies modified their activities. It was reported that Facebook, for example, moved non-European data to servers located outside the EU. But, due to the size of the market, most major tech companies continued to engage with Europe and Europeans. Considering the vastly smaller market in Kenya, it will be interesting to see whether the similarly strict provisions of the DPA will result in some global tech companies deciding that the Kenyan market is not worth engaging.

—Dr. Isaac Rutenberg,

Centre for Intellectual Property and Information Technology Law, Strathmore University

Publication information:

Posted 22 November, 2019

Posted November 22, 2019 in International Privacy, Privacy Law, Region: Africa
Tags: Huduma Namba

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.