The time has finally come: Kenya is seizing the opportunity to protect individuals and their data

This photo originally appeared here.

For years, Privacy International and our partners in Kenya have been promoting the right to privacy in Kenya through research and investigations into government and private sector policies and practices and advocating for the adoption and enforcement of the strongest data protection and privacy safeguards.

The need for Kenya to adopt a comprehensive data protection framework (in addition to strengthening privacy protections in other legislation) has always been there but the urgency for such a regulation has heightened over the last few years with the move by the government of Kenya to deploy data-intensive systems including the expansion of state and corporate surveillance, the use of biometric electoral registry, and the use of social media data and other platforms to profile and target online users.

This is why the legislative process announced in early July 2018 by the government of Kenya to adopt a comprehensive data protection framework is an immense opportunity.

Privacy and data protection are intrinsically linked. Individuals, as citizens, customers, and consumers, need to have the means and tools to exercise their right to privacy and protect themselves and their data from abuse. We are pleased that the Kenya government has recognised this intrinsic link in clause 1 of the Data Protection Bill they published on 6 July 2018 by stating that the law “will to give effect to Article 31(c) and (d) of the Constitution” which uphold the right to privacy.

The on-going engagement by the National Coalition of Human Rights Defenders in Kenya (NCHRD-K) demonstrates the growing concerns of HRDs with regards to state and corporate surveillance which deeply impact their ability to undertake their work securely and freely.

Research by the Centre for Intellectual Property and Information Technology Law (CIPIT) on the privacy implications of using biometric technology during the electoral process in Kenya raised key questions on how the Kenyan government is adopting new technologies for governance and yet doesn’t have the necessary regulatory and security framework in place to do so in a way that protects the privacy of individuals. Similarly, the Kenya Legal & Ethical Issues Network on HIV and AIDS (KELIN) has advocated for the rights of key populations such as persons living with HIV, against the use of biometrics in HIV research, which they saw as both high-risk and intrusive: “Everyone just said no, and we kept saying no.”

In December 2017, Privacy International released an investigative feature revealing how Harris Media LLC, a far-right American digital media company, developed online campaigns on behalf of President Kenyatta’s re-election campaign targeting users through ad words in Google search and targeted advertising on a range of social media platforms. Despite what we have come to know, we still don’t have further details on what data and/or user profiles Harris Media had access to, and how they processed the data. Our concerns of such activities in Kenya were further heightened following the revelations that emerged from the Cambridge Analytica and Facebook scandal in March 2018 as they demonstrated the lack of transparency and accountability of both the public and private sector.

Whilst data protection won’t solve all the problems we’ve highlighted above, it will be extremely helpful and thus it constitutes a foundational protection mechanism for individuals to exercise their right to privacy.

It is crucial for any regulatory framework to be centred around the protection of human rights, autonomy and dignity, and therefore essential to ensure that legislative processes leading to the adoption of a data protection framework are open, inclusive and transparent. 

Following the publication of a first bill in 2015, we welcome this renewed opportunity for Kenya to adopt a comprehensive data protection framework which will regulate the processing of personal data. It won’t be easy but PI and our partners are ready to take on this opportunity to share our expertise as well as our in-depth understanding of the privacy and data protection context in Kenya.

We invite you to read our joint submission on the Bill which highlights a number of significant shortcomings and presents various recommendations identified by PI, the NCRDH-K, CIPIT and KELIN to ensure that the law would provide for the effective protection of privacy and would comply with international data protection standards and principles and protect the rights of individuals.

Privacy International looks forward to engaging, in collaboration with our partners, in the next steps of this legislative process and calls on any other parties, in particular civil society organisations, to directly engage within the legislative process.

We remain available to provide interested parties with further expertise to ensure that Kenya adopts a robust, comprehensive data protection law which will ensure its citizens will be able to enjoy their right to privacy and their data will be subject to the highest safeguards.

To find out more about privacy and data protection in Kenya, please refer to The State of Privacy in Kenya’ (last updated in February 2018).

If you are interested you can visit our website to find out more about our efforts to call for the adoption and enforcement of stronger privacy and data protection laws with the Privacy International Network, and you can also sign up to our public engagement platform to stay in touch with us!