Data Protection Still on the Agenda in Kenya
In parallel to the legislative process initiated by the Kenya Senate in July 2018, a Task Force constituted by the Ministry of Information, Communication and Telecommunication developed a draft Data Protection Bill which it published for consultation in May of this year.
Privacy International and its Kenya Partners, the National Coalition of Human Rights Defenders – Kenya (NCHRD-K), the Centre for Intellectual Property and Information Technology (CIPIT) are pleased to have had the opportunity to take part in the open consultative process of the Ministry to seek feedback on the proposed Bill.
We welcome the effort by the Government of Kenya to give life to and specify the right to privacy, already enshrined in Article 31(c) and (d) of the Constitution of Kenya by proposing a draft Data Protection Act.
However, the Data Protection Bill proposed by the Taskforce has a number of significant shortcomings. We recommend that to effectively protect privacy and to meet international standards in protecting personal data, that full consideration be given to the areas of concern and improvements outlined below under each Part of the Bill, which include:
- Reviewing some of the definitions outlined in Part 1 and in particular clarify the definition of ‘sensitive personal data’.
- Reviewing the material and territorial scope of the law, in particular with the aim of ensuring that the law applies to public entities including law enforcement and intelligence agencies.
- Guaranteeing that all data protection principles are included and revised clearly to provide for principles of fairness and transparency, storage limitation, integrity and confidentiality, and accountability.
- Guaranteeing that data subjects are provided with rights including the right to suppress or block (restrict), the right to data portability, as well as the protection and enjoyment of their rights in relation to profiling and automated decision making.
- Reviewing the current scope of the obligation to notify a data subject about the processing of their personal data.
- Providing clarity as to what the legal grounds for processing may be including by defining concepts such as ‘public interest’ and ‘legitimate interest’, and in particular reviewing the legal grounds for processing ‘sensitive personal data’ to strengthen the protection of such data.
- Ensuring that any exemptions relating to the different data protection principles and the rights of data subjects must be provided for in the law in a form which is clear, precise and limited to specific necessary and proportionate exceptions rather than broad blanket exemptions, particularly for government authorities.
- Reviewing the grounds for processing including ensuring that processing of data which is available to the public or deemed publicly available is not free for all to use without requiring further involvement of the data subject.
- Reviewing the clause on the storage of data in Kenya and focus on ensuring the data is protected with the highest safeguards rather than demanding data localisation which may not achieve the purpose of providing a higher level of protection as intended.
- Guaranteeing that a strong process is in place to regulate the transfer of personal data including developing a process for assessing adequacy of protection in the receiving country, not only in terms of data protection but also protection of human rights and rule of law.
- Ensuring that the protection of the data subject and their data as well as their right of privacy is balanced with freedom of expression under Article 33 of the Constitution for the media, artistic or literary work.
- Guaranteeing that the independent authority established by the law, the Office of the Data Protection Commissioner, has sufficient resources to undertake its mandate, and also that data subjects are given access to an effective remedy and ensuring that the Commissioner has the power to impose penalties, and ensure effective remedies.
Moving forward, Privacy International with our partners and other interested parties, in particular civil society organisations, will monitor this legislative process which is occurring alongside the draft Data Protection Bill in Kenya (on which we also submitted comments).
Our priority is to ensure that the highest data protection safeguards are encoded in lawand effectively enforced so that people in Kenya are protected from undue harm and they are able to fully exercise the enjoyment of their fundamental rights and freedoms.
To find out more about privacy and data protection in Kenya, please refer to ‘The State of Privacy in Kenya’ (last updated in February 2018).
We take the opportunity to share our guide for policy engagement on data protection "The Keys to Data Protection". The guide is intended to help organisations and individuals improve their understanding of data protection, by providing a framework to analyse the various provisions which are commonly presented in a data protection law.