Comments on the Kenyan Data Protection Bill, 2019

We welcome the effort by the Government of Kenya to give life to and specify the right to privacy, already enshrined in Article 31(c) and (d) of the Constitution of Kenya, by proposing a draft Data Protection Act. We particularly appreciate the direct reference to this Constitutional right in the purpose of the Act and the way it is referred to on several occasions in this proposed Bill.

Development of an effective and comprehensive Data Protection law in Kenya is a priority, in particular given that a number of strategies are currently being deployed in Kenya to promote digital inclusion, including digital identities, micro-lending and Alternative Credit Scoring. While these efforts have positive intentions, a number of concerns ought to be addressed, and a strong data protection framework would be a step in the right direction, for example:

  1. Firms should deploy secure infrastructures to avoid data breaches, like those currently being seen with the Aadhaar system in India. 
  2. Biometrics are used excessively in certain circumstances where less intrusive options such as unique identifiers would be sufficient without the concomitant risk. This is particularly true in the health sector where biometrics could expose certain at-risk populations. 
  3. Alternative Credit Scoring by Micro-Lending institutions uses a vast range of data points such as call detail records (CDR) and customer relationship management (CRM) details. These firms are often acting without clear opt-in mechanisms or sufficient information being provided to individuals.

However, the Data Protection Bill proposed by the Taskforce has a number of significant shortcomings. In our joint submission, we recommend that, to effectively protect privacy and to meet international standards in protecting personal data, full consideration be given to the areas of concern and improvements outlined below under each Part of the Bill, including:

  • Reviewing the definition of ‘sensitive personal data’ to ensure a comprehensive definition. 
  • Replacing the current proposal to establish the office of the data commissioner as a body corporate with its establishment as a Constitutional Commission under Chapter 15 of the Constitution.
  • Guaranteeing that all data protection principles are included and revised clearly to provide for principles of integrity and confidentiality and accountability. 
  • Guaranteeing that the rights of data subjects are consolidated in the law in a clear manner under the same section, and that the right to effective remedy and the right to compensation and liability, which are currently missing, are added to the list of rights of data subjects.
  • Reviewing the current scope of the obligation to inform a data subject about the processing of their personal data. 
  • Providing clarity as to what the legal grounds for processing may be, including by defining concepts such as ‘public interest’ and ‘legitimate interest’, and in particular reviewing the legal grounds for processing ‘sensitive personal data’ to strengthen the protection of such data.
  • Ensuring that any exemptions relating to the different data protection principles and the rights of data subjects are provided for in the law in a form which is clear, precise and limited to specific necessary and proportionate exceptions rather than broad blanket exemptions, particularly for government authorities.
  • Reviewing the grounds for processing, including ensuring that data which is available to the public or deemed publicly available is not free for all to use without requiring further involvement of the data subject.
  • Reviewing the clause on the storage of data in Kenya and recommending that focus should be on ensuring the data is protected with the highest safeguards rather than demanding data localisation which may not achieve the purpose of providing a higher level of protection as intended. 
  • Guaranteeing that a strong process is in place to regulate the transfer of personal data including developing a process for assessing adequacy of protection in the receiving country, and not only in terms of data protection but protection of human rights and rule of law.
  • Ensuring that the protection of the data subject and their data as well as their right of privacy is balanced with freedom of expression under Article 33 of the Constitution for the media, artistic or literary work. 

We invite you to read our joint submission, which elaborates on these areas of concern and improvements under each Part of the Bill.

Our joint legal analysis of previously proposed data protection bills can be accessed here.

We remain available to provide interested parties with further expertise to ensure that Kenya adopts a robust, comprehensive data protection law which will ensure its citizens will be able to enjoy their right to privacy and their data will be subject to the highest safeguards.