ARTICLE 19 welcomes the recent Presidential assent to the Data Protection Bill (2019) in Kenya, following many years of advocacy efforts by ARTICLE 19 Eastern Africa. This legislative framework gives effect to the constitutional right to privacy and, for the first time, provides coherent guidance on the collection, storage, processing, dissemination and transfer of personal data in Kenya as well as legal recourse following the misuse of the same.
Despite this significant moment for campaigners, ARTICLE 19 Eastern Africa notes the enactment of a petition challenging the constitutionality of the framework. We call on the government to ensure that the Office of the Data Protection Commissioner (or ODPC) is made operational, operates independently and is enabled to work collaboratively with the Commission on Administrative Justice (or CAJ) (the body tasked with implementing the Access to Information Act, 2016, which also has several data-protection responsibilities).
The Data Protection Bill (2019) is a huge win for a multi-stakeholder group of organisations and individuals, including civil society organisations (or CSOs) and the private sector. This enactment follows numerous digitalisation and harmonisation drives by the government, including Huduma Namba, as well as private sector entities and provides citizens with legal recourse following the breach of their personal data by individuals, and state and non-state entities.
The constitutional petition lodged on the 14th November 2019 raises questions about the efficacy of the office designed to implement and oversee practice under the law.
ARTICLE 19 Eastern Africa welcomes the insertion of minimum rights-protecting principles and rights, including consent, adequacy and relevance, data portability and data rectification. These four (4) core principles and rights are particularly crucial in the Kenyan jurisdiction following complaints by Kenyan citizens about institutions (e.g., restaurants) using citizens’ Mpesa payment details to send targeted advertisements and mobile loan applications reporting defaulters to a borrower’s contact list.
However, issues which might prevent the effective implementation of the Bill to international standards remain a concern. Citizens must know whether they can trust how state and non-state entities will process their data. This issue is particularly pressing given the presence of international corporations who do not have a physical presence in Kenya and yet are amassing vast amounts of citizens’ data.
Challenges to the Framework
While we cannot comment on the petition challenging the constitutionality of the Data Protection Act, we note that the definition of personal data under the Data Protection Act is not synchronized with the definition under the Access to Information Act, 2016.
The Data Protection Act includes some of the information mentioned in the Access to Information Act in the definition of “sensitive personal data.” We believe it is crucial that the same categories of data follow the same regime and guarantees as established under the Data Protection Act in relation to sensitive personal data. Notably, two divergent definitions will invariably create confusion for both the ODPC and the CAJ, who are both tasked with implementing their respective data protection mandates.
We also note that the Data Protection Act (2019) fails to provide clarity regarding the constitution of the ODPC. We reiterate that the ODPC should operate as an independent constitutional commission, under Article 59 (4) of the Constitution of Kenya, 2010, and not as a State agency, in order to be free from undue political, administrative or commercial pressure, and to fulfil its specified purpose(s).
Instructively, the CAJ, which faced independence and operating constraints as a department within a State Ministry, was established following a restructuring of the Kenya National Human Rights and Equality Commission. This restructuring was necessary in order to adequately protect citizens’ access to information under the Bill of Rights.
Finally, we also note that the Data Protection Act fails to adequately balance the right of privacy with the rights to freedom of expression and access to information. Instructively, Article 52 of the Data Protection Act provides a narrow definition of journalistic exemption. Journalists and the media are not exempt from registration requirements, and may be obliged to inform the Office of the Data Protection Commissioner about the type of personal data being processed, as well as the purpose and the category of data subjects.
This provision will threaten the anonymity of journalistic sources, especially when whistle-blowing has helped to inform criminal and/or corruption investigations. Journalists may find themselves facing criminal investigations where it is determined that the disclosure of personal data in an article, especially that of public figures, does not meet the public interest test. Crucially, penalties under the Data Protection Act include a fine not exceeding five (5) million shillings and/or imprisonment for up to two (2) years.
We call on the Government of Kenya to review the above challenges to ensure that personal data is adequately protected by an empowered body which receives state support (both administrative and financial) in order to operate as envisaged.
ARTICLE 19 Eastern Africa remains committed to forming a collaborative relationship with the ODPC (once established) and the CAJ, in light of its cross-cutting data protection and access to information responsibilities. This will ensure that the Kenyan jurisdiction complies with international standards and best practices on data protection and privacy.
The full legal analysis of Kenya’s Data Protection bill can be found here.
The right to privacy is protected under Article 31 of the Constitution of Kenya, 2010. Despite this constitutional protection, there existed a data protection gap which was not adequately bridged by various statutes within Kenya. These include the Access to Information Act (2016) and the Kenya Information and Communications (Consumer Protection) Regulations (2010), amongst others, which failed to protect the integrity of citizens’ personal data and the misuse of the same by third (3rd) parties.