On July 17th FSD Kenya submitted public comments to the Data Protection Bill, 2018 presented by the Senate ICT Committee. For years Kenya has been rapidly moving towards a digital society, but without the proper framework for data protection in place. So despite our significant concerns with this Bill, which as drafted may in fact worsen data protection rather than support it, the emergence of a data protection bill is an important sign that this topic is finally receiving the policy attention it merits.
While there are data protection and data privacy provisions within different sector legislation, they are typically sector-specific and not economy-wide. Nonetheless, such legislation can offer a good starting point for establishing consumer-centric data protection laws.
For example, Kenya’s 2010 Information and Communications (Consumer Protection) Regulations include a customer’s right to personal privacy and to protection from unauthorized use of personal data. They also require mobile network operators (MNOs) to provide notice that transactional data may be sold to third parties and to obtain prior customer consent before selling or sharing data. However, as one review of user agreements in Kenya and across Africa found:
Over 80 per cent of contracts contain clauses permitting providers to share information with third parties, such as credit reference bureaus, provider agents and subsidiaries, and also “for reasonable commercial purposes related to the provision of services”. This is quite vague and may give providers overbroad license to share consumer data, which raises privacy concerns. Management of privacy and data protection is further complicated by the lack of specific data protection legislation in the jurisdictions reviewed. Consumers have to rely on provisions contained in various pieces of legislation that do not comprehensively protect them.
As this analysis makes clear, although current practices may comply with the law, they are not necessarily easy for consumers to manage. This is why we hope to see a comprehensive data protection law in Kenya as soon as possible that will include a robust monitoring and enforcement mechanism. To this end, we wish to propose several ways in which the current draft of the data protection bill could benefit from significant improvements.
The bill does not include several aspects of modern privacy laws that support consumer control over their information and competition:
- Data portability. This allows data subjects to share their economically-useful information, such as banking history, with third parties. This would help address the “data silos” common in Kenya’s digital financial services ecosystem.
- Separation of product acquisition and consent to data sharing with third parties. Blanket provisions allowing data collectors to share consumers’ information with unnamed third parties are often buried in product terms and conditions that we rarely read. Consent to data sharing should not be a requirement of using a product or service.
- Liability of data controllers for the conduct of third parties they share information with. Just as mobile money operators bear some responsibility for the conduct of their agents, data controllers should have to properly vet and monitor the conduct of third parties they share customer information with.
- Consent archives. It is just as important to make the records of consumer consent to data sharing traceable and accessible as the information a data collector stores itself.
- Deletion of records. The data protection bill lacks the “right to be forgotten,” where a data subject can delete their history with a data collector if they want.
The bill also has vague and subjective language granting potentially wide-sweeping exemptions to key privacy provisions. For example, “10. (1) Before an agency collects personal data directly from a data subject, the agency shall in so far as is reasonably practicable, inform the data subject…”. “Reasonably practicable” is a subjective phrase that leaves the requirement to comply with informed consent open to noncompliance. This could undermine the good faith application of these principles in the implementation of the bill by data controllers.
Another concerning section of the Bill is, “7 (3) An agency shall collect, store or use personal data— (a) using lawful means; or (b) using means that, in the circumstances, do not intrude to an unreasonable extent, upon the personal affairs of the data subject except in accordance with this Act or any other written law.” It is not clear why an exemption from complying with the law in data collection, storage and use is included in the Bill, as it could negate the very protections this bill seeks to enact. Also, such a broad clause as “to an unreasonable extent” opens Kenyans up to serious privacy risks by giving agencies broad and imprecise exemptions from complying with the law.
There is also the risk that the Bill allows third parties to access data subjects’ information without properly informing the data subject first: “7. (2) An agency shall not be required to collect personal data directly from a data subject where… (c) the data subject has consented to the collection from another source; (d) collection from another source would not prejudice the interests of the data subject… (f) compliance is not reasonably practical in the circumstances of the case.” By allowing “pass-through” consent, the Bill will make it very difficult for data subjects to understand and manage all the ways in which their information is being distributed across the economy. This will also legally formalise the issues that have been identified in the market, where firms use broad and non-specific clauses in product terms and conditions to grant themselves permission to use and share customers’ data without additional customer consent or control.
Finally, the bill in some cases only mandates the obligation to “inform” a consumer, but not necessarily to seek their consent. For example, consent may be delayed in an undefined manner “where— a) it is not practicable for an agency to comply with subsection (1) before collecting information”. This means that firms may collect data without first informing their customers.
Given these concerns, the data protection bill could benefit from a substantial revision to better reflect the objective of giving consumers greater access to and control over their digital lives. Data protection is one of the most important issues currently facing the Kenyan economy. We hope that the robust public debate this bill has encouraged will lead Kenya to a strong, pro-consumer data protection law in the near future.