On November 8, 2019, the president of Kenya, Uhuru Kenyatta, enacted a law on the 2019 data protection bill. Kenya now joins 25 of the 54 African countries that have so far implemented personal data protection laws, to which Zambia and Zimbabwe will soon join.
The new Kenyan data protection law, which follows the model of the General Data Protection Regulation of the European Union (GDPR), was delayed greatly. Despite the fact that it has won the title of “Silicon Savannah” of Africa for its gigantic advances in the proliferation of information and communication technologies and that it has become a hotbed of new companies on the continent and Silicon Valley, Kenya had no data protection laws.
This lack of a legal framework on how private and governmental entities should handle customer and citizen data became the subject of one of the first cases in the world in which the private data of citizens was used to influence a presidential election.
The presidential elections of 2013 and 2017, in which President Kenyatta was re-elected, were involved in a scam in which Cambridge Analytica illegally collected data from Facebook profiles of millions of Kenyans. These profiles were then correlated with more than 47,000 surveys conducted in the period prior to the 2013 presidential election to determine the needs and concerns of Kenyan voters, which served as the basis for campaign messages. In the 2017 presidential elections, this data was used in a digital data campaign to help the re-election of President Kenyatta.
The British consultant has been in the eye of the storm since the electoral victory of US President Donald Trump in 2016 for collecting data on millions of Facebook users and directing them with information intended to influence Trump.
This new data law will have a significant and far-reaching impact, as Kenya continues to have one of the highest internet penetration rates in Africa, with 112%, according to the latest statistics from the Communications Authority.
Review of the new Kenyan data protection law
The mandate of this new law will essentially be to establish a legal and institutional mechanism to regulate the collection, storage and processing of personal data to protect people's privacy. The law will apply the right to privacy with solutions against any leak.
Implementation of #dataprotection Act in Kenya is expected to be a gradual process. Will require creation of Data Commissioner’s office, build confidence of data controllers, development of Implementation mechanisms, stakeholder engagement and awareness @KeCIRT @CADirectorGen
– CA (@CA_Kenya) November 27, 2019
The application of the Data Protection Act in Kenya is expected to be a gradual process. It will require the creation of the data commissioner's office, building the trust of data controllers, the development of enforcement mechanisms, stakeholder participation and knowledge of the Coordination Center of the National Computer Incident Response Team of Kenya.
Kenyan citizens now have the right to: know why and how their information is registered, stored and handled, and for what specific purpose it will be used. They will also have the right to access your personal data and to oppose its processing, as well as to the correction and deletion of false or misleading data, and to prohibit the disclosure or reuse of your personal data.
Organizations and government authorities that own, manage, store or control data will be required to register their companies in the office of a Data Protection Commissioner, as required by the new law. They will also be required to inform users of the personal data they are collecting, why they are using them and how long they will store them.
Kenyans greet the new law
The new law is a welcome relief for many Kenyans who have been subjected to various forms of privacy breaches, in particular, the proliferation of the country's mobile connectivity and the adoption of mobile money services.
For a long time, the collection of personal data of citizens has been part of the security requirements of private and governmental institutions so that Kenyans can access most buildings. Although information is often collected as a safeguard measure, its effectiveness has been questioned as a measure of protection against acts of violence. Dusit's most recent terrorist attack and the attack on the Westgate Mall in September 2013 made this look closely.
While these data collection points have been shown to have gaps that terrorists have used to register false data, most Kenyans put their real personal data in these building records.
Cases of mobile and online fraud have continued to increase, often against users of the M-pes mobile money service – the most popular way to pay for goods and services online and offline in Kenya. M-pesa is a service of Safaricom, a public limited company and one of the largest mobile network operators in Kenya.
It has also become a common practice among Kenyan companies that accept payments with M-pesa and that use the Paybill service to send promotional messages from the collected contacts to their customers for the sole purpose of facilitating a payment transaction.
– Pauline Warui (@PwaruiM) October 31, 2019
Data Protection. It's bad that every time I use Paybill, merchants flood me with unwanted promotions and campaigns. Please, Joe Mucheru, Minister of Information and Communication Technologies of Kenya, protects the privacy of citizens.
Today, 25th November 2019, something significant is happening.
The Kenyan Data Protection Act 2019 commences. It becomes effective. #dataprotection
– gatuyu (@Gatuyu) November 25, 2019
Today, November 25, 2019, something significant is happening.
The Kenya data protection law is initiated 2019. It is effective.
Some private financial institutions our here have access to your private communications, that is voice and text communication.
Some individuals working in those institutions are misusing those privileges for their personal gains. Something needs to be done. ASAP#dataprotection pic.twitter.com/7MdnKalVKr
– Road Alerts. || ?? (@RoadAlertsKE) November 26, 2019
Some private financial institutions here have access to your private communications, that is, voice and text communication.
Some people who work in these institutions are misusing those privileges for personal gain. Something must be done as soon as possible.
The information and communication technology professionals in Kenya welcomed the signed bill as a good regulatory framework for the industry and urged the Government to accelerate the drafting of guidelines and regulations around the data protection law in consultation With your sector.
Concern for the application
The Office of the Data Protection Commissioner will be the one to carry out the application of this new law. The body will be created and will be directed by a commissioner appointed by the Public Administration Commission from his appointment by the president and will be subject to the approval of the National Assembly. The Data Protection Commissioner will depend on the Ministry of Communications and Information Technology. The commissioner will receive and investigate the infractions, with the power to file lawsuits and impose fines.
According to Kenyans online, this is just the beginning. A major obstacle will be the implementation and application of this law against the biggest culprits – digital loan applications. These applications use predatory and unethical tactics that require access to smart phone data in an attempt to determine solvency and recover loans from defaulters and retail companies that send promotional text messages to their customers.
Consumers Beware; TO #fintech app-based lender without access to potential borrowers ’financial data may require permissions for the app to scrape data from the borrower’s phone, including reading messages with details of financial transactions. #ExploitiveMoneyLendingApps
– Consumer Grassroots (CGA) (@Consumers_Kenya) November 28, 2019
Consumers, be careful. A lender of the Fintech application without access to financial data of potential borrowers may require permissions for the application to delete the data from the borrower's phone, including reading messages with details of financial transactions.
Critics have expressed concern at the time of the signing, following the clamor of the Kenyans for the massive implementation of the National Integrated Identity Management System (NIIMS) – better known as Huduma Namba -, much criticized by the defenders of the Privacy.
The NIIM is a national program introduced by the Kenyan Government in April 2019 for the establishment of a massive biometric registration system to create, manage and store population data for Kenya and as the “only source of truth” for information on citizens Kenyans and foreigners residing in the country.
Kenyan freelance writer Rasnah Warah recently opined in an article why the signing of the data bill aims to accelerate the implementation of Huduma Numba, which many opposed because of lack of an adequate framework. Look maliciously at the hasty way in which the new data protection bill was passed. He believes that it was created as a door for the commercial interests of the national exercise of Huduma Numba in which citizens will be led to a debt trap.
His feelings have also been expressed by renowned Kenyan economist David Ndii, whose article “Capitalism of friends and capture of the State 2: Documents that reveal the plans of the Kenyatta family to take care of loans to SMEs,” delves into the details of a mobile phone loan platform proposal in which the Kenyatta family bank, NCBA, has vast interests.
The proposed initiative is a “collaborative initiative to facilitate access to credit to micro and small businesses”.
Interestingly, the day President Kenyatta signed the bill, he was next to Amazon executives, who announced plans to establish Amazon Web Services Edge in Kenya. Amazon operates Amazon Web Services – the largest cloud computing platform in the world.
It remains to be seen whether or not the new law will protect the rights of Kenyan citizens or if it will simply serve as a conduit for the top actors in the food chain of digital capitalism to acquire, store and use private data legally for commercial purposes.