Data Protection Bill 2018

The days of receiving unsolicited text messages from supermarkets and betting companies are numbered.

Kenyan companies that hold consumers’ information will now have to seek permission first before collecting, processing or storing personal data if a proposed new law comes into effect.

The Data Protection Bill, 2018, presented by the chairperson of the Committee on Information, Communication and Technology and Baringo County Senator, Gideon Moi, contains provisions that will significantly change how public and private entities handle information entrusted to them.

According to the Bill, companies will now have to inform users of any personal data they are collecting, the purpose for collecting that data and how long it will be stored. The law also gives users the right to decline to have their data collected or processed, as well as to demand that false data be corrected or deleted.

A person found guilty of interfering with the personal data of others or of infringing on their right to privacy will be liable, on conviction, to a fine not exceeding Sh500,000 or to imprisonment for a term not exceeding two years, or to both.

The Bill is, however, mum on penalties or fines applicable to corporates found guilty of the same and leaves it to the complaints commission to decide the course of action.

This comes in the wake of a global push to create legislation that safeguards the data and privacy of users as digital technologies become more ubiquitous.

“Due to massive development in the field of information, communication and technology experienced the world over and increase in collection of personal information by government and private bodies, the need to protect personal information has gained prominence,” explains a memorandum accompanying the draft document.

“Therefore, there is urgent need to put in place rules to regulate the collection, use, storage and processing of personal information.”

If passed, the new law will compel companies to inform users when their personal data is being actively collected and processed and report on the outcome of this processing.

The Bill borrows from the General Data Protection Regulation (GDPR) passed by the European Union last month and makes Kenya the second country in East Africa after Rwanda to have legislation dedicated to data protection.

The GDPR has been hailed as the first step in checking the excesses of powerful technology firms that collect vast amounts of personal data from their users for commercial or competitive advantage.

Companies found to have violated the GDPR face stiff penalties that include fines of up to four per cent of their global turnover or €20 million (Sh2.3 billion), whichever is greater.

Third Party Access

The case for the GDPR was made stronger following revelations that Cambridge Analytica, a political campaigns firm, mined data from more than 80 million profiles of Facebook users and used the data to create psychographic profiles in several elections across the world, including the 2016 US elections and UK Brexit campaigns.

The Data Protection Bill, 2018 seeks to limit similar cases of unwarranted access to users’ personal data by third parties.

A study by Strathmore University’s Center for Intellectual Property and Information Technology Law (CIPIT) last month found that millions of Kenyans had their personal data collected and sold to third parties during last year’s General Election without their knowledge or consent.

In the weeks leading up to the elections, many Kenyans raised concerns after receiving campaign text messages from aspiring politicians despite never giving out their phone numbers.

If the proposed law comes into effect, agencies will be required to take steps to protect the personal data of subjects in their possession from loss, damage or unauthorized access by third parties.

The Bill also makes it illegal for companies to transfer the data of Kenyan users outside the country unless the third party is subject to a law or agreement enforcing data protection.

However, there are exemptions when companies and agencies will not be required to get consent. These include instances where the information is publicly available, the user has authorised the collection of the data from a third party or where non-compliance does not prejudice the interests of the user.

Blanket surveillance

Companies are also exempt from seeking consent in cases where the information being collected is meant to help detect or prevent a crime or threatens national security.

Privacy experts have, however, said this gives security officials leeway to carry out blanket surveillance under the guise of national security.

The Data Protection Bill 2018 proposes the establishment of a commission that will handle complaints against individuals and entities accused of violating the data privacy of others.