The National Treasury’s proposal to exempt the Kenya Revenue Authority (KRA) from the Data Protection Act has understandably raised concern among Kenyans, who fear that this will set a worrying precedent.

The proposal by the National Treasury seeks to exempt the processing of personal data relating to the assessment, enforcement and collection of taxes from the Act in a move that will give the KRA carte blanche to access and review personal financial records of any Kenyan.

The amendment is concerning and it comes a few years after the enactment of the Act that has made Kenya an exemplary country on the continent in regards to the recognition of its citizens’ private data in a fast-evolving digital landscape.

Passing such amendments that erode the safety rails that make this crucial Act effective sets a bad precedent and takes the country a step backward.

In the first place the Data Protection Act 2019 already has several exemptions embedded into it that take into account circumstances where the state may be exempt.

Law enforcement and judicial authorities, for example, are exempt from the Act when gathering or processing data that is necessary for national security or in cases where a court has ordered the disclosure of particular information.

Such provisions, like the rest of the Act, were borrowed from the General Data Protection Regulations (GDPR) of the European Union which served as the blueprint for many legislations developed by developing countries.

Global best practice

The GDPR also contains exemptions for intelligence services, police and judicial officers in processing data that is crucial for criminal investigations or proceedings.  

And even within these exemptions, the GDPR has laid down guidelines on how enforcement agencies should handle the personal data of citizens to ensure that they execute their work without violating citizens’ private data.

It is thus concerning that the Kenyan government is breaking away from global best practice in the administration of the Act.

A proposed exemption for the KRA written into the law could dampen the appetite of investors who shun any additional State interference in their business.

It could also open a Pandora’s box of abuse by State officials as has been witnessed before. In the 2017 general elections, officials from the Interim Electoral and Boundaries Commission were found culpable when political parties gained access to millions of Kenyans’ phone numbers and proceeded to send them targeted campaign SMSs.

It is worrisome to think what political rivals and unscrupulous State officials can do with full access to a database containing the names, identities, income and business interests of all Kenyans.

The KRA already has significant powers and authority that it uses to justify its crucial role. Additional powers that call for re-writing the law would not translate to more collections as believed, but push some taxpayers underground and into the black market.