On July 31, I had the unenviable honour of attending a public participation forum on the newly proposed Huduma Bill 2019. Like most important forums, it was scantily attended. Jaded officers from the Ministry of Interior listened to civil society representatives outlining rather obvious shortcomings in drafting of the bill in question, as well as glaring potential for human rights violations.
As is usually the case, the folks on the high table were rather bored until it came their turn to speak. A representative of the permanent secretary made an interesting, if somewhat shortsighted comment along the lines of “data is the new oil,” going on to imply the government was keen on mining it for some yet unclarified gain.
Let us give the said gentleman the benefit of doubt – Kenya just started exporting oil, and we are barely getting started on robust data protection, so he might not have a lot of information on the richness of the irony he revealed.
SEE ALSO: The reality of Kenya’s jobs market: What the numbers show
Let us further say that such pronunciations are commonplace in some quarters – usually in quarters that don’t think critically about these issues, or those that fail to appreciate the magnitude of data in the information age.
Data is not the new oil, especially not biometric data. While there is indeed potential for governments to mine data and sell it to corporations, the analogy fails when stretched to its logical conclusion. Questions on user privacy, consent on third party access, and proportionality of the data collected to its use are nontrivial ones.
Like oil, personal biometric data, cannot be replaced in the event that such information gets into the wrong hands. We cannot change our fingerprints like we can user names, retinas are not cheap to come by like a new Facebook password is. If the metaphor of data and oil holds, it only approximates the potential for disaster that accompanies lax regulation–oil spills and data leaks are alike in this sense.
Here’s an olive branch–aggregating data for over 40 million Kenyans when done right has the potential for massive socioeconomic impact. Digital identity databases could be designed for scalability and multiple use cases–healthcare providers could conduct longitudinal studies on illnesses and design public health responses from data sets that are representative of the population, financial inclusion initiatives can benefit from identifying and reaching far flung rural communities, and biometrics allow for deduplication that could send ghost workers packing.
SEE ALSO: Revealed: Best goalkeepers in the Premier League this season
Data when followed with sensible regulation can allow innovations in public service provision that rival magic. As the home of mobile cash transfers, our comfort and ease with digital technologies position Kenya to leapfrog the information age into the data age.
And yet, we cannot simply ignore the absence of a robust data protection regime – law, regulation, authority, and offices. Some regulations exists on accessing health information for practitioners and the Central Bank has some regulation on payment systems, for instance.
While these are better than the alternative of having nothing at all, there is need for harmonisation across multiple regulations, and anticipation of multiple use cases and contexts for data. The absence of these mechanisms renders any hope of a data-driven economy a mirage at whose end reside unimagined consequences.
Furthermore, a nuanced understanding of data regulation is essential for engaging commercial actors. The present regulatory environment provides no incentive for rigorous data protection policies from private actors, you only have to read the terms and conditions of your favourite telecom provider to understand this.
Companies are incentivised to collect as much data as possible, immaterial of utility to their service provision. User optimisation is an end in some instances, but more often than not, firms simply stockpile data waiting for the highest bidder in future. A balanced appreciation of the interplay between regulation, user agency and innovation is at the nexus of progressive data protection regimes.
That these debates on data protection occur within the context of the new Huduma Bill, as well as a proposed Data Protection Bill is evidence of the serendipitous relationship between the two parallel efforts.
Whatever justification the Government eventually presents in support of the Huduma process, it must not be construed to assume the State has unbridled right to citizens’ information. The specific uses for the data collected are an important point for building trust with the public, as well as ensuring incentive for the private sector to develop commensurate data protection policies.
The alternative is untenable in a democratic society–selling personal civil information to the highest bidder without repercussions, or even worse, collecting information the State has no clear need for is a sure way to entrench vulnerabilities in an unpredictable data economy. Data is the new nuclear, and wars may very well be fought over it.
Mr Odhiambo is a public policy analyst focused on the digital economy in Africa