BBI proposal on protection of personal data should be clear

One of the proposals in the Building Bridges Initiative (BBI) Constitutional Amendment Bill is an amendment to Article 31 of the Constitution on the right to privacy.

It states that every person has the right to privacy including the right not to have personal data infringed upon. Curiously, this is the only proposed amendment to the Bill of Rights.

The Data Protection Act, 2019 defines personal data as any information relating to an identified or identifiable person. The BBI report explains that the proposed amendment protects personal data and boosts the taming of surveillance capitalism which is the economic system centred on the commodification of personal data for profit-making. The proposal is welcome considering only a handful of constitutions around the world provide for a constitutional right to data protection. Kenya has had a chequered past in protecting the individual right to privacy.

Jubilee Party reportedly procured the services of Cambridge Analytica which infringed on the right to privacy of many Kenyans by collecting personal data on Facebook to use for targeted online political campaigns.

In the wake of these revelations, Cambridge Analytica ceased to exist as a company while Facebook was fined £500,000 by the United Kingdom’s data protection watchdog.

I am always sceptical of initiatives by the government sold to be about personal data protection. There was no good faith in the process to the enactment of the Data Protection Act, 2019.

The journey to enactment of the Act was protracted. A Data Protection Bill was first floated more than eleven years ago and State and commercial interests consistently torpedoed discussions on the Bill. At some point there were multiple draft Bills presented for consideration; some crafted to derail or slow down possible enactment of a data governance law.

Without the petition that challenged the constitutionality of the Huduma Namba for not having right to privacy protection, the Data Protection Act would never have been enacted.

Promoters of the Huduma Namba mocked data protection advocates that the State had so much data on Kenyans and that it was a fool’s errand to ‘derail’ Huduma Namba on account of the right to privacy.

My scepticism is further heightened by an analysis of the Data Protection Act. One, as crafted, the Act requires several regulations to be put in place to fully operationalise it.

These include regulations on thresholds required for mandatory registration of data controllers and data processors, guidelines for carrying out an impact assessment, practice guidelines for commercial use of personal data, measures to safeguard a data subject’s rights, freedoms and legitimate interests in connection with the taking of decisions based solely on automated processing and what data may be localised for strategic reasons.

This means entities in public and private sectors will cite lack of regulations as reason for their non-compliance to the Data Protection Act.

While the Act provides that the Data Protection Commissioner is responsible for the regulating personal data protection laws, the ICT Cabinet Secretary also has roles under the Act. The existence of these two centres of power in regulating compliance to personal data protection principles is bound to create a conflict.

Third, the Act provides that the Data Commissioner is to collaborate with security organs and that processing of personal data is exempt from the provisions of the Act if it is for national security or public interest.

From history, national security and public interest have been defined broadly by the State to infringe on fundamental rights and freedoms. Mandating the Commissioner to collaborate with security organs has the potential of relegating the Data Commissioner to rubber stamp for State organs when they wish to go against constitutional principles.

Perhaps we should adopt a cautious but optimistic mind set that the Data Commissioner will overcome the gaps and challenges in the face of the law.

However, most data protection authorities around the world are plagued with underfunding, under staffing, State interference and general lack of capacity to take on multinational corporations that are among the largest culprits in infringing on the right to privacy.

Going back to the BBI proposal that aims at taming surveillance capitalism and protecting personal data of citizens, what about protecting personal data from extrajudicial action and surveillance by the government?

Will political parties stop using entities such as Cambridge Analytica that illegally collect personal data for political purposes?

BBI is also silent on remedying the gaps in the Data Protection Act.  I doubt if the BBI proposal on personal data protection will offer much recourse in view of the history around personal data protection regulation in Kenya.

-The writer is an advocate of the High Court of Kenya and a privacy and data protection specialist.

[email protected]