The European Union parliament last year voted on a new set of legislation that spelt out how companies and institutions handle the personal data of individuals they interact with.
The new laws, known as the General Data Protection Regulation (GDPR), were developed as a response to growing concern that consumers are losing control of their personal data and privacy to businesses that are increasingly engaging in data analytics to gain a competitive edge.
The GDPR came into force in May last year but will not apply until May 2018, and Kenyan firms that transact business with any country in the 28-member EU bloc will be expected to adapt to the new legislation.
Intellectual property lawyers are further warning that many Kenyan firms remain oblivious to the impending data protection laws that require companies to radically change how they handle their customers’ personal information or risk billions of shillings in fines.
“Although it is an EU regulation, the GDPR will undoubtedly have implications for countries in Africa,” says Juliet Maina, an advocate at Trippleoklaw Advocates Nairobi. “Unlike the previous Data Protection Directive, the GDPR will operate extra-territorially so as to apply to EU data subjects irrespective of their location.”
Any company that processes the data of an EU member state citizen or temporary resident, has employees based in an EU member state, offers goods or services in an EU member state or has a partnership with an EU business falls under the law.
This includes Internet service providers, airlines, mobile phone service providers, banks, international couriers and numerous service providers that often deal with clients across national and virtual borders.
“The regulations not only apply outside the EU borders, but also carry very hefty fines for non-compliance,” says Ms Maina. “Failure to adhere to the provisions of the GDPR could result in fines of up to €20 million (Sh2.5 billion), or four per cent of global annual turnover.”
Under the new rules, companies will be required to inform consumers that they are storing and/or processing their personal data, giving the reasons why they are holding that data, how long they plan to hold it and the interest the company has in the data.
Companies will also have to provide consumers with access to their personal data as well as the right to have the data erased, or to restrict it from being processed. In special circumstances, users can ask companies to delete the data they hold, including when the data is no longer serving the original purpose for its collection.
Ms Maina says the GDPR not only places more pressure on companies to be more transparent and seek more consent when dealing with consumers’ personal data but also demands that the Government and regulators update data regulation to conform to the same standards.
“The GDPR also introduces prohibition of cross-border transfers where there is no adequate data protection in the corresponding country,” she says.
“This essentially means that African countries that have previously been engaging with EU member states will be restrained from doing so until they can prove compliance with the GDPR, or can demonstrate a certain level of data protection.”
Currently, Kenya does not have a dedicated data protection law, with the Data Protection Bill (2013) stuck in Parliament. This is despite the country being ranked top globally in terms of mobile adoption and being home to the continent’s fourth-largest community on both Facebook and Twitter.