Major firms have opposed proposals to limit how they use personal data from millions of Kenyans, threatening the implementation of robust data protection laws.
The companies, including multinationals, want unfettered access to the data they have on their customers, some of which may have been collected without users’ knowledge.
The Privacy and Data Protection Bill, set to be tabled in Parliament in the coming weeks, contains proposals that dictate how companies handle their customers’ personal data and seeks to protect Kenyans who have had little say on how the information is gathered and used.
Some of the provisions that the firms are opposing include having to seek consent from users before exploiting their data for purposes other than what the data was originally intended for.
The Bill also requires firms to store data in servers physically located in Kenya and hire local professionals to monitor how the data is exploited and whether they are operating within the data protection laws.
There are currently a handful of local data centres, mostly owned and operated by Internet Service Providers (ISPs) such as Liquid Telecom, Safaricom, Telkom Kenya and Internet Solutions.
Safaricom’s data centre and the East African Data Centre operated by Liquid Telecom have both attained Tier 3 Certification, meaning they have satisfied international requirements on operation efficiency.
However, despite the presence of local hosting solutions, the majority of Kenya’s internet data is hosted on servers outside the country. This means internet traffic from Kenya has to be routed through servers in Europe and the US before it re-enters the local space and reaches the destination.
The private sector has in the past cited prohibitive costs and security as deterrents to local hosting and now opposes mandatory imposition of the provision through the proposed data laws.
“Tala recommends reconsideration or deletion of this clause as retention of data within physical servers would be cost-prohibitive for emerging companies in Kenya and mirroring of such data between physical servers and cloud servers is difficult, if not often possible, from a technical perspective,” said Rose Muturi, the country manager for InVenture Mobile, the firm behind micro lender Tala, in submissions to the Bill.
“To reduce such burdens, Tala recommends restricting of the requirement for data storage within Kenya to certain critical data (for instance, data critical for national security or related concerns) and revising such that the ability to access such data in Kenya is sufficient for compliance.”
Branch International, another mobile-based lender, also opposed the requirement to store data in Kenya on the grounds of additional financial costs.
“The investment required to establish and run servers and data centres which are able to offer a reasonably priced service runs into the billions of dollars,” the company said in its submission to the Bill.
“This is a high barrier to entry which limits the likelihood that the required infrastructure can be easily set up. From a commercial stand-point, Branch would only be able to use data centres and data servers which provide the required service at a price comparable to the current price offered by global competitors such as Amazon Web Services. Price is critical as it has a direct impact on Branch’s ability to offer an affordable credit service.”
Other firms opposed to the provision said it is misaligned with business reality and could undermine the benefits of cloud computing. “We believe firms should demonstrate that they have adequate disaster-recovery and back up plans and be given the flexibility to store data where most effective and appropriate, keeping in line with the requirements of the Bill,” Pauline Githugu, director for external affairs at M-Kopa Solar, said.
According to payments service provider MasterCard, data-localisation is detrimental to African economies. The company argued that prohibiting transfers or requiring expensive ‘mirror’ storage will prevent the operations of many fintech companies in Kenya, weaken key elements like fraud prevention analysis and lead to the country being cut off from the international digital economy.
Local service providers such as Kenya Commercial Bank (KCB) also defended companies’ decisions to host data externally, saying the government could still ensure the integrity of local data hosted outside the country.
“There needs to be a concerted and deliberate effort to ensure the amendment of the above clauses,” KCB said in its submissions. “With modern technology like cloud computing, it is possible to ensure the sovereignty of data even when the data resides in another jurisdiction. The only consideration for the transfer or processing of data outside of Kenya is if the adequate security considerations with respect to the protection of personal data are met.”
Tala also opposes the requirement to hire Kenyan data protection officers, citing inadequate capabilities among local IT professionals and instead asks the government to give companies the leeway to appoint foreign personnel.
This concern has been raised on several occasions by both local and multinational firms who criticise the local IT curriculum offered by universities as out of touch with rapidly changing developments in the industry.
KCB cited a critical skills gap and recommended a transitional period. “There is a critical skills gap in the country as people who are equipped to execute the above mandate are few. There should be a transitionary period before the full implementation of the law to allow for capacity building,” it said.
The bank said the new law could give regulators and State agencies the leeway to seek out Kenyans’ personal data held by companies. “By this policy, revenue collection agencies, for instance the Kenya Revenue Authority should be restricted from demanding customer information unless under a clear process. (This) should include obtaining a court order or seeking arbitration before data is provided,” KCB said.
Another clause causing a headache in the private sector is one giving users the “right to be forgotten”, which mirrors the European Union’s General Data Protection Regulation (GDPR) that came into force in May. Under GDPR, companies that handle EU citizens’ data are required to get the consent of consumers to collect their personal data and provide consumers access to it as well as the right to have the data erased, or to restrict it from being processed.
In special circumstances, users can ask companies to delete the personal data they hold, including if they believe the data is no longer serving the original purpose for its collection.
Companies that fail to comply with GDPR face stiff penalties that could include fines of up to four per cent of their global turnover or €20 million (Ksh2.3 billion), whichever is greater. They can be fined even if the data has not been lost.
The “right to be forgotten” is currently at the centre of a landmark suit brought against internet giant Google in several EU states.
Local firms are also against this clause and want continued access to clients’ personal data even after they have ceased being their customers.
According to the Data Protection Bill, customers, who are the real data owners, can request service providers to erase their personal information once they stop being their customers.