President Uhuru Kenyatta’s assent to the Data Protection Act 2019 portends new dynamics for tech firms and people on the use of information.
The Act introduces new controls on how public and private entities handle, process and transact with Kenyans’ data.
The move comes at a time when many Kenyans have surrendered their data to the State agencies during Huduma Namba registration as well as financial technology firms and social media that may abuse such data.
The new law came into effect the same day the President met with Amazon Web Services (AWS) executives led by Vice President Teresa Carlson, with the firm planning to set up operations in Kenya.
The Head of State said Kenya has the requisite infrastructure and educated young population to support the establishment of an edge location by Amazon.
“I am delighted to welcome AWS’s investment in Kenya,” said the president. “The launch of Amazon CloudFront will put us in the forefront of accelerated innovation - enabling startups, enterprises and our government agencies to focus on building the best user experience.”
The announcement brings out the delicate balancing act that the State will have to make to promote the expansion of tech-multinationals into the country as well as protect the interests of Kenyan consumers and firms.
This means the enforcement of the Data Protection Act 2019, a piece of legislation that has been years in the making, will determine the success of regulators to protect the interest of Kenyan consumers from exploitation by multinational tech giants.
Amazon has over the past decade grown into the world’s largest online retailer and this year became the world’s most valuable company worth more than Sh30 trillion. The meteoric rise of Amazon has largely been on the back of personal consumer data. From its online store to streaming services and digital home assistants, the company has access to valuable data on consumer behaviour, patterns and trends. Such information is analysed and used to create products and services that almost always strike gold in the market.
The success of Amazon and other technology giants such as Facebook, Netflix and Uber has however raised concern that large multinationals are raking in billions of dollars from users’ data without any value accruing to owners of the data.
In Kenya, the success of fintech providers such as Branch, Tala and Safaricom’s Fuliza have all exemplified the value of mining consumer data.
Tala and Branch last year topped the list of most heavily invested start-ups in Kenya with Branch announcing a Sh17 billion in debts and equity investment earlier this year to expand its loan portfolio.
Last year, Tala announced it had raised Sh5 billion in its third round of investment - bringing its total financing to Sh10.5 billion and in just nine months, Kenyans borrowed Sh140 billion from Fuliza.
A recent report by the United Nations Conference on Trade and Development (UNCTAD) noted that increasing digitisation from businesses, governments and individuals has created a data economy that is expanding in unprecedented speed.
Feeding our personal information into these data behemoths has created an asymmetrical relationship between consumers and data companies that governments and regulators are only beginning to realise. According to UNCTAD, the US and China account for 90 per cent of the value of world’s 70 largest digital platforms with Europe’s share at four per cent and Africa and Latin America at just one per cent.
Thought the data protection law will reign in the power of tech giants, its success is dependent on how the various State organs implement it.
The yet to established Data Commission will be tasked with formulating and implementing data awareness programmes, monitor and investigate complaints regarding violation of the laws.
The Commission’s set up is likely to mirror the Public Complaints Commission (The Ombudsman).
Users can lodge a formal complaint with the Commission in writing or orally for prescribed action that could range from dismissal of the complaint to recommending investigations on the accused individual or agency.
Companies will, however, be required to inform the Commission in instances where the personal data of users under their care has been lost or stolen for instance through a cyber-attack. This will entail a budget to establish directories and hire staff specialised across the various sectors.
In comparison, the Commission on Administrative Justice was allocated Sh565 million in the 2019/2020 financial year.
Aside from the massive financial and skills resources required to establish the Data Commission, the judiciary and the industry regulators will be key to the successful enforcement of the data law.
While the law makes it implicit for private and public entities to obtain informed consent from users, processing or transferring their data, numerous loopholes can be exploited.
According to the Act, firms can collect personal data without notifying users in instances where the information is publicly available or where a user has authorised its collection from a third party.
Users’ consent can also be waived in cases where the information being sought is will help detect or prevent crime or threatens national security. Privacy experts say this gives State security agencies a leeway to carry out blanket surveillance and data collection under the guise of national security.
Data privacy watchdog Privacy International last year’s report says Kenyan security agencies routinely work with mobile service providers to carry out surveillance on users outside the confines of the law.
The report notes that Kenya’s spy agency- the National Intelligence Service (NIS) has direct access to telecommunications networks and can even bypass mobile service providers to access users’ data.
“Telecommunications operators end up handing over their customers’ data because they largely feel they cannot decline agencies’ requests, in part due to the vagueness in the law and telecommunication industry regulations,” reads the report in part.
Commissions and independent state bodies have found it difficult to rein in the executive and legislature from violating public finance legislation and the new Data Commission is unlikely to be different unless strict enforcement is realised.