Weak privacy laws expose Kenyans to data brokers

The company creates advertising profiles for Internet users who have never used the app.

The revelations, however, did not seem to raise much dust in Kenya despite the fact that the country is home to the third-largest population on Facebook in Africa and was mentioned on several occasions as having been a victim of Cambridge Analytica’s divisive online campaigns.

Experts now warn that failure by the government to implement crucial legislation to protect online users is leaving millions of Kenyans exposed to exploitation by multinational technology firms and data brokers.

This follows reports that the State is planning to collect even more personal information from Kenyans.

Details contained in the Miscellaneous Amendments Bill, 2018 indicates that the government seeks to create a database with every Kenyan’s biometric data including fingerprints, retinal scans and DNA.

The proposed law, however, does not explain the rationale for the establishment of the database nor a plan of how the data will be collected, secured or who will be allowed access.   

Industry stakeholders have further raised questions over the motive behind the new legislation while crucial bills such as the Data Protection Bill 2013 and the Cyber Crimes Bill 2017 are still stuck in parliament. “This is extremely reckless without a data protection law,” said Sidney Ochieng, a data scientist and a member of the Kenya ICT Network, KICTANet. “Already, we are worried about how the government is using the data it has about us and now we want to take it all and put it in one place?”

Mr Ochieng reckons that collecting additional biometric data will be expensive to taxpayers who have not even been informed of the reasons behind the establishment of such database.

In addition to collecting data through the National Integrated Identity Management System, the government is also seeking to collect biometric data on more than three million secondary school children through the proposed State insurance scheme announced earlier this month.

Bill of Rights

This has fuelled calls for a review of Kenya’s existing and proposed laws governing Internet use to protect users data from exploitation from third parties.

Article 19, a global rights lobby that defends freedom of expression has raised concern that Kenya’s Cyber Security Bill 2017 needs review before it is passed as it contains inconsistencies with the country’s Bill of Rights.

Article 19 says the Bill is too fragmented in the definition of and penalty for cyber offences leaving too much room for abuse.

“The Bill contains separate offences for unauthorised access and interception and separate offences for computer forgery and fraud,” said the rights body in its review in part. “The substantial overlap between these offences creates concern that individuals will be charged under separate offences for the same crime enhancing the risk of excessive criminal liability.”

In addition to this, the Bill proposes disproportionate restrictions to Internet users that are ambiguous and infringe on their rights to expression.

“Offences criminalising the exchange of particular types of content including false publications and communications that “detrimentally affects a person” are likely to violate Kenya’s obligation to respect and ensure freedom of expression,” said Article 19 in its report.

“These offences are excessively broad and provide the authorities largely unfettered discretion to prosecute individuals for expression and communication that is perfectly legitimate and lawful.” This is not the first time the government is on the spot for introducing policies that infringe on users’ right to privacy and freedom of expression.

Recently, the High Court blocked a plan by the Communication Authority of Kenya (CA) to install a system that would allow monitoring and collection of mobile phone users information.

Earlier last year, the CA wrote to Safaricom, Airtel and Telkom Kenya directing the mobile service providers to provide access to government engineers to install a device management system (DMS) on their networks.

CA argued that the system was for identifying and blocking counterfeit devices and that the operator had previously agreed on installing the same.

However, Safaricom led the opposition to the DMS arguing that it would give the government full access to subscribers’ personal data including phone calls and messages.

“The decision to install the devices without consultation is arbitrary as the law does not grant CA powers to interfere with devices by tapping, listening to, surveillance or intercepting communications,” said Safaricom in its submissions in the case filed by activist Okiya Omtata.

Public sector

According to the head of data and analysis at consultancy firm KPMG, Brian DeSouza, Kenya, like most of the countries in the region, lags behind in adopting legislation on data protection, leaving most firms and agencies in both the private and public sector to grope in the dark.

“Unfortunately in East Africa, we are not prepared in matters data protection and there is no complete legislation in Kenya as yet governing the issue,” he said.

Mr DeSouza said insufficient laws and strategy on managing the massive flows of data churned out by Kenyan consumers not only exposes users to unscrupulous data brokers but also limits growth opportunities for companies and public agencies.

“The Cambridge Analytica scandal has alerted consumers to some of the ways their data can be used by companies without their knowledge and they are going to ask for more accountability moving forward,” he said.

In less than one month, the European Union’s General Data Protection Regulations (GDPR) come into force introducing new rules for firms and State agencies that handle consumers’ data.

The laws largely drafted by Germany which has reputation for developing strict legislation to protect citizens’ online privacy and apply to residents of the 28-member EU bloc irrespective of their physical location.

This means any firm processing data of an EU member-State citizen or resident, has employees based in an EU member State, offers goods or services in an EU member state or has a partnership with an EU business will be subject to the new law.

Already, technology companies such as Facebook, Twitter and Apple have started alerting their users to expect new changes starting May 25th as firms rush to comply with the directives.

The laws that propose fines of up to four per cent of a company’s global turnover do not just apply to technology companies.

Airlines, telecommunication companies, banks, insurance companies, global couriers and numerous other service providers that deal with clients across national and virtual borders.

“There is a level of compliance required of companies that handle data from EU citizens even if they are based in Kenya,” explains DeSouza. The GDPR also requires companies to inform consumers they are storing or processing their (consumers’) personal data - giving reasons why they are holding such data, how long they plan to hold it, and the interest the company has in the data.

Firms will also have to provide consumers with access to their personal data as well as the right to have the data erased or restrict it from being processed.

Failure to adhere to the provisions of the GDPR could result in fines of up to Euros 20 million (Sh2.5 billion) or four per cent of a firm’s global annual turnover.

In special circumstances, users can ask firms to delete the personal data they hold including when the data is no longer serving the original purpose.

In Kenya, the State and regulators still lag behind in passing data protection and privacy laws even as global tech companies continue to roll out products that prey on private data.