Laws Applicable to Political Micro-Targeting in Kenya
The rise of online political microtargeting has caused governments to come up with initiatives to respond to the situation. Online political microtargeting has a number of risks such as invasion of privacy since it involves the collection of people’s personal data on a massive scale to identify their political preferences. The data collected can also be used for other separate purposes thus invading the privacy of data subjects.
There are a number of principles relating to the processing of personal data that should be observed. For instance the Kenya Data Protection Act 2019 provides that, ‘Every data controller or data processor shall ensure that personal data is collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes.’ 1 This provision is also reiterated in the General Data Protection Regulation (GDPR).2 If personal data is collected for other purposes other than the specified purpose it violates the above principle and also infringes on the privacy of a data subject.
Another important principle that should be observed when processing personal data entails lawfulness, fairness and transparency. This principle is enshrined in the Kenya Data Protection Act 2019 and it provides that a data controller or data processor shall ensure that personal data is ‘processed lawfully, fairly and in a transparent manner in relation to any data subject.’3 The same principle has also been reiterated in the GDPR.4 Data processing can therefore only take place where the data subject has consented to it or if it is covered by a legal permission.5 This principle also applies to online political microtargeting where personal data relating to a voter should be processed in a transparent manner. Political microtargeting however requires robust laws which will cover online political advertising and due diligence measures that should be observed when dealing with online political advertising.
In Kenya there is not yet a specific legislation that addresses political microtargeting. However, the laws discussed below are applicable to political microtargeting:
The Constitution of Kenya
The Constitution of Kenya is regarded as the supreme law of Kenya and the right to privacy is an important right which is enshrined in it. Every citizen is guaranteed the right to informational privacy as provided for in Article 31(c)6 of the Constitution. In order to give effect to this provision, the Data Protection Act was enacted into law in 2019.7
The Data Protection Act 2019
The Act regulates how personal data is processed8 and ensures that the data subject’s data is processed in accordance with the data protection principles provided for in the legislation.9 Personal data should be processed with regard to the right to privacy of a data subject,10 in a lawful, fair and transparent manner11 and should be collected for specified and legitimate purposes.12 The personal data should also be relevant to what is necessary in relation to the purposes for which it is processed.13
Consent is also required from a data subject before processing their personal data for a specified purpose.14 The data belonging to a voter can therefore be collected for targeting and micro targeting purposes if they have given consent for it to be used for such purposes.15 Additionally, due to the nature of such data, the rights and freedoms of a data subject may be at a high risk and therefore a data processor shall be required to perform a data protection impact assessment.16
The legislation also provides for sensitive personal data and this kind of data includes a person’s race, their biometric data and also their ethnic social origin.17The ethnic origin of a person can easily be identified by the name one holds and therefore this also becomes easy for political actors to target certain individuals.18 In such a case, a name can be placed in the category of sensitive personal data. If a political actor desires to process such data they will have to satisfy the conditions for processing personal data and one of the grounds for processing sensitive personal data19 provided for in Section 45 of the Act.
The Data Protection (General) Regulations 2021
The regulations provide that certain measures should be taken by the data controller or processor when processing personal data on the basis of consent. A data subject will therefore be aware of the implications involved in processing personal data. Section 4 of the regulations lists the information that a data processor shall inform the data subject of and some of these include the right to withdraw consent, whether the personal data that will be processed shall be shared with third parties and also the kind of personal data collected.
Such measures will hinder political micro-targeting since they will ensure transparency is observed and political actors don’t misuse personal data which they have obtained from data subjects. Additionally, a data processor who obtains consent from a data subject will be required to ensure that the consent was given voluntarily, it was specific to the purposes of processing and the data subject had capacity to give consent.20
The regulations also recognise that personal data can be used for commercial purposes through direct marketing and it occurs when a data controller or data processor advances commercial interests through ‘displaying an advertisement on an online media site where a data subject is logged on using their personal data…’21 The regulations provide that personal data can be used for direct marketing purposes by the data controller or data processor under certain conditions which include notification of the data subject that ‘direct marketing is one of the purposes for which personal data is collected.’22The other requirement is that the data subject should have ‘consented to the use or disclosure of the personal data for the purpose of direct marketing.’23
The right to object to processing is recognised in the regulations and it is also applicable where processing is for ‘direct marketing purposes which includes profiling…’24 If a data subject objects to the processing of his or her personal data for instance where it is obtained for political micro-targeting purposes, he or she can request for erasure or destruction of the data. 25 The regulations also provide the procedures that will be followed whenever a data controller or processor receives such a complaint. The measures will therefore play a key role in restricting political micro-targeting practices.
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
The regulations ‘provide for the procedure required for registration of data processors and controllers.’26The regulations will play a key role because without them the Data Commissioner would have a difficult time registering data processors and controllers and this includes political parties and candidates thus ensuring that the activities they engage in are monitored.27The regulations provide that a data controller or data processor is required to register as being a data controller or processor where personal data is processed for ‘canvassing political support among the electorate.’28
The Elections (Technology) Regulations, 2017
The regulations came into place to regulate the use of electoral technology by the Independent Electoral and Boundaries Commission (IEBC). Part V of the regulations deal with information security and data storage. The commission is required to come up with mechanisms to ensure confidentiality of data and measures to protect against attacks on election technology.29 These measures are important so as to protect voters’ alphanumeric and fingerprint data from being misused for instance through political micro targeting.
The IEBC maintains that its database has not been hacked to date since its data storage is not centralised. This is because it uses primary and secondary servers.30 The Commission also confirmed that it has an external disaster data recovery site31 which is in line with the requirements provided in section 25 of the Elections (Technology) Regulations.32
The Computer Misuse and Cybercrimes Act, 2018
One of the vices of political micro-targeting is that it has the capability of turning citizens into objects of manipulation and thus ‘undermines the public sphere by thwarting public deliberation, aggravating political polarization and facilitating the spread of misinformation.’33 The Computer Misuse and Cybercrimes Act makes it an offence to misinform an individual with the intent that the data relied on shall be acted upon.34
Another threat of micro targeting is with regard to privacy and especially data breaches. Once a hacker realises that there is a loophole when it comes to protection of data belonging to individuals, they can access databases containing personal data35 then misuse it. The Computer Misuse and Cybercrimes Act makes it an offence to intentionally or without authorisation intercept data and cause it to be transmitted to a computer system or telecommunication system.36
In conclusion, the above laws and regulations play a significant role in governing how data regarding voters should be handled which is important in protecting data subjects. However, there are certain gaps in these legislations that need to be addressed such as the lack of precise rules on the use of personal data for political micro-targeting and also lack of a clear definition of what political advertising entails. A single comprehensive law dealing with political microtargeting is therefore required since this is an emerging area and developments in the ICT sector will require legislators to come up with laws addressing specific sectors being affected by technological advancement including the political arena.
1 Section 25 (c) provides that, ‘Every data controller or data processor shall ensure that personal data is collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes.’
2 Article 5 (1) (b) provides that personal data shall be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.’
3 Section 25 (b)
4 Article 5 (1) (a)
5 Paul Voigt and Axel von dem Bussche,The EU General Data Protection Regulation (Springer 2017)
6 It provides that, ‘Every person has the right to privacy which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.’
7 Data Protection Act 2019, the preamble provides that the purpose of the legislation is to ‘give effect to Article 31(c) and (d) of the Constitution.’
8 Data Protection Act 2019, section 3 (a)
9 ibid section 3 (b)
10 ibid section 25 (a)
11 ibid section 25 (b)
12 ibid section 25 (c)
13 ibid section 25 (d)
14 ibid section 32 (1) provides that, ‘A data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose.’
15 Hashim Mude, ‘Political Micro-targeting in Kenya: An analysis of the legality of Data-Driven Campaign Strategies under the Data Protection Act’ (2021) 1(1) JIPIT 7-36
16 Data Protection Act 2019, section 31 (1) provides that, ‘Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.
17 ibid section 2
18 Mude (n 15) 19
20 The Data Protection (General) Regulations 2021, section 4(3)
21 ibid section 14 (2) (b)
22 ibid section 15 (1) (b)
23 ibid section 15 (1) (c)
24 ibid section 8 (4)
25 ibid section 12
26 The Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021, section 3(1)
27 Abdulmalik Sugow and Isaac Rutenberg, Securing Kenya’s Electoral Integrity: Regulating Personal Data Use (1 October 2021) < https://www.theelephant.info/op-eds/2021/10/01/securing-kenyas-electoral-integrity-regulating-personal-data-use/ > accessed 20 July 2022
28 Third schedule
29 The Elections (Technology) Regulations 2017 section 14
30 Dr. Robert Muthuri,Moses Karanja, Francis Monyango and Wanjiku Karanja, Biometric Technology, Elections and Privacy In Kenya < https://cipit.strathmore.edu/biometric-elections-privacy-kenya/ > accessed 20 July 2022
32 The Elections (Technology) Regulations 2017, section 25 (1) (a)
33 Frederick J. Zuiderveen, Judith Moller, Sanne Kruikemeier and Claes de Vreese, ‘ Online Political Microtargeting: Promises and threats for Democracy’ (2018) 14 (1) Utretcht Law Review 82-96
34 The Computer Misuse and Cybercrimes Act 2018, section 22(1)
35 Zuiderveen (n 33)
36 The Computer Misuse and Cybercrimes Act 2018, section 17(1)