This is the first in a series of blogs where the CIPIT team analyses the principles of data protection as provided in Section 25 of the Data Protection Bill, 2019. This edition by Charles Lwanga Opiyo tackles sections 25 (a) and (b) of the Bill, which provide for the processing of data in accordance to the right of privacy, and processing data in a lawful, fair and transparent manner respectively. In this analysis, sections of the Bill that reflect the principles in 25 (a) and (b) are reviewed as well…

The central objective in the Data Protection Bill, 2019 (the Bill) is to give effect to the right to privacy (Article 31 of the Constitution of Kenya 2010), as is explicitly stated in the preambular section of the Bill. Section 25 (a) of the Bill reiterates the constitutional right to privacy in the context of data protection, stating that data controllers and processors shall ensure that personal data is processed “in accordance with the right to privacy of the data subject”. This article seeks to unpack the concept of privacy in the Kenyan Constitutional context and analyze how the same concept is reflected in the Bill. The Constitution shall be the test upon which the provisions of the Bill are reviewed.

The provisions of Section 25 (b) – i.e., that data be processed lawfully, fairly, and in a transparent manner – are also discussed in this post because of their intimate connection with the right to privacy.

It is also understood that principles in the Bill are similar to Europe’s General Data Protection Regulations (GDPR). This article will highlight such similarities.

What is privacy?

Black’s Law Dictionary defines privacy as:

“the non-intervention of secret surveillance and the protection of an individual’s information…”

This definition is quite neat; however, it does not consider instances of where privacy may apply, nor does it describe the parties that may be obliged to keep to the right to privacy. Within a rights and duties matrix, a more concise definition may be found in the constitutional framework of the right to privacy. The objective of the right is to prevent illegal and excessive intrusions into the lives and communication of citizens (see KHRC v Communications Authority of Kenya & 4others [2018] eKLR).

Privacy is found in Article 31 of the Constitution. The document states that privacy includes four duties:

• Refraining from searching the person or home of anyone;
• Not seizing people’s possessions;
• Avoiding revealing or requiring the submission of information regarding the family or private affairs of persons; or
• Not infringing a person’s communications.

The right to privacy is not absolute but is only limited to the extent that the Constitution provides. Article 24 (1) succinctly enumerates how a right may be limited, and the instances when this may happen. Such limitations may be only based on the law (as might be the case with the Bill, if it is enacted and deemed constitutional) and whether the limitation is reasonable and justifiable in a democratic society.

Privacy as contemplated in the Bill

Section 25 (a)

The obligation to process data in accordance with the right to privacy is reflected throughout the Bill. For instance, section 8 (1) (j) obligates the Data Commissioner (DC) to monitor trends in data processing to ensure there are no adverse effects on the privacy of individuals. Conducting “monitoring of this scale is a potentially expensive endeavor. The funding that the DC’s office shall receive must be able to meet this demand, and it is anticipated that a great deal of funding for this research may have been sourced from the Executive’s (i.e. the Ministry of ICT) interactions with Parliament.

This inference is based on the provisions of section 68 (3) of the Bill, which provides that the Cabinet Secretary is mandated to present the budgetary estimates of the Office of the DC to Parliament, ostensibly to source more funds. Thus, while the provision is forward-thinking on the face of it, its practical application may be left at the whims of the Executive, potentially limiting the independence of the DC. However, the DC is still empowered to source funds from external grants, gifts, endowments, and its daily operations per section 67 (b) and (c). This may give the Office some leeway in achieving its objective to monitor processing trends to better serve the data subject. Indeed if, at any time, the Office of the DC claims that “underfunding” is preventing it from doing a thorough job, CSOs and international donors should take note that providing funding to the DC may improve privacy issues (assuming, of course, that the DC can act relatively independently of the government).

Data controllers and processors are also mandated by the Bill in section 41 (1) to implement measures to secure personal data. Section 41 applies generally to all data controllers and processors on purpose. The intent of this provision is to ensure all natural or legal persons, public authorities, and agencies that determine how data is to be processed or engage in the actual processing of data are obliged to put in place safeguards that secure data (see section 2 for the applicable scope of the terms, “data controllers” and “data processors”). Providing for such obligations in the Bill is a natural expression of the Constitutional right to privacy.

Predictably, there is a “claw-back” clause within the Bill. Section 51 (2) (b) of the Bill provides that where data is being processed with national security or public order objective in mind, then all data protection principles would not apply to this form of processing. This provision is suspect. Why? The executive arm of government is vested with the mandate of ensuring national security and public order (see Article 240 of the Constitution which establishes the National Security Council that is chaired by the President, the Head of the Executive). Therefore, the effect of section 51 (2) (b) is to allow the Executive to argue “national security” to seek exemptions from the Bill. Because instances, where the national security clause would apply, are not specified in the Bill, this breeds ambiguity.

There is Kenyan privacy case law that may render this provision unconstitutional based on the facts presented. The KELIN & 3 others v Cabinet Secretary Ministry of Health & 4 others [2016] eKLR is an instance where the Executive was prevented from collecting the health data of HIV/AIDS patients. This is despite the government arguing that the aim of the data collection was the provision of better health care and as such would ensure public order (see paragraph 105 of the case). The rationale of the courts would only apply if the Bill is challenged in court once enacted, to prevent the implementation of this law being curtailed by litigation (as was the case with the Computer Misuse and Cyber-Crimes Act, which was suspended for having unconstitutional provisions).

The Bill in section 24 (1) (b) and (c) also obliges processors and controllers to appoint Data Protection Officers (DPO’s) who are to monitor operations that may potentially infringe the privacy of data subjects, more so if the processing involves sensitive data. It is anticipated in this regard, that firms offering to act as DPO’s for multiple processors and controllers may emerge in the market (much akin to an independent auditing firm). This is a positive development that may lead to the creation of new job niches in the market. The International Association of Privacy Professionals (IAPP) estimated recently that 75,000 DPO positions will be required globally due to the GDPR. A similar situation could arise in Kenya, by mandating the utilization of DPO services.

Finally, the Bill in section 47 (2) (b), stipulates that sensitive personal data should be processed subject to further conditions; confidentiality being paramount. This principle has already been reinforced by Kenyan case law as well (see the  KELIN case). It must be noted that practically section 47 (2) (b) should not operate in isolation. If there is an expectation by the data subject that their health data should be held confidentially, the data collector/processor should demonstrate the measures being put in place to not merely keep the data safe (as section 41 (1) provides) but also ensure that the identities of the patients are not revealed to third parties..

Section 25 (b)

25 (b) acts as a guide for the DC in their assessments of data processing generally. It reflected in Article 5 of the GDPR as well. In section 8 (1) (e) the DC is mandated to investigate by its own motion (suo motu) or at the request of a public or private body whether data is being processed according to the provisions of the relevant law by public or private data controllers and processors. Practical situations that may prompt the DC conducting further investigation are complaints that are made to the office (per section 56) and instances of suspected non-compliance by data controllers/processors that may come to light via data protection impact assessments.

Section 8 (1) (e) empowers the DC to apply the research they may have gathered when observing data protection trends (see section 8 (1) (j) of the Bill). It also enshrines, to some degree, the independence of the DC by stating that it may make its own assessments. It can be assumed that the result of these assessments may be the application of the enforcement provisions found in Part VIII of the Bill. Practically, the DC should be able to utilise these assessments to enforce the Bill, such as making a determination on whether a data controller/processor its liable for the cancellation of a certificate of registration (per section 22 (b) of the Bill, which empowers a DC to vary or cancel registration due to failure to comply).

We note, however, that the Bill places a heavy burden on the DC by requiring it to seek out data protection violations. In some countries of West Africa, a better solution has been found. All government projects that involve any significant amount of personal data are required to seek approval by the Data Protection Authority. The Kenyan legal regime has a similar concept: government infrastructure projects need approval by the National Environmental Management Authority to show that they will not likely significantly harm the environment. In much the same way, we should mandate all government projects to receive approval by the proposed DC to show that they will not likely significantly harm people, such as by violating the right of privacy. In other words, government agencies should be going to the DC, rather than the opposite (as is provided in the current bill).

Transparency, one of the norms stated in 25 (b), is enshrined in the Bill in section 29 via the processor’s duty to inform data subjects of the use and type of data in their custody. These norms are reiterated for data collectors as well in section 28 (3), where the collection of personal data is to be done with a lawful, specific, and explicitly defined purpose. Legality is reflected in section 34 (1) (c) of the Bill as well. The provision restricts the processing of data that is unlawful and is not consented by the data subject (the principle of legality as presented in the Bill is reflected verbatim in Article 6 of the GDPR).

Concluding, the purpose of the principles in this Bill is to expand the right to privacy as contemplated by the Constitution. The principles do not act in isolation, they will be supported by precedence from Kenyan Courts that considered similar issues concerning privacy and data protection. It is also important for provisions such as section 51 (2) (b), that may potentially conflict with the Constitution to be amended. This shall prevent instances of litigation that may render the Bill partially suspended and hinder its progress towards enactment. Thus, the Bill in its current format may require an amendment to fully encompass the data protection principles of privacy and data processing that is legal, fair and transparent.