Last year, CIPIT hosted a series of public participation fora over three months in response to a request for comment on a proposed Data Protection Bill originating from the Senate (the “Senate Bill”) and a similar policy that was formulated by the ICT Ministry (the “Ministry Bill”). The CIPIT events preceded a public participation event with a variety of stakeholders, held at the Louis Leakey Auditorium before the Privacy and Data Protection Taskforce on 5 October 2018.

The CIPIT events generated a great deal of discussion and informative content from the participants who consisted of stakeholders involved in the processing of data. The information collated during these events represented the varying positions and views held by participants and was synthesized into a cohesive set of documents that were presented during a meeting with the task force on 26 September 2018.

The legislative process is now at a crucial juncture, the Data Protection Bill is in the committee phase in the National Assembly. On Tuesday 16 July 2019, the Parliamentary Departmental Committee on Communication, Information and Innovation accepted Memoranda from the public on the 2019 Data Protection Bill.

Data Protection Forum

To initiate discussions, Article 19, The Kenya ICT Action Network (Kictanet) and CIPIT held the Data Protection Forum on 23 August 2018. There were presentations made concerning the proposed legislation. Article 19 and Kictanet are central participants in the freedom of expression and tech-policy reform space, and in collaboration with CIPIT, these institutions have been monitoring both the Data Protection Bill and the Computer Misuse and Cybercrime Act.

The audience was encouraged to discuss the way the state, data controllers and data processors (these are defined as persons that determine the manner in which data is being processed and also process data on behalf of the data processors) intended to handle their data as anticipated by the legislation. The context was provided via initiating deliberations with CIPIT’s report on the use of biometrics in Kenya’s last general elections.

Preliminary issues discussed included:

• The rights and duties of parties involved in data (the data subject, data processor, and data controller).
• Case studies, such as the proposal by the Ministry of Education to collect data from school-going children and incidences of ordinary persons receiving text messages from politicians, seeking their vote.
• The principles of data protection proposed in the Bills (to fully understand their proposed effect on the common public).
• The role that the envisioned Data Protection Commission would play, against the backdrop of proposals to have other bodies carry out the mandate of protecting the rights of data subjects and ensuring compliance.

After the discussions, the views presented were condensed into a five-point issues paper (find the paper here) that would set the foundation for discussions during the second event in the series, the ‘Data Protection Visioning Workshop’.

Data Protection Visioning Workshop

The second event in the series was a Data Protection Visioning Workshop (the “Workshop”) held on 20 September 2018. The workshop drew attendance from various stakeholders involved in data processing, collection, and regulation. Large players from industry, Kenyan regulatory bodies, small and medium-sized enterprises, and technology enthusiasts were robustly represented at the forum.

The forum was divided into six thematic areas covering the scope of the newly proposed laws on data protection. These included:

• The independence of the Data Protection Commission (DPC);
• The appointment of Data Protection Officers (DPO’s);
• The proposed registration system, digital identities of the data subject, modes of alternative credit scoring that are within norms of privacy;
• The limitation clauses of the new law;
• Cross border transfers; and
• Transition and implementation clauses

The objective of the discussions was to generate a series of proposals that would be presented to the Privacy and Data Protection Taskforce. To facilitate this, attendees were encouraged to act as principal moderators at the event.

A snapshot of the major resolutions reached during the event include:

• Creation of a fully-fledged Commission, which would, in theory, guarantee its independence.
• Placing the appointment of the Data Protection Commissioner under a competitive process determined conducted by the Public Service Commission, instead of an appointment by the Minister in charge of ICT (as the Ministry Bill proposes).
• Implementation of a tiered system of registration, where persons with a smaller “data footprint” are eligible for exemptions due to the much smaller amount of data being handled; the data subject should also be empowered to provide partial consent to services or withdraw consent entirely.
• Outright removal of exemptions based on blanket considerations such as national security and tax collection (which was found unconstitutional in Robert K. Ayisi v KRA & another [2018] eKLR case).

Content generated during the workshop is available here.

Taskforce Presentation

On 26 September, CIPIT presented its findings at the Communications Authority Headquarters, where the Privacy and Data Protection Taskforce was hosting various sector representatives to present their specific thoughts on the Bill. After a series of fruitful and informative discussions, CIPIT tabled a comprehensive report outlining the positions of the various parties involved in the Workshop and the Forum.

The workshop had managed to expound on issues from multiple perspectives. Areas under consideration were the:

• human rights position;
• the corporate responsibility aspect;
• the necessity of implementing a tiered system; and
• liability.

The human rights position was represented when discussing the scope of limitations of the Bill. Noting that providing the government with general exceptions that would allow the processing of data would allow the risk of the abuse of rights.

Corporate responsibility was elaborated as well. It was noted that companies handling data should be sensitive to the rights of their consumers (read: data subjects) and as such, must formulate policy to meet the demands of legislation.

There is also a need to tier the demands of the proposed law based on the size of data handled, the type of data handled, and the purpose of the data being collected. Finally, liability concerns came to the fore as well, there was a need to clearly distinguish the liability that attaches to data controllers and data processors as well as properly understanding the different roles they play along the data lifecycle (this article elaborates what the lifecycle is and the roles each actor within it has to play).

 The Way Forward

As mentioned earlier, there is a Data Protection Bill that has been tabled at the National Assembly. There have been some positive changes to the Bill, such as the inclusion of clauses to provide a clear source of funding for the Data Commissioner (the institution charged with governing data protection matters) in Section 67 of the latest version of the Bill and the possibility of seeking redress from the DC via the Fair Administrative Action Act as provided by Section 64. A great deal remains to be done however, to streamline the Bill to meet the unique demands of the Kenyan populace.

CIPIT has also done a preliminary commentary on the 2019 Data Protection Bill here.