The Data Protection Act as a tool for permitting innovation and consumer safety in Kenya’s digital finance market


By Mercy King’ori


There is a common perception that the law clashes with innovation. The narrative perpetuated by this perception is that the law focuses only on protecting the rights endangered by a particular innovation and never on permitting it. Undeniably, regulation can be used to discourage innovation by prohibiting the exploration and adoption of certain innovative technologies and/or by increasing the cost and uncertainty of developing such innovations. However, in some parts of the world, this perception seems to be slowly fading away as regulators realise how heavily regulation and innovation depend on each other.

The close linkage between the two has seen regulators begin to use regulation as a means of permitting innovation while at the same time safeguarding human rights. This is the case in the European Union (EU). In 2018, the General Data Protection Regulation (GDPR)[1] and the Payment Services Directive 2 (PSD2)[2] came into effect. The PSD2 was the catalyst for an innovative model of banking known as “open banking” in the EU.[3] To a great extent, the PSD2, as the enabling legislation, ensured that consumers were offered the much-needed data protection that comes with this form of banking.[4] On the other hand, the GDPR, as the overarching data protection legislation, contains certain provisions that would mandate open banking providers to be conscious of consumers’ privacy.[5]

This post posits that Kenya has a similar opportunity to use certain provisions of the recently enacted Data Protection Act (DPA) to nurture innovation, in particular in the digital finance market. At the same time, the implementation of the DPA will offer privacy solutions to address existing data protection challenges that affect this industry.[6] For example, some digital lending applications have been accused of accessing a borrower’s personal contact list and sending messages to the people on it.[7] The digital finance sector has proven to be an innovative solution to the financial exclusion that plagues Kenya.[8] It is still a nascent area with room for more innovative solutions. According to a report by Financial Sector Deepening (FSD), the market for digital financial services “offers untapped opportunities for financial service providers”. However, massive privacy violation threatens its growth.

The EU Case

In 2018, the PSD2 was implemented, introducing an innovative form of banking known as “open banking”. Open banking is a collaborative model in which banking data is shared through APIs between two or more unaffiliated parties to deliver enhanced capabilities to the marketplace.[9] PSD2 is supposed to ensure that banks will create mechanisms to enable third party providers (TPPs) to work securely, reliably and rapidly with the bank’s services and data on behalf of, and with the consent of, their customers.[10] The goal is to break down banks’ monopoly on their users’ data.[11] Simply put, the PSD2 seeks to permit TPPs to access the highly monopolised personal data held by banks and financial institutions. Key beneficiaries of the PSD2 have been financial technology companies (fintechs).[12] Fintechs are now developing innovative financial products around customer data that was previously impossible or difficult to access.

Compelling banks to open up customer account interfaces raises data protection concerns. In response, the PSD2 and GDPR provide useful core data protection remedies that address these concerns and help avoid possible abuse of personal data. For instance, both the PSD2 and GDPR have mandatory consent requirements: PSD2 requires that consent is obtained before providing payment services[13], and GDPR provides that consent must be obtained from a data subject before any processing of personal data.[14] Consent is one of the legal bases of lawful processing in GDPR.[15] In addition, GDPR provides the right to data portability, which allows a data subject to transmit data from one controller to another in a structured, commonly used, machine-readable and interoperable format.[16] This right is only available where the data processing is based on consent and contract.[17] Open banking gives practical effect to data portability. Open banking requires the transfer of information, and this right ensures that information from a willing customer is transferred in a seamless manner. The transfer enables effective open banking while allowing data subjects to retain a considerable amount of control over their personal data.

The Kenyan Situation

Digital financial services, especially digital money lending services such as Tala, have received high acceptance in Kenya.[18] They have revolutionised the country’s finance industry. As a result of the prominence of digital finance, Kenyans now save, transact and borrow digitally through services such as M-shwari.[19] However, there have been concerns of information privacy violation within this industry. FSD, in its analysis of the privacy provisions of commonly used digital finance platforms, found that all the surveyed lenders had shared and did share personal data with third parties, and that for most of them a customer’s acceptance of the terms and conditions amounts to consent for the lender to disclose the customer’s data.[20] This study by FSD was published in November 2019, while the DPA commenced on 25 November 2019. Applying the DPA to these terms and conditions shows that these lenders are in gross violation of its requirements.

Innovation in digital financial services is on the rise in Kenya as Kenyans demand more innovative and more accessible financial solutions. However, should such innovation happen at the expense of customers’ privacy? How can a balance between innovation and protection of privacy be struck? The DPA seems to provide the solution.

In the digital lending market, lenders must have a means of assessing the creditworthiness of borrowers. Therefore, customer identity in digital lending is the cornerstone of operation as there is no collateral given.[21] Lenders create a digital identity with information about the borrower to determine their eligibility. This process of creating digital identities has been the source of many information privacy issues, with lenders obtaining vast amounts of potentially intrusive personal information through long, difficult-to-read terms and conditions. Undeniably, accessing personal information is crucial to creating the identities, as that is the business model that facilitates the lending.

To explore the remedying power of the DPA in this digital finance-privacy dilemma, let us look at some of its provisions. The DPA allows commercial use of personal data.[22] However, there is a caveat. For personal data to be commercially exploited, it must be obtained with the consent of the data subject.[23] Consent makes any processing of data lawful. While lenders may argue that borrowers consent through the long terms and conditions, the Act is specific as to what is considered consent. Under the Act, consent is any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to the data subject.[24] This form of consent is often not obtained, which puts digital lending innovations at risk of violating data protection requirements. The Act stipulates that a data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data for a specified purpose. Therefore, the controller or processor should ensure that consent as provided is obtained before any processing of personal data.

A study by Privacy International in 2016 on protecting privacy/data as a means for protecting innovation showed that people are not willing to trade off privacy for the sake of innovative products.[25] To demonstrate this, the study cites research that involved saving on energy bills by installing a smart thermostat that would monitor a person’s movement in the home. Most people opted not to control their bills due to privacy concerns. Therefore, even though some borrowers are currently giving up their privacy when using the digital lending applications, it is not the preferred way. The practice may be short-lived, and only digital innovations that consider their customers’ privacy will endure.

The DPA is permissive in nature: it allows controllers to commercially exploit personal information on condition that they obtain consent from the data subjects. This will create more demand for such services as customers will feel safe using the applications. High demand will likely create opportunities for innovative yet privacy-conscious entities in the digital finance market.


The impact of the mandatory data protection requirements of PSD2 and GDPR can be directly linked to the operationalisation of open banking. This is one classic example of how the law can be used to spur innovation. However, the relationship is symbiotic. The result is a safe environment for growth for fintechs and safety for consumers. In Kenya, the digital finance market can borrow some lessons on how to encourage growth while ensuring consumer safety as it moves to implement the DPA. Increased adoption of innovation creates room and opportunities for more providers of digital financial products in the market, such as personalised financial management tools.



[3] Capgemini, ‘PSD2: An Open Banking Catalyst: Leverage Open APIs to Unlock New Business Opportunities’

[4] Kroft J, Kuijsten P, ‘How Banks Can Balance GDPR and PSD2’

[5] Kroft J, Kuijsten P, ‘How Banks Can Balance GDPR and PSD2’

[6] Privacy International, ‘Fintech: Privacy and Identity in the New Data-Intensive Financial Sector’ November 2017.

[7] Sunday F, Kamau M, ‘How Kenyans give up privacy for costly mobile loans’ accessed on 7 February 2020.

[8] Central Bank of Kenya, 2019 FinAccess Household Survey, April 2019.

[9] McKinsey & Company, ‘Data Sharing and Open Banking’, September 2017.





[14] Article 7, General Data Protection Regulation 2018


[16] Article 4, General Data Protection Regulation 2018

[17] Article 20, General Data Protection Regulation 2018

[18] Chege P, Kaffenberger M, ‘Digital Credit in Kenya: Time for Celebration or Concern?’ accessed on 7 February 2020.

[19] Suri T, Gubbins P, ‘How is digital credit changing the lives of Kenyans?’ Nairobi: FSD Kenya.

[20] Gwer F, Totolo E, ‘Digital credit audit report: Evaluating the conduct and practice of digital lending in Kenya’, 2019

[21] Privacy International, ‘Fintech: Privacy and Identity in the New Data-Intensive Financial Sector’, November 2017.

[22] Section 37, Data Protection Act 2019

[23] Section 37(1)(a), Data Protection Act 2019

[24] Section 2, Data Protection Act 2019

[25] Privacy International, ‘Protecting Innovations and Protecting Data: Can we have surveillance and innovation?’, 2016
