Third party data sharing: Analysis of the Data Protection Bill, 2019
By Grace Mutung’u
This is the finale in our series on Data Protection principles espoused in the Data Protection Bill.
Clause 25 of the 2019 Data Protection Bill spells out the principles of data protection. Among these is the prohibition on sharing data with third parties without the consent of the data subject.
“Third party” is a term that originates from contract law. Traditionally, contracts are between two parties, and a third party is a person who deals with the contracting parties but is not party to the contract. In data protection, however, there are typically three parties: the person whom the data concerns (the data subject), the person who determines how the data will be processed (the data controller) and the person who actually processes the data (the data processor). In some cases, data is processed by the same organisation that is the controller. In other cases, it is processed by a third party processor. A third party processor would not typically require further consent to process data on behalf of the data controller.
For example, a manufacturing firm may outsource its payroll function to an HR firm. The manufacturing firm is the data controller, as it determines which data is collected and how it is processed. The HR firm is the third party data processor, and the employees of the manufacturing firm are the data subjects.
The Data Protection Bill envisages that the data controller will inform the data subject of the use to which their data is being put. Clause 26 lists the rights of the data subject. They include the right to be informed about the use of their data; the right to access their data in the custody of the controller or processor; and the right to object to the processing of all or part of their personal data. In the above example, the manufacturing firm would need to inform its employees that their personal data is processed by the payroll company.
In the event that the data controller or processor were to share the data with a third party, then the consent of the data subject would be needed. Clause 25(g) states:
Personal data should be released to a third party only with the consent of the data subject
An example would be where the manufacturing firm is negotiating car loan facilities for its employees, and the bank wants to analyse the manufacturing firm’s payroll data in order to develop a car loan proposal.
Consent is defined as any voluntary, specific and informed expression of will by a data subject to the processing of their personal data. The consent requirement is an important safeguard that protects data subjects from further use of their data, including sharing it with third parties. Data controllers will therefore need to carefully analyse any business relationships they enter into where personal data is concerned in order to comply with this requirement. They will also need to review all their existing outsourced business processes and vendor relationships to ensure that those involving personal data comply with the requirement of clause 25(g).
Clause 25(g) will therefore protect people from the misuse of their data in commercial agreements, because it anchors consent as the basis for data processing, particularly where third parties are involved. However, the Bill also spells out other bases for the processing of data. These are listed in clause 30(1)(b), alongside the exemptions in Part VII of the Bill. They include: contracts; compliance with legal obligations; legitimate interests which do not prejudice the rights of the data subject; public functions; historical, statistical or journalistic research; and law enforcement.
The Bill therefore empowers the individual by anchoring the individual’s consent as the default basis for sharing data with third parties. It however waters down this power by giving a wide range of exceptions to consent as a basis for data processing, including sharing with third parties. In comparison, the General Data Protection Regulation (GDPR) gives five other bases for data processing, apart from consent: contracts, legal obligation, protection of vital interests of the data subject, performance of a task carried out in public interest or in pursuance of official authority, and legitimate interests.
Although the GDPR also allows data to be shared with third parties without the consent of the data subject, its exceptions to consent are narrower. The additional bases in Kenya’s proposed law innovatively expand the uses of data by exempting uses such as research. However, there is a need to clarify the research exemptions to prevent the perpetual storage of personal data under the guise of research. In addition, the law should promote open knowledge by encouraging the free sharing of research derived from personal data.
The question of access to data by state agencies is a contested one. In previous iterations of a data protection framework, public agencies such as law enforcement and the Kenya Revenue Authority sought direct access to personal data. This, they argued, would make them more efficient in discharging their duties, for example in the fight against terrorism and the collection of revenue. CIPIT takes the view that the rationale for a data protection law should be the enhancement of the right to privacy in the digital age, not its limitation.
Perhaps the greatest test of the notion of consent prior to sharing personal data with third parties will be access to data by state agencies. The Bill must therefore address this issue by clearly contemplating how state agencies may access data held by their counterparts and by private entities. Coming at a time when there is great contestation about the government’s programme to build a digital database that collates and centralises all identity data, the Data Protection Bill ought to guide state entities on how to protect the right to privacy in the Huduma Namba project. One way to ensure rights-respecting data sharing would be to narrowly limit any access by state agencies to the functions conferred on them by the laws that establish them. This requires consequential amendments to bring such laws up to the data protection standards contemplated under Article 31 of the Constitution. At the end of the day, the efficacy of the proposed law will be measured by how well it enhances the right to privacy, ensuring that as the digital economy progresses, Kenyans are protected from hazardous data sharing.