It is very rare for foreign laws to have extraterritorial application in Kenya or any other country for that matter. One such law is the US Foreign Account Tax Compliance Act, popularly known as FATCA, which requires all non-US financial institutions, wherever situated on the globe, to search their records for customers who have any indicia of connection to the US and to report the assets and identities of such persons to the US authorities.
On 14th April 2016, the European Union adopted a data protection law with a similar extraterritorial effect. The General Data Protection Regulation, better known as the GDPR, came into force on 25th May 2018 and its effect is already being felt across the world following the imposition of hefty fines running into millions of dollars against some of the world’s largest multinationals. Although Kenya does not, currently, have a data protection law, local businesses face the same risk for breach of the GDPR provisions.
The advent of the information age has ushered in the era of big data which has, literally within the twinkling of an eye, catapulted personal data to the prime perch of the world’s most valuable asset, hence the new stringent measures to protect it.
The GDPR is designed to protect the personal information (data) of persons in the EU irrespective of their nationality wherever the breach occurs across the world. Its primary objective is to regulate the collection, recording and storage of personal data belonging to natural persons in the EU by any person within or outside the EU. Such activities are collectively known as “data processing”. For purposes of the GDPR, the European Data Protection Board defines a “person in the EU” as any natural person who is present in the EU at the time their data is processed. Thus, neither citizenship nor permanent residence in the EU is required for the GDPR to apply.
The GDPR only protects the information of natural persons as opposed to corporations. Trade secrets and other commercial information of a proprietary nature do not fall within the ambit of the GDPR.
The protected personal information includes, without limitation, a person’s name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It is unlawful to process personal information without lawful reasons which include the consent of the person to whom such information belongs (called ‘data subject’). Even where consent has been given, it would still be illegal to use such information for a purpose other than that for which it was initially given. Further, refusal to erase the information upon the request of the data subject is also prohibited. Where personal information was obtained for a specific purpose which has since been achieved, the continued storage of the information is illegal.
For liability to arise, the processing of personal information must relate to the offering of goods or services for sale or the monitoring of the behaviour of data subjects. Consequently, where a Kenyan business, say, a bank, curio dealer, hotel chain, travel agency, school, software developer or payment services provider offers to supply goods or services to persons in the EU, it would be caught by the provisions of the GDPR despite not having a physical presence in the EU.
The processing of personal data belonging to persons in the EU should be done lawfully, with consent, accurately, for a specified legitimate purpose, relevant and limited to what is necessary, processed in a manner that ensures appropriate security and not stored for longer than is necessary. Breach of any of these principles exposes the business to liability.
The GDPR acknowledges that in certain specified situations the express consent of a data subject may not be required but can be inferred or implied. For instance, where parties have entered into a contract, it is presumed that the performance of such contract will necessarily entail the receipt and retention of personal information. Similarly, there is no breach if the personal information is obtained pursuant to or in compliance with the performance of legal obligations or tasks carried out in the public interest, in exercise of official authority or in order to protect the vital interests of the data subject or of another natural person.
All data processors are required to implement effective organizational and technical measures to ensure the security, confidentiality and integrity of such data. The recommended measures include, among others, pseudonymisation (ensuring that personal data can no longer be attributed to a specific data subject without the use of additional information) and encryption (to conceal both the identity of the data subject and the information itself).
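The pseudonymisation measure described above is easy to get wrong: a plain hash of an ID number can be re-derived by anyone who can guess the ID, so the "additional information" the definition refers to (a secret key and a separately held mapping table) must genuinely be kept apart from the working data. The following is an added example, not code from the original article; it models a hypothetical hotel-booking dataset with constructed, fictional records and shows keyed tokens replacing direct identifiers, the separate re-identification mapping, and how an erasure request can be honoured by dropping the mapping entry.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample customer records (fictional people; hypothetical booking system).
CUSTOMERS: List[Dict[str, str]] = [
    {"name": "Amina Otieno", "id_number": "12345678",
     "email": "amina@example.com", "country": "FR", "stay": "Nairobi, 3 nights"},
    {"name": "Jonas Weber", "id_number": "87654321",
     "email": "jonas@example.com", "country": "DE", "stay": "Mombasa, 5 nights"},
    {"name": "Amina Otieno", "id_number": "12345678",
     "email": "amina@example.com", "country": "FR", "stay": "Nairobi, 1 night"},
]

# Fields that directly identify a natural person; they never enter the working dataset.
DIRECT_IDENTIFIERS = ("name", "id_number", "email")


def make_token(key: bytes, id_number: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the stable identifier.

    The same subject always maps to the same token (records stay linkable for
    analytics), but without the key the token can be neither reversed nor
    re-derived by hashing guessed ID numbers.
    """
    return hmac.new(key, id_number.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split each record into (a) a working record carrying only a token and
    (b) a token -> direct-identifier mapping, which is stored separately from (a)."""
    working: List[Dict[str, str]] = []
    mapping: Dict[str, Dict[str, str]] = {}
    for rec in records:
        token = make_token(key, rec["id_number"])
        working.append({"subject": token,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        mapping[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return working, mapping


def reidentify(token: str, mapping: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Only a party holding the mapping table can attribute a token to a person."""
    return mapping.get(token)


def erase_subject(id_number: str, key: bytes, mapping: Dict[str, Dict[str, str]]) -> bool:
    """Honour an erasure request: removing the mapping entry leaves the working
    records unattributable to that person. Returns False if nothing was held."""
    return mapping.pop(make_token(key, id_number), None) is not None


def leaks_direct_identifiers(working: List[Dict[str, str]]) -> bool:
    """Compliance check: the working dataset must contain no direct identifier field."""
    return any(k in rec for rec in working for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice held in a key store, not beside the data
    working, mapping = pseudonymise(CUSTOMERS, key)
    print("direct identifiers present:", leaks_direct_identifiers(working))
    print("working record:", working[0])
    print("re-identified:", reidentify(working[0]["subject"], mapping))
    erase_subject("12345678", key, mapping)
    print("after erasure:", reidentify(working[0]["subject"], mapping))
```

The working records alone are what analysts, vendors or backups should see; the key and the mapping table are the "additional information" that must be held under separate access control, since whoever holds both can undo the pseudonymisation. Note that fields such as location data can still single a person out, so pseudonymisation reduces risk rather than making the data anonymous.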
A further obligation imposed by GDPR which directly affects Kenyan businesses (including law firms, incidentally) is that any business that potentially targets clientele from the EU must, for purposes of GDPR compliance, designate a representative based in one of the EU countries where the targeted data subjects reside. This representative must cooperate with data protection authorities and maintain records of processing activities which the non-EU entity undertakes in order to ensure compliance with the GDPR.
Violation of the GDPR attracts hefty fines which vary depending on the gravity of the breach. The maximum fine is 20 Million Euros (Ksh. 2.3 Billion) or 4% of the total worldwide turnover of the organization’s preceding financial year, whichever is higher.
A few recent cases illustrate the potential risk that could befall Kenyan businesses that breach the GDPR. In July 2019 the UK Information Commissioner’s Office fined British Airways GBP 183 Million (Ksh. 23 Billion) for failure to implement sufficient measures to prevent the unauthorised access to its customers’ personal data. In the same month, the Marriott Hotel was fined GBP 100 Million (Ksh. 12 Billion) for breach of customer data. In January 2019 Google was slapped with a US$ 56.8 Million (Ksh. 5.9 Billion) fine by the French data protection regulator for failure to comply with its obligations under the GDPR.
The common thread running through all the above cases is the large volume of personal data which the fined companies regularly obtain from their customers. The writing is on the wall for Kenyan businesses which routinely handle high volumes of personal information from clients.
It is instructive to note that for liability to arise, the breach need not have been deliberate. Even where the breach is caused by the hacking of an organization’s IT system by vandals or cyber terrorists, the organisation would still be held liable unless it can demonstrate to the satisfaction of the data regulator that it had put in place adequate technical measures to safeguard the data against such risks.
Fortunately, since the coming into force of the GDPR, various legal compliance tools have been developed which, if well implemented, can significantly reduce the risk of breach.
The article was featured on the Business Daily on 5 September 2019 and can be accessed here.