The year 2019 will forever be etched in the annals of law as the epoch when Kenya joined the league of nations which have recognised the value of personal information and taken bold legislative steps to protect privacy as a fundamental human right.
Although the right to privacy is enshrined in our Constitution, there has, until now, been no legislative framework to actualize it. The enactment of the Data Protection Act, 2019 is, therefore, an important milestone as personal data continues to dominate the global market-place as the most valuable asset in the hands of any business.
Unlike intellectual property which requires substantial effort and resources to create and commercialise, the uniqueness of personal data is that despite its high premium, it is quite easy to collect, analyse and use at almost no cost. Take, for instance, the number of times you have had to give out your name, address, identity card number, phone number, age, occupation and, sometimes, even a photograph to a complete stranger without imposing any conditions whatsoever on how he should use such intimate information. Each time you pay for goods/services using mobile money, a credit or debit card, you are sharing a host of your personal data with merchant stranger without having any control over what he may do with it or who he may share it with.
By simply aggregating and analysing such personal information, a smart business is able to compile an almost picture-perfect profile of your good self and use it to create a precious repository of marketing information targeting customers of your income bracket and lifestyle. It gets worse. Since your contact details are already out there in the hands of strangers, you may start receiving unsolicited marketing information and all manner of offers from establishments that you may never have interacted with before, urging you to buy products and services that you do not know that you need. Oftentimes it is almost impossible to unsubscribe from such channels despite the irritation they cause. The bigger concern, however, is the fact that someone has accessed, processed, stored and is using and sharing your personal information for commercial gain without your knowledge or consent.
It is shuddering to have to face and accept the reality that in this era of big data, each time you share your personal information in the course of a legitimate transaction like buying an air ticket, checking into a hotel, logging into a website, entering an office building or parking your car, you are, in effect, giving away the ingredients required for the compilation of your personal profile and, sometimes, that of your family by a stranger with ulterior commercial motives. The use of such information for commercial purposes not only violates your dignity as a person but makes you feel insecure and vulnerable. As strange as it may sound, prior to the enactment of the Data Protection Act, 2019, you would have had no remedy whatsoever for such gross invasion of your privacy.
The main objective of the Data Protection Act, therefore, is to confer upon every person living in Kenya the right to prevent the abuse of his personal information and to regulate the manner in which such information can be obtained and handled to avoid the violations illustrated above. In particular, you will have the right to be informed of the specific use to which your personal information is to be put, access it on request, object to the processing of the whole or any portion of it and demand the correction or deletion of any false, misleading or inaccurate information about you.
The new law borrows heavily from the best practices in the world including the now famous European General Data Protection Regulation (GDPR) adopted by the European Parliament in April 2016 but which only became operational in May 2018.
The term “personal information” is broadly defined in the Act to include practically every conceivable aspect of information relating to an identified or identifiable human person. Incidentally, the law only protects information belonging to human beings as opposed to corporations.
In terms of geographical scope, just like the GDPR, the Kenyan statute has extra territorial application. Data controllers and processors based outside Kenya such as airlines and hotels which process personal information of people located in Kenya, are caught by the Act. It is highly probable that as more countries enact GDPR-compliant laws, it may only be a matter of time before a global enforcement mechanism based on the principle of reciprocity is devised. Soon there may be nowhere to hide for infringers of privacy.
The Act has three protagonists, namely, the data subject, data controller and data processor. The data subject is the person to whom the information belongs. The data controller is the entity that determines the purpose and means of acquiring the personal information such as a bank or a law firm. The data processor is the entity that collects, records, organises, stores, retrieves or discloses the personal data collected by or on behalf of the data controller.
Data controllers and processors will be required to register with the Data Protection Commissioner (DPC). However, since almost every business is a data controller, it would be practically impossible to require all of them to get registered. The law, therefore, allows the DPC to prescribe the applicable thresholds for mandatory registration based on factors such as the nature of the industry, volume of data involved and whether any sensitive data is being processed. This is a huge relief to SMEs which may not have the wherewithal to register.
Businesses whose core activities involve the collection and monitoring of data subjects or routinely handle sensitive personal information are required to employ data protection officers (DPOs) to manage issues of data protection as a special assignment. DPOs must have the relevant skills and knowledge relating to data protection to enable them to advise their employers appropriately on all matters relating to data protection and to ensure compliance with the Act. Universities and colleges should seize this challenge as an opportunity to start offering data protection courses sooner rather than later.
The heart of the Act comprises the principles of data processing which are largely borrowed from the GDPR. The bottom line is that personal data must be processed in accordance with the data subject’s right to privacy; lawfully, fairly and in a transparent manner; for an explicit, specified and legitimate purpose; adequate, relevant and limited to only what is necessary in relation to the purpose for which it was processed; kept in a form that identifies the data subject for no longer than is necessary for the declared purpose; and not transferred outside Kenya without the consent of the data subject and proof of sufficient safeguards of protection in the foreign country.
The underlying requirement throughout the Data Protection Act, 2019 is that no personal information should be obtained, processed or used without the express or implied consent of the data subject. There are, however, situations when consent is not required, namely, in the performance of a contract entered into by the data subject, in compliance with a legal obligation, in the public interest, or for historical, statistical, journalistic, literary, artistic or scientific research purposes.
Personal data processed only for research purposes is exempt from the Act provided that the results of the research are published in a manner that does not identify the data subject. This provision brings relief to research institutions and NGOs.
Personal data may also be processed without consent if it relates to purely personal and domestic purposes, is necessary for national or public interest or disclosure is required by law e.g. in criminal prosecutions.
Organisations engaged in the processing of personal data are required to have appropriate organizational and technical measures to safeguard the data against unauthorized access (hacking). Such measures may include pseudonymisation and encryption to ensure that in the event of hacking, the data is unintelligible and therefore of no use to the hacker.
The liability of data controllers and processors is not diminished by the fact the hacking was beyond their control or that they could not have prevented it. The liability arises due to their inability to install effective measures to not only prevent the hacking but ensure that in the event of such eventuality the personal information has been rendered useless to the hackers. The analogy appears to be that when a bank is robbed, its customers do not lose their deposits. Businesses will therefore have to invest in these measures.
In the event of a hack, the data processor must notify the data controller within 48 of becoming aware of the incident who should, in turn, notify the DPC within 72 hours.
The Act creates a separate category of personal data called ‘sensitive personal information’ which calls for a higher level of protection. This comprises a person’s most intimate details such as race, health status, ethnic/social origin, conscience, belief, genetic data, biometric data, property details, gender, sexual orientation, marital status and names of family members.
As a risk mitigation measure, businesses will have to evaluate the necessity of all the personal details which they normally require from data subjects and limit it to the most essential information.
Information relating to the health of an individual may only be processed by or under the supervision of a healthcare provider or a person bound by a professional confidentiality obligation. Employers will therefore have to ensure that their human resources personnel execute confidentiality agreements.
Transfer of personal data outside Kenya is highly regulated. No personal data may be transferred outside Kenya unless a) the data controller/processor has satisfied the DPC that the country to which the data is to be transferred has sufficient safeguards for the protection of the data; b) there are compelling legitimate reasons for the transfer and c) that the transfer is necessary for the specific purposes enumerated in the Act such as performance of a contract between the data subject and either the data controller or data processor.
It will therefore no longer be possible to export personal data to countries which have no effective data protection laws. The burden of proving the existence of such safeguards lies on the data controller/processor.
In certain cases, the Cabinet Secretary may require that the data centres of such organisations shall be located in Kenya in order to secure the strategic interests of the country.
The Act contains stringent provisions for the protection of personal information relating to children and minors. Personal information relating to minors may only be processed with the parent’s/ guardian’s consent and must be processed in a manner that protects and advances the interests of the child.
Organisations are required to incorporate age-verification mechanisms in their systems in order to obtain parental /guardian’s consent. It remains to be seen if such mechanisms will be able address the risk of minors impersonating their parents/guardians while using online platforms.
It will also be unlawful to subject a data subject to a decision based solely on the automated processing of his personal information including profiling e.g. a loan application should not be rejected on the basis of the data subject’s profile generated solely by a bank’s software without human involvement in the assessment of his credit-worthiness.
Businesses will pay a heavy price for breach of the data protection provisions. Using the GDPR as a bench-mark, the fines and penalties imposed for breach of data protection laws globally are generally steep and Kenya will be no exception. The general penalty under the Act is a fine of up to Ksh.3 Million or imprisonment for a maximum of 10 years or both. In addition, the DPC may impose penalties of up to Ksh.5 Million or one per cent of the undertaking’s annual turnover of the preceding financial year, whichever is the lower.
The Act also contains consequential amendments to 12 other statutes under which personal data is processed including the Births and Deaths Act, Employment Act and Kenya Citizenship and Immigration Act, among others. The processing of personal data under those statutes shall be done in accordance with the principles set out in the Act.
This law opens up a whole new arena of litigation by data subjects against organisations that hold and misuse personal information or are negligent in protecting such information.
Going by the quantum of fines and penalties that have been slapped on global behemoths for breach of the GDPR, Kenyan businesses can only ignore this legislation at their own peril. In July, 2019 British Airways was fined GBP 183 Million (Ksh. 23 Billion) while the Marriott Hotel was fined GBP 100 Million (Ksh.12 Billion). Google also suffered a US$ 56.8Million (Ksh.5.9 Billion) fine.
To mitigate risks, business will need to develop appropriate data protection policies, compliance matrix and an implementation framework.
Although the commencement date of the Act is 25 November, 2019, its implementation requires substantial financial resources which, given the current state of the economy, may not be immediately available. It will take a while before the necessary administrative and enforcement infrastructure has been set up including the recruitment of the DPC through a competitive process, acquisition of office space, recruitment of staff, among others. More importantly, the regulations will also need to be drafted, subjected to public participation and Gazetted.
Gazing at our crystal ball, it is perhaps not too far-fetched to predict that the impact of the new law may only be felt after the next Budget. Businesses would be well advised to take advantage of this window to get ready for compliance before the new sheriff hits town.
The article was featured in the Business Daily on 17 December and can be accessed here.