Data Protection Bill 2013 Analysis.

Right to Privacy

The Right to Privacy enshrined in Article 31 of the constitution of Kenya  restricts the transfer of personal data and seizure of the same. The constitution further imposes an obligation to enact laws that uphold this right.

Data Protection and Privacy as distinct rights

While Privacy and Data Protection are very closely interconnected, they are not synonymous. Data protection is about securing data against unauthorized access, essentially a technical issue while privacy is about authorized access, a legal issue. Simply put, Data Protection is the tool the law uses to ensure privacy as a fundamental human right is protected. Sadly, technology alone cannot ensure privacy; most protocols remain vulnerable to misuse of information by an authorized user. Example; When you transact through Mobile Money, you are trusting the merchant and mobile money transfer system with your data’s protection; to make sure, among other things, cyber-criminals can’t access your account information and secondly, you are trusting them to honor your data privacy by not misusing the information even though you gave it to them. This imposes not just a technological burden but a legal one as well on the authorized user to guarantee privacy hence the Data Protection Laws.

Below is a brief analysis on the adequacy of the draft Kenya’s Data Protection Bill 2013 currently with the AG in imposing a legal burden/responsibility on authorized users while conferring rights on persons to uphold the right to privacy as provided for in article 31 of the constitution of Kenya.

Definitions

Personal data has been defined to include information about both living and juristic persons and the bill provides an extensive list to include, age, gender, race etc. Though extensive, this definition fails to capture data subject who can be identified not just directly but also indirectly from the information; for example, information related to remuneration, earned incomes and assets and IP addresses.

The Bill doesn’t recognize sensitive personal data relating to financial information, racial or ethnic origin, political opinions, trade union membership, religious or philosophical belief, health or sex life of a natural person.

The definition of “disclosure” exempts the data controller from indirect identification, this needs to be revised to include indirect identification.

Data subject has been defined as a person who is the subject of personal data. The definition needs to extend to those that can also be identified indirectly from the data.

The term “Private Body” and “Exempt Information” need to be defined as there is presently no law on Access to Information

The term Informed consent has not been defined; this is crucial in establishing whether the data subject ties the consent to the purpose by clearly understanding purpose of collection of personal information, who it will be shared with, the possible consequences of the consent.

Objectives

The bill should seek to regulate, in harmony with the constitution and international standards the collection, processing and storing of personal information by public and private bodies in a manner that upholds the right to privacy subject to the limitations provided for by article 24 of the Constitution of Kenya that are aimed at protecting other rights and important interests. To achieve this, the objectives of the bill should be:

• To set out the rules and practices which must be followed when collecting, processing and storing personal information;
• To grant rights to persons in respect of their personal information;
• To provide sanctions for non-compliance; and
• To create an independent supervisory body with prosecuting powers to enforce these rights and established rules.

Limitations

Section 3(c) is inconsistent with article 24 of the constitution which provides for the limitations and no statue can impose any other limitations.

Principles of processing data

Section 4 provides for the principles of processing data. These should be simplified as below:

• Personal data may only be processed lawfully
• Processing must be carried out in good faith and must be proportionate
• Personal data can only be processed for the purpose indicated at the time of collection, that is evident from the circumstances or that is provided for by law.
• Consent for collection of personal data must be obtained directly.
• The collection of personal data and in particular the purpose of its processing must be evident to the data subject
• Data subject has right to access the information and correct/delete inaccurate information.
• Personal data shall not be transferred to a country or territory outside Kenya unless the country/territory ensures adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
• In addition, proper processing requires:
• The processed personal data to be accurate and correct.
• The personal data to be protected against unauthorized processing by appropriate organisational and technical means.

Duty to Notify

Section 7 imposes a duty on the agency to notify the data subject of the intended collection but fails to provide for the duty to obtain informed consent from data subject. This is important to place a burden on the agency to make sure the data subject is well aware of what is being consented to and the possible ramifications of the consent especially in relation to sensitive data.

Collection of Personal Data

Section 8(3) provides that the Agency may collect the information “indirectly”; this is a very dangerous provision that can be misused and further negates the principle 4(b) that provides that information shall be collected “directly”.

Exemptions

• Section 9(c) shifts the burden of proof on the data subject which goes against the principles laid out in section 4. The agency should always have the responsibility of proving that the principles laid out on section 4 have been met regardless of the prejudice or lack thereof on the data subject.
• Section 9(d) (iii) provides the exception “for the protection of public revenue and property”; this clause is a loophole subject to misuse by the government agencies to tap into financial information i.e. M-Pesa, in the name of ensuring tax compliance.
• Section 9(e)-“compliance would prejudice purpose of collecting the information” and (f) “compliance is not reasonable practicable” are big loopholes that agencies can easily use to circumvent this whole act and are further contrary to the principles laid out in section 4 of the Act.
• Section 9(g) seeks to exempt the agency when a person can’t be identified directly. This exempts the agency from indirect identification which is against the principles set out in section 4 as all personal data must be obtained with consent regardless of the use and outcome of the use. The consent should not be tied to the purpose as the right to privacy must be upheld regardless. This clause also highlights the need to amend the definition of personal data to include that which can be identified indirectly.
• Clause H “information is collected pursuant to an authority granted under this act or any other written law”; again this clause is subject to misuse as the whole purpose of this act is to govern processing of data and all other laws should be subject to this act to the extent of data protection. The fact that Kenya unfortunately still has draconian laws that give sweeping powers to the government to obtain information without consent of data subject or warrants i.e. the Official Secrets Act Cap 187 and Preservation of Public Security Act goes on to show how this section can be misused.

Collection & Processing

This should be guided by the eight internationally accepted information protection conditions which are key in ensuring that the Act prescribes the minimum requirements for lawful processing of personal information namely; accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation. These have been well laid out in South Africa’s Protection of Personal Information Act  that we can borrow from.

Section 10 provides for access to information by the data subject regarding the nature of the information being collected, the identity of the agency and the purpose of the collection of the information.

Section 11 provides for security safeguards by the agency that only extends to protection against destruction and negligent disclosure by unauthorized persons, this provision (Section 11 (a) (ii)) needs to be amended to include negligent disclosure by both authorized and unauthorized persons as long as the data is collected by the Agency as they are liable in both instances where there are technical or organizational lapse.

Section 12(2) regarding access to data limited to exempt information is against the principles set out in section 4 and specifically the principle of openness and data subject participation. The data subjects’ access to their personal information should not be tied to the purpose of collection. Section 12(3) further quotes a law that is yet to come in place, the act cannot be tied blindly to any law without its enactment and verification. The procedure for obtaining the information should be properly laid out in this act or should be provided for in subsidiary regulations to be enacted in accordance with the act.

Section 13 attempts to provide for the correction and deletion of information by data subject but then waters it down to essentially be a qualified right that is dependent on the agency. A data subject should have the unqualified right to correct or delete personal information that is inaccurate, irrelevant and excessive, or which the agency is no longer authorized to retain. Furthermore, clear timelines for this must be provided and minimum penalties for the Agency should be provided and further tied to the damage caused on the data subject where not complied with.

Section 14 provides for use of information; it should be current, up-to-date and not misleading.

Section 15 ties down the timelines for stored information to purpose for collection.

Section 16 ties down the use of data to the purpose the data subject consented to. This is also highlights the need to have informed consent that is tied to the purpose.

Section 17 (b) waters down the provisions regarding misuse of information in section 16 by allowing use of personal data for commercial purposes without obtaining consent as long as it is allowed by any other law. This clause provides a loophole that can be exploited to evade the principles provided for in section 4. Furthermore, there is no provision prohibiting supply and sale of i.e electoral registers, registration of persons records for political and commercial purposes having regard to the nature of the data contained in the registers, including in particular that it is personal data compulsorily obtained for the specific purpose of enabling  Kenyans transact and qualifying electors to vote.

Transfer

The Act doesn’t provide for provisions regarding transfer of personal information to foreign jurisdictions. This should be allowed only if the recipient is subject to a law which upholds principles of reasonable processing of the information that are substantially similar to the principles contained in the Act, and includes provisions that are substantially similar to those contained in the Act relating to the further transfer of personal information from the recipient to third parties. Furthermore, the data subject needs to consent to the transfer.

Breach Notification

The Act doesn’t provide for situations where there are reasonable grounds to believe that a data subject’s personal information has been assessed or acquired by an unauthorized person. The Agency, or any third-party processing personal information under the authority of the Agency, must notify the data subject as soon as reasonably possible after the discovery of the breach. The notification should include such detail as to allow the data subject to take protective measures. This is especially vital when it is sensitive information that can potentially pose a threat to the data subject.

Electronic Marketing

The Act fails to provide for restriction of unsolicited electronic communications and the processing of the data subject’s personal information for the purposes of direct marketing without the data subject’s consent.

Sanctions

Section 19 creates the offence of interference with personal data and provides for a maximum fine of Kshs. 100, 000 or/ and two years imprisonment. This should be the minimum not the maximum and the sanction should be tied to the extent of damage inflicted on the data subject.

Custodian

The Act bestows custodial powers on the Commission on Administrative Justice established by section 3 of the Commission of Administrative Justice Act 2011. Section 8 Commission of Administrative Justice Act 2011 lays out the functions of the Commission as essentially to investigate conduct and complaints of state organs and public officers therefore limiting the scope of their powers and functions. The Data Protection Act applies to both public entities and private bodies therefore making the commission not suitable for the job as its scope is limited. This essentially makes Parts III, IV and V of the Data Protection Act null.

The above paragraph notwithstanding, the nature of Data Protection such that it requires a specialized regulator established for the purpose of data protection with extensive powers to assist the Cabinet Secretary in-charge come up with regulations to govern the procedural aspect of the act, advise the Parliament on laws and matters touching on data protection, ability to bring criminal proceedings, to conduct audits on agencies and check compliance, to act as mediator where there is a dispute, to receive and investigate complaints relating to alleged violations and enforce sanctions as laid out in the Act for non- compliance and publish periodic reports the same. The regulator should be drawn from experts in ICT, Law, and Civil Society sectors.

Miscellaneous Provisions

Section 28 provides for a immunity for the agency if the information is provided for in good faith. This essentially renders the whole act useless to the extent that the agency can get away with anything as long as the defence of good faith is pleaded. Right to privacy cannot be limited by good faith as provided for in Article 24 of the Constitution, same should apply to this act. Furthermore, this provision is contrary to the principles laid down in section 4 of the act. Section 28 is therefore a null provision.

Jurisdiction; it is important for the act to spell out who the act applies to i.e is it limited to Kenyan residents only or does it extends to any agency handling personal information within Kenya or/and Regarding a Kenyan in any part of the world.

Right to Legal Action

The Act needs to provide for a right of appeal against a decision of the Regulator by an Agency to the court and an unfettered right to institute legal action by the data subject in a court against the agency for breach of any provision of the Act.

Delegated Powers

The Cabinet secretary should make regulations to govern the procedural aspect of the act in consultation with the regulator.

Conclusion

It is clear the current draft Data Protection Bill 2013 offers no solid protection to  the data subject and doesn’t reflect the current best practices globally. With the current Bill, data subjects remain at the mercy of the data processors and controllers (agencies) as the legal burden/responsibility the act imposes on the authorized users is not sufficient and further the rights of the data subjects have not been adequately provided for.

It is therefore vial to revise the Bill extensively so that it can breathe life to Article 31 of the Constitution of Kenya and Article 17 of the 1948 Universal Declaration of Human Rights; which Kenya is among the more than 160 signatories.