The Ministry of Information, Communications and Technology (‘the ICT Ministry’) released, on 16 August 2018, the draft Privacy and Data Protection Policy 2018 (‘the Draft Policy’), and, on 17 August 2018, the Data Protection Bill, 2018 (‘the Bill’). The Bill seeks to establish the Office of the Data Protection Commissioner, regulate the processing of personal data, establish data subject rights and create data-related offences. Moreover, the Draft Policy outlines that its purpose is to lay the foundation to enforce the right to privacy, pursuant to Article 31 of the Constitution of Kenya.
Fiona Makaka, Associate at TripleOKLAW Advocates LLP, told DataGuidance, “The Bill, in its current form, does not sufficiently protect citizens’ right to privacy and personal data. It is a step in the right direction, but it needs substantial review. [In particular,] while the Bill may have comprehensive provisions, blanket exemptions are accorded throughout the legislation, this almost makes the whole document counter-intuitive. The previous Data Protection Bill 2013 remained a bill for over three years.”
The aim [of the Bill] is to empower the data subject and enable them to manage their personal data
In particular, the Draft Policy sets out the objectives of informing the development of privacy and data protection laws, facilitating statutory and regulatory compliance, enhancing effective application of the proposed laws, adherence to international good practices, and protecting children and vulnerable groups.
Makaka commented, “The Bill borrows heavily from the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). The six principles of data protection as envisioned in the GDPR are reflected in the Bill. The aim is to empower the data subject and enable them to manage their personal data. There are however some key provisions that are provided for in the GDPR that are conspicuously missing in the Bill, one such provision is the data subjects’ right to be forgotten […] A close look at the Bill and you will discover the issue of consent has also not been properly emphasised and addressed [either]. It is provided for as a tick box issue as opposed to [serving as] a data subject’s empowerment tool. There is, equally, no requirement to keep a record of consent that should be traceable in case of dispute.”
The ICT Ministry is currently seeking comments on both the Bill and the Draft Policy until 12 September 2018. In addition, the Cabinet Secretary of the ICT Ministry has set up a task force to develop the Policy and Regulatory Framework for Privacy and Data Protection in Kenya by defining the requirements for the protection of personal data. Relevant industry stakeholders have expressed some concerns with the Bill and presented them for consideration before the second reading.
Makaka concluded, “Most African countries find themselves on the same footing as Kenya as they now take steps to commence data protection policies. Less than ten countries have legislation in place that protects their citizens’ rights to safeguard personal information […] We anticipate seeing more companies review and amend their terms and conditions, privacy policies, conditions of carriages and contractual agreements in an attempt to comply.”
ADETOKUNBO HUSSAIN Junior Privacy Analyst