Data Protection Act Only Enacted On Paper
In September 2019 Jared Ouma received a text that he describes as ‘abnormal’. The message read
“Hello Jared, naomba kukujulisha nitang’ang’ania kiti cha MP wa Kibra katika uchaguzi mdogo ujao. Naomba kura yako. Nakutakia wikendi njema.”
This loosely translates to “Hello Jared, I would like to inform you that I’ll be vying for the Member of Parliament (MP) for Kibra in the upcoming by-election. I’m requesting for your vote. Have a lovely weekend.”
The text came in as a promotional message with the title ‘MARIGA’ similar to how mobile networks send theirs. Mcdonald Mariga was one of the aspirants during the by-election to replace the late Ken Okoth for the position of Member of Parliament.
Ouma, a resident and a registered voter in Kibera constituency explains that he had not interacted with Mcdonald Mariga and had never shared his phone number with him or anyone close to him. He therefore believes that someone or an institution must have shared the data with the politician.
On February 24th 2020, Willy Mutunga, former Chief Justice of Kenya also expressed his displeasure with how his data was used. Mutunga posted on his twitter account that he had received a text message from some company asking his to ask someone to pay his debt.
The text read ” Hello, kindly ask — Mutunga to pay his Pesaflash loan of Kshs- which is 2 days overdue, to avoid affecting his credit limit, denial of future loan plus the daily 2% penalty. If you don’t know- -Mutunga please ignore this message“
He went ahead to ask who knows the company and said that it seems to him that Safaricom is involved in sharing his cellphone number to the company that wants to use him as its debt collector for free. He also asked if there is another Mutunga who has received a similar message.
The former CJ also tweeted that his lawyer would follow up the issue because he feels that his right to privacy has been infringed.
Mutunga and Ouma’s cases are just some of the countless incidences where personal data has been used for the unintended purposes. It is for such reasons that the Kenyan government, enacted The Data Protection Act, 2019 on 25th November, 2019.
Unfortunately, several months later Kenyans cannot enjoy the benefits of the law because there is no Data Protection Commissioner to make it operational.
Section 5(2) of the Data Protection Act states that the Office is designated as a State Office in accordance with Article 260 (q) of the Constitution. Section 6 provides that the Public Service Commission shall, whenever a vacancy arises in the position of the Data Commissioner, initiate the recruitment process and that the Public Service Commission shall, within seven days of being notified of a vacancy invite applications from persons who qualify for nomination and appointment for the position of the Data Commissioner.
Good legislation, bad implementation
The Data Protection Commissioner is employed by the Public Service Commission upon appointment by the president and approval by the National Assembly.
The office of the Data Protection Commissioner is very important because among other things it oversee the implementation of and is responsible for the enforcement of the Act. This office is also responsible for establishing and maintain a register of data controllers and data processors.
Most importantly, they receive and investigate any complaint by any person on infringements of the rights under the Act.
Click on the link for the full list http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/2019/TheDataProtectionAct__No24of2019.pdf
Kenyans will have to be more patient before they can enjoy the benefits that are expected to come with this new law. As it is now, there is no statutory institution to address their data related issues and complains.
But the absence of the Data Protection Commissioner is not the only issue with this law. John Mboya, an advocate of the High Court believes that it will be very difficult to implement it fully unless some parts are changed.
For example, the act provides that personal data may only be collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes. This, he says will take a long time to be achieved.
“There is no proper civic education on how Kenyans can protect their personal data. Currently we cannot enter most public buildings without sharing our personal data with the security agents. The sad part is, most people don’t bother to ask why they have to share that information. How do you prove in a court of law that your data was used for other purposes if it was not declared from the beginning? How do you identify the specific person or institution that misused your information while you have shared it countless times?” put part in indirect speech.
Speaking to RoGGKenya, Mboya also explains that it will take a long time for the Commission to deal with all the cases if Kenyans are to report every time their personal data is used for the wrong purpose.
For this to happen, he says the Commission must have a large secretariat which comes with a big budget. “It will be interesting to see how this commission will operate because the Act was enacted after 2019/2020 budget had already been passed and no money was allocated to implement it.” Mboya further explains that Kenyans might have to wait until the 2020/2021 budget is passed for the commission to have money.
The Act provides for the right of appeal against decisions and actions of the Data Commissioner.
Section 64 states that ‘A person against whom any administrative action is taken by the Data Commissioner, including enforcement and penalty notices, may appeal to the High Court.’
The Data Protection Act comes with many benefits if fully implemented. However, if the challenges are not solved and gaps filled then it will be one of the many Kenyan laws that look good on paper bet difficult to implement.
On 16 November 2020, Ms Immaculate Kassait took her oath of office as Kenya’s first Data Protection Commissioner as appointed by the Chief Registrar of the Judiciary.