Kenya Considers Protection of Privacy and Personal Data

Mozilla applauds the government of Kenya for publishing the Data Protection Bill, 2018. This highly anticipated bill gives effect to Article 31 of the Constitution of Kenya, which protects the right to privacy, and, if passed, will be Kenya’s first data protection law.

Most notably, the bill includes:

  • An empowered and well resourced data protection commission with a high degree of independence from the government.
  • Strong obligations placed on data controllers and processors requiring them to abide by principles of meaningful user consent, collection limitation, purpose limitation, data minimization, and data security.
  • Robust protections for data subjects with the rights to rectification, erasure of inaccurate data, objection to processing of their data, as well as the right to access and to be informed of the use of their data, providing users with control over their personal data and online experiences.

This bill comes at a pivotal time. Kenya is a rapidly digitizing nation with  46.6 million mobile subscribers with a penetration rate of 97.8%. Over 99% of Kenya’s internet subscribers access the internet via mobile phones. Several government services are now available only online, compelling citizens to provide personal data to access services like registration of births. Furthermore, the Registration of Persons Act requires demographic and biometric data to be contained in an electronic national identity card, which is crucial for every-day life. All these services have accelerated the collection and analysis of personal data but the lack of a comprehensive data protection law exposes Kenyan citizens to risks of misuse of their data.

This proposed law is therefore a welcome opportunity for the government to develop a model data protection framework that upholds individual privacy and safeguards the data of generations of Kenyans including those who are yet to come online. Kenya’s draft data protection legislation is clearly inspired by the EU’s General Data Protection Regulation, and Kenya is striving to be the first country to receive an “adequacy” determination from the European Commission — a certification that a country has strong privacy laws, and which allows Europeans’ data to be processed in that country and for companies in that jurisdiction to more easily enter European markets. This bill is also an important step toward fulfilling the African Union Convention on Cyber Security and Personal Data Protection, which calls for member states to adopt legal frameworks for data privacy and cybersecurity.

Mozilla’s comments on the Kenyan data protection bill can be found here. Our work on Kenya’s data protection bill builds on our strong commitment to user privacy and security as can be seen both in the open source code of our products as well as in our policies. We believe that strong data protection laws are critical to ensuring that user rights and the private user data that  companies and governments are entrusted with are protected. We have been actively engaged in advocating for strong data protection laws in India, Brazil, the EU, and the US, and are enthusiastic to engage in this timely and historic debate in Kenya.

We believe that a strong data protection law must protect the rights of individuals with meaningful consent at its core. It must have strong obligations placed on data controllers and processors reflecting the significant responsibilities associated with collecting, storing, using, analyzing, and processing user data; and provide for effective enforcement by an empowered, independent, and well-resourced Data Protection Authority. We’re pleased to see all of these values included in the Kenyan data protection bill.

The bill was developed in open public consultations, another crucial pillar of the Kenyan constitution, which provides the public with the opportunity to take part in government and parliamentary decision making processes. The consultations received wide ranging comments from governments, private sector, academia, civil society, and individuals. The result is a bill that Kenya should be proud of.

We commend the government for the thoughtful and thorough framework  and urge Kenyan members of parliament to pass this critical data protection legislation and reconcile it with other statues, which contain provisions that threaten the good intentions of this bill. Without a data protection law, Kenyans private data is currently at risk.

With this legislation, Kenya is emerging as a leader in the digital economy and we hope this will serve as a positive example to the many other African governments that are currently considering data protection frameworks.