Internet users in Kenya or persons who, because of the nature of their occupation, expose much of their information for use by other persons now wield some wand of power. Simply sharing their information to third parties without their consent will now attract a fine of ksh500,000 ($5000) in Kenya. This is after President Uhuru Kenyatta signed into law the Data Protection Bill of 2019. The new law provides for the legal framework for the protection of a person’s privacy in instances where personal data is collected, stored, used or processed by another person.
Here Is All You Need To Know
- Under the new law, every person has the right to privacy with respect to their personal data.
- Consequently, any person who collects or processes personal data in any manner contrary to the provisions of the law commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand shillings(ksh 500,000) or to a term of imprisonment not exceeding five years, or to both.
- However, the right to privacy under Article 31 of the Kenyan Constitution, with respect to personal data, may be limited for the purpose of safeguarding overriding legitimate interests. (2) The right to privacy may be limited for purposes of — (a) national security; (b) prevention, detection, investigation, prosecution or punishment of a crime; © safeguarding rights of the data subject or another person; (d) public interest; and (e) compliance with an obligation imposed by law.
- The controversial law also states that government agencies should not collect data on a person’s race and ethnic origin, religious beliefs, political persuasions or health status.
Rights Of Each Data Subject In Kenya Under The New Law
- Under the new law, a data subject has a right to — (a) be informed by the agency of the use to which the data is to be put; (b) access the data with respect to the data subject which is in possession of an agency; © object to the collection or processing of all or part of data by an agency; (d) correction of false or misleading data; (e) deletion of misleading, false or data which has been objected to; and (f) an explanation in respect of the processing of data and the outcome of such processing.
- In the light of the above, (1) Before an agency collects personal data directly from a data subject, the agency shall in so far as is reasonably practicable, inform the data subject — (a) the fact that the information is being collected; (b) the purpose for which the information is being collected and specify the use to which such information shall be put; Duty to notify. © the intended recipient of the information; (d) the name and address of the agency that is collecting the information, the agency that will hold the information and whether or not any other agency will receive the information; (e) where the information is collected pursuant to any law — (i) the law requiring or authorising the collection of the information; (ii) the procedure required to be undertaken in order to comply with the law; and (iii)whether the supply of the information by that data subject is voluntary or mandatory; (f) the consequences if any, where the data subject fails to provide all or any part of the requested information; and (g) the right of access to, and correction of, personal data provided under section 13 and 15 of the Act.
Use Of Personal Data Outside of Kenya
The new law provides that a data agency shall not transfer personal data of a data subject outside the territory of the Republic of Kenya unless- (a) the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data; (b) the data subject consents to the transfer; © the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and (d) the transfer is for the benefit of the data subject.
Read also: Kenyan Logistics Startup Lori Systems Raises $30 Million Series A Funding Led By Chinese Investors
Commercial Use of Personal Data Or Misuse of Data
Kenya ‘s new law also provides that person shall not use, for commercial purposes, personal data obtained pursuant to the provisions of this Act unless — (a) it has sought and obtained express consent from data subject; or (b) it is authorised to do so under any other written law and the data subject has been informed of such use when collecting the data from the data subject.
In the light of the above, the law provides that subject to the Act or any other written law, an agency that holds personal data that was obtained in connection with one purpose shall not use the data for any other purpose.
According to the law, ‘‘agency” means a person who collects or processes personal data.
Comments
This new piece of legislation would obviously be a thorn in the flesh of most tech startups and companies in Kenya, such as M-Pesa, Facebook, Google and hundreds of other startups engaged in data mining to survive. For one thing, once Kenyans become more aware of the new law and how to use its instruments to attack data compromise, these companies would be up for a tough time, especially in the wake of the famous Cambridge Analytica scandal, and strings of data mining war going on unnoticed.
In simple terms, expect more claims on data privacy breach piled up in Kenyan courts a year from now.
Charles Rapulu Udoh
Charles Rapulu Udoh is a Lagos-based Lawyer with special focus on Business Law, Intellectual Property Rights, Entertainment and Technology Law. He is also an award-winning writer. Working for notable organizations so far has exposed him to some of industry best practices in business, finance strategies, law, dispute resolution, and data analytics both in Nigeria and across the world