- Kenya is yet to pass data protection laws to safeguard and protect the use of personal information.
It has become commonplace that governments are finding themselves in a national security bubble that bears striking similarities to the “dot com bubble.”
In the late 1990s to 2000 when the internet bubble swept over, it enabled hucksters of every stripe to throw a dubious business plan and they would score an infusion of venture capital.
One of the most profound stories is the company Fortress America which actually didn’t have any asset, product, revenue, nor concrete business plan apart from the vague promise that it would acquire companies in the “homeland security industry” and when the company held its IPO just seven months after being founded it managed to raise $46.8 million.
The national security bubble is also scoring a similar invest-first, ask-questions later approach. New technologies are being employed by government saying it’s for the benefit of its citizens but many have failed to live up to the salespeople’s patter.
In Kenya, the government is set to roll out a mass registration exercise aimed at collecting massive citizen data also known as ‘Huduma Namba’, a unique identifier linking one’s ID, passport, driving licence, birth certificate, National Social Security Fund, National Hospital Insurance Fund and Kenya Revenue Authority PIN under it. Since technology sales are big business, the exercise is slated to cost Sh6 billion and been awarded to a consortium of technology companies.
The calamitous problem about this “Huduma Namba” exercise is that it’s being done when Kenya is yet to pass data protection laws to safeguard and protect the use of personal information. But the government has already entered into a commercial deal with Mastercard to link the Huduma number to a prepaid card with a chip that will be used by citizens to pay for access of government services.
There has been an undertaking to try and pass data protection laws, but it’s a proverbial case of belling the cat.
First, the proposed bill from the ICT ministry was at the public participation stage but the final draft clearly embossed “Final Draft Bill” is already out but not released to the public. That it was sent to a handful of private sectors players for review some months ago defeats the purpose of public participation.
Second, that final draft bill has one problematic provision, section 38, which entails the right to data portability, subsection (6) states that “a data controller or data processor shall comply with data portability requests, at reasonable cost and within a period of 30 days.”
The previous draft bill had it that no cost would be instituted to anyone who would want to port but this has now been changed.
Now, the canonical understanding of protection of personal data is that, persons (data subject) should be the ones in charge of their private information and so when it comes to data portability, the framework is that one should be able to port freely without any inhibitors like cost charges
For example, if I am in Bank A and wish to move to Bank C, ideally I should just instruct Bank A about my intended move and ask them to forward my personal details to Bank C because I am in charge of the use of my data. But what the proposed law suggests is that Bank A should charge me for porting, undermining the cardinal principle of private data protection.
And this has been one market failure in our telecommunication industry, a few years back, Safaricom was accused by its competitors of making it expensive for its customers to port leading to interoperability failure in the sector. It doesn’t come as a no surprise that when you read through the public submission during the public participation, Safaricom is one of the entities that requested for introduction of charging owners for their own data.
So, the ball is in Parliament’s court, a lot is at stake with this provision and the implications are huge. May they rise to the occasion.