Ideas & Debate

What Kenya needs to ensure new data protection laws work for everyone

Personal information could potentially be used to steal, blackmail or frame individuals. FILE PHOTO | NMG 

Data is the new oil”, Clive Humby, chief data scientist at Starcount, a UK data science company, stated this back in 2006. This metaphoric likening of data to ‘black gold’ was meant to animate the minds of those who were keen, as to the opportunities that lay ahead, and that were ripe for reaping, at a time when the value of data was yet to be as apparent as it is becoming.

At the time, Carlos Slim Helu, a Mexican tycoon with huge interests in oil and gas, was one of the top three richest men in the world, according to Forbes.

Fast-forward to 2019; the richest man in the world is Jeff Bezos, an American technology entrepreneur and CEO of Amazon. Carlos Slim Helu is now ranked fifth.

If oil propelled the engines of the industrial age, data is the lifeblood of the information age. From consumerism, to voting demographics, to agriculture, to urban planning, to financial forecasting, banking, and even healthcare. The dynamic use and emerging reliance on data permeates several facets of modern civilisation, and it is as dynamic as it is pervasive.

As such, students of history and philosophers of the human condition, would easily opine that such a gold mine would be the perfect candidate, ripe for abuse and exploitation. It is introducing new forms of neo-imperialism through the infringement of private rights, and on global-scale, even re-igniting wars between the superpowers; from the new Sino-American trade war, to a new Russo-American cold war.


Supervisory authorities in various EU member states received numerous complaints of data breaches. In Ireland, for example, the Data Protection Commission (DPC) received 6,624 complaints arising from various data breaches; Netherlands received 15,400 complaints; Germany received 12,600. These were only the reported cases of the privacy breaches. And the complaints are increasing exponentially; in 2018, the Dutch Data Protection Agency received 20,881 breach notifications, double of what they received in 2017.

Personal data

Inevitably, a myriad of questions arise as debate rages on the mode of collection and processing of personal data collected from data subjects.

As is usually the case, public law and policy is late to this party. Legislators and policy makers in various countries, and especially in EU member states, have been making deliberate efforts to cure and prevent the breach of private rights occasioned by the new ventures and frontiers that data has opened up. In fact, the EU, through its established organs has collectively activated mechanisms to progressively review and implement laws and regulations to prevent invasions of privacy, and subsequent exploitation of improperly or illegally obtained data.

On April 14, 2016, the EU approved the General Data Protection Regulation (GDPR), which had been four years in the making through preparation and debate in various fora. It replaced a more rudimentary regime – the Data Protection Directive, which was a creature of the 1990s, when the Internet was effectively in embryo. After approval, GDPR commenced two years later on May 15, 2018, giving stakeholders and member states reasonably sufficient time to get their houses in order.

The enforcement regime under GDPR heavily relies on fines for data breaches. This is arguably a fitting remedy for capitalism’s audacity, but the jury may still be out on whether it is the most sufficient deterrent when data breaches are enabling the kind of espionage that is igniting trade wars and cold wars.

So far, a number of companies have been fined heavily for offences under the GDPR. In January 2019, Google was hit with a 50 million euro fine by the French data regulator CNIL for among other reasons, “lack of valid consent regarding ads personalisation”.

Civil society is also awakening to this brave new world, and advancing how we think about data; it is not enough to avoid breaches, we also need to know the nature and extent of the data already in the custody of tech corporations, that we may have knowingly or unknowingly granted access to.

Digital Rights activists, NOYB (None of Your Business), have filed complaints against streaming sites Amazon, Spotify, Google and Netflix for violations of Article 15 of the GDPR that guarantees data subjects the right to access their information held by a processor or controller.

Kenya, an information technology hub, home to the Silicon Savannah, and the geo-strategic gateway into the region, is on the verge of having laws and policies in place to protect personal data in accordance with Article 31 of the Constitution. The National Assembly is presently seized of the Data Protection Bill. The principles and policies that inform the Bill mirror the EU GDPR.

The Bill is, however, broader and more detailed in its definition of personal data, which is a good thing in the sense that a law needs to be anticipatory in its construct, that is, pre-empting future developments. As has already been demonstrated, our understanding of personal data will be anything but stagnant.

Beyond the Data Protection Bill, there needs to be a broader appreciation across the board of what proper compliance will entail, as well as how various stakeholders will need to be involved in order to maintain civility and avoid anarchy as the information age evolves.

As such, there needs to be in place a complimentary infrastructure to support both the new data laws, as well as the existing ones, so that proper synergies result in more meaningful outcomes, both for private rights, as well as the business environment. There are already in place, a host of laws, and agencies that will overlap in the roles as regards data protection, and it will be important that these, even in their independence develop co-dependence, and work in harmony for the benefit of all.


Effectively, we need an entire ecosystem that will factor in: a means and agency of enforcement; a system for complaints and follow-ups; clarity on which body will receive the fines and how these will be used; a means to address cross-broader violations; and a means to address violations that touch on national security issues. These considerations needn’t only be at a governmental or regulatory level; private sector and civil society also have a key role to play in helping foster a positive culture, beyond law and policy.

We also need to recognise that, though we may draft laws that are aimed at addressing issues within our jurisdiction, the Internet is less fussy about immigration, and thus without a passport, someone in one part of the world can engage rights and obligations elsewhere without the appropriate means of seeking redress or enforcement. For example, a data processor or controller in Kenya who processes data for anyone in the EU, can be bound by GDPR.

Increasingly, consumer education will be indispensable, as a well informed and aware citizenry will be a key ally in ensuring compliance as ultimately, it will be in their interest to safeguard their private rights, and to ensure that their personal data is not being used to generate illicit profits gained from the violation of laws.

Big data companies like telecoms operators, banks, and insurance firms should employ or retain the the services of relevant professionals, to guide them on matters compliance and setting up seamless processes that will ensure that personal data of data subjects are safely handled, and where there are violations, clear processes of reporting, remedying, or mitigating are in place.

Ultimately, it will be interesting to engage in the conversations and debates that will be sure to ensue once the Bill is assented to.

Karanja is a data protection compliance & commercial law practitioner. Email: [email protected]