Facebook, Twitter put on notice for Kenyans’ personal data breach



Technology giants like Twitter, Facebook and Google will soon come under government scrutiny for their handling of personal information belonging to Kenyans, the nominee for the position of Data Protection Commissioner told Parliament Wednesday.

Appearing before the National Assembly’s ICT committee for vetting, Immaculate Kassait said the multinational technology companies will be held liable for the use of data belonging to Kenya or Kenyans whether they operate locally or outside the country.

The data protection law, approved in November last year, sets out restrictions on how personally identifiable data obtained by firms and government entities can be handled, stored and shared.

The Data Protection Act 2019 gives the commissioner sweeping powers on the investigation of data breaches. These include powers of entry and search and issuing administrative fines.

“Even if they are internationally based companies and as long as they have data about Kenya, they have responsibility to adhere to laws of Kenya,” Ms Kassait, the current director of voter education at the Independent Electoral and Boundaries Commission (IEBC), said.

Facebook said in 2018 the personal information of up to 87 million users may have been improperly shared with political consultancy Cambridge Analytica.

Best known for helping Donald Trump’s presidential bid in the 2016 US elections, the London-based Cambridge Analytica was also involved in the campaigns for Kenyan President Uhuru Kenyatta in the 2013 and 2017 elections.

The Kenyan data protection law demands that a data controller or a technology firm notify the commissioner where personal records have been accessed or acquired by an unauthorised person.

Offences under the Act attract a fine of up to Sh5 million or imprisonment for a term not exceeding 10 years, or both.

The commissioner establishes and maintains a register of data controllers for oversight.

Ms Kassait told MPs that multinational tech companies such as Twitter and Facebook would have to adhere to the law.

“We will investigate and give penalties where necessary. The Data Commissioner is supposed to enforce the law and it will be my role to do that,” she told the vetting panel.

Ms Kassait said Kenyans have rights to portability where they can move, copy or transfer personal data easily from one IT environment to another, adding that they can ask firms like mobile phone-based lenders and others how their data is stored or used.

“You can ask Google how much information they hold about you, where they store it and whether it is accurate,” she said.


“If convicted of an offence and you are cleared, you have a right to ask Google to correct that information, that the information be forgotten, erased or updated. The multinational technology firms must give you data in a manner that is readable. This is what the new law says.”

Ms Kassait said if appointed the first Data Commissioner, she will put a regulatory framework in place to ensure that all data, including Huduma Namba data, is secured.

A lack of data protection legislation derailed the government’s efforts to digitise identity records for citizens.

The registration, which the government said would boost its provision of services, suffered a setback last year when the exercise was challenged in court.

“The government and the private sector will have to adopt a risk analysis approach. They must know the process of data collection, retrieval and destruction. Under the new law, a Kenyan can request that their data be updated, object to its use or be deleted,” Ms Kassait told the committee.