Kenyans bank on new law to boost data privacy


If you really want your data to stay private in this digital age, have no phone or access to the internet. FILE PHOTO | NMG

The Data Protection Act, which came into effect last month, is expected to provide a framework for data protection in the country and help boost the privacy of citizens.

Before the Act was passed, Kenya did not have a specific data protection law that regulated the sector, exposing private data of citizens to misuse.

The law, conceived in 2015, is meant to provide a regulatory provision for the collection, retrieval, processing, storing, use and disclosure of personal data.

Under Article 31(c), the Act outlines the right of every person not to have “information relating to their family or private affairs unnecessarily acquired or revealed”, and Article 31(d) confers on individuals the right not to have “the privacy of their communications infringed”.

Robert Nyamu, a Financial Services and Risk Advisory Leader at East Africa Ernst and Young LLP, says the legislation is timely as it will address infringements of customers’ data among telcos, the hospitality industry, various companies and financial institutions.

“Of great importance is the customer’s personal data that is comprehensively discussed in the new Act,” Mr Nyamu says.

He adds that anyone handling customer data in whatever form needs to fully understand the customer’s rights under data protection law.

“It (new law) gives a right to customers in terms of their own data, and as an organisation, if you are handling data in whichever format, you need to be aware of it,” he adds.

The financial sector, he notes, ought to understand the implications of a data breach, as any compliance failure will result in significant penalties.

The new law, he added, will cause disruption to some players, particularly in the financial sector.

“It is going to cause disruptions in their operating model, and data governance as they have to put in place mechanisms to ensure that they comply with the Act,” he adds.

The law is expected to bring clarity on what data should be classified as well as on the rights and responsibilities of organisations that handle customer data, and more fundamentally on the right of customers in terms of that data.

“Organisations might see it as a burden but actually it is a good thing as there have been abuses,” Mr Nyamu says.

The vulnerability of private data held by various agencies, companies, tech giants and organisations has pushed States to enact strict laws to protect the privacy of citizens.

Early this June, several Kenyan government websites running on the Unix-based FreeBSD operating system were hacked. This exposed crucial data to abuse.

In 2018, President Uhuru Kenyatta assented to the Computer and Cybercrimes Bill, 2017. The legislation allows authorities to search and seize stored computer data and to collect and intercept data in real-time.

Under the law, hackers face a fine of Sh5 million ($50,000) or a three-year jail term or both for unauthorised access, interference, interception and disclosure of passwords and cyber espionage.

The new law also covers computer forgery, fraud, cyber harassment, cybersquatting, identity theft and impersonation, phishing, and interception of electronic messages or money transfers. Other areas covered are willful misdirection of electronic messages and fraudulent use of electronic data.

The new set of laws is in line with the European Union’s General Data Protection Regulation, which was passed in 2018 for the data protection and privacy of all individuals in the EU and the European Economic Area.

Breach of data privacy is a global spectre. Early this month, Facebook introduced the Twitter Privacy Centre following a series of data infringements on its platform. The centre will host information about Twitter’s initiatives, announcements and new privacy products, as well as other communication about security incidents.

Last year, the social media giant was fined Sh56.4 million by the UK’s Information Commissioner’s Office after allowing third-party developers to access user information without consent in the Cambridge Analytica scandal.

It was found that the information of about one million UK users was infringed, consequently exposing it to misuse.

Also last year, the company faced a Sh180.9 billion fine from the Irish Data Protection Commission over a massive data breach.

The breach was detected in September last year and gave hackers the opportunity to take over user accounts.

Meanwhile, last month, the US District Court in San Francisco accused Saudi Arabian government officials of hiring two Twitter employees to intercept confidential information on influential individuals and dissidents.

It said the accounts were those of the government’s sternest critics, with more than 1 million followers, and a news personality. However, it did not name the individuals.