Mandatory Registration of all Data Processors Tantamount to an Additional Tax on Kenyans

published on october 12, 2018 / reading time approx. 5 minutes

The right to privacy became a constitutional right in Kenya in 2010 with the passing of the Constitution. Article 31 of the Constitution grants this right in the following terms: right not to have information relating to their family or private affairs unnecessarily required or revealed. As such, the Constitution recognizes that there are certain matters (family or private affairs) whose privacy the state commits to upholding and protecting.

Eight years after this Constitutional right was granted to each Kenyan, we have two separate draft data protection Bills, one a draft Senate Bill and the other a draft Parliamentary Bill- It appears the drafting of the Senate Bill awoke the ICT ministry, causing the Cabinet Secretary to constitute a task force to develop a privacy policy and regulatory framework for privacy and data protection in Kenya.

Notwithstanding the sloth speed from passing the Constitution to its implementing framework, it is laudable that we are finally taking both personal data and privacy seriously. In the era of the '4^th Industrial Revolution,' data and personal data is increasingly going to be front and center of economic activities of peoples and nations. The fact that in Kenya today, one of the telcos provides a 'service' where one person's full names are revealed to another person as soon as the latter sends the former ten shillings (without an opportunity by the former to object and with the result that the latter person then knows the full names and mobile number of the former) easily demonstrates the enterprise that is already built around unprotected personal data in Kenya.

In principle, both a policy and legislation governing processing personal data ought to be examined with the narrow lens of an individual's privacy as enshrined in the Constitution; protecting the individual from instances where personal information would be unnecessarily required (such as when information collected is used for a different or even an additional purpose) and unnecessarily revealed (such as when personal data collected is disclosed without permission, or where the collectors do not take certain minimum steps to prevent the information being disclosed). Consequently, all provisions of the data protection policy and law should speak to this.

A new tax on all Kenyans

The taskforce set up by the ICT CS held a public consultation and participation forum on 3^rd October 2018, and the public now awaits a version of the Bill to be tabled in Parliament. The draft parliamentary Bill, as at 3^rd October seeks to regulate, among others, the processing of personal data.

Processing is defined, as it is for example under the EU's General Data Protection Regulation, to include collecting, recording, storing, disclosing and erasing personal data. Personal data is data about a person that makes that person identifiable, whether directly or indirectly. Such data includes a person's name, ID number, biometrics (finger print etc), residential address, IP address, photo or image.

By definition, the processing of personal data invariably makes potentially everybody a data processor- one only need ask a person for his name to become a processor! From an enterprise perspective, personal data is processed left, right and center: by a security guard who asks for your ID and telephone number in order to grant a person access to a building or neighborhood; by the telcos who require a subscribers ID or passport to register them; by employers who require personal information, including identification details about an employee and sometimes even about an employee's family; by a medical institution which requires personal information, some particularly sensitive about a patient

The draft Bill's extensive provisions on registration of all data processors (registration lasting only 3 years, after which it is subject to renewal) is consequently ill-advised, unworkable, and speaks to a revenue generating and taxation motive in a law that ought to be focused on ensuring personal data is not unnecessarily required or revealed.

Though there are some attempts in the draft Bill that appear to provide some de-minimis thresholds, these are similarly ill-advised as follows: section 4 introduces categories of processing that are not to be subject to the law:

• the exchange of information between government departments and public sector agencies where such exchange is required on a need-to-know basis;
• the processing of personal data by an individual in the course of a purely personal or household activity; or
• Processing of personal data exempted under section Part VII.

We believe that there ought not to be blanket exemptions from application of the data privacy law because primarily all data processors (potentially all persons and institutions) ought to comply with it. This is consistent with the intention of the law. Secondly, an exemption of processing data in a 'purely personal or household activity' is not only vague (and no attempt has been made to define what contexts or situations would be covered) but is also unjustified; a person's private matters ought to be protected by law even where this information is collected from his bedroom!

Effective monitoring without Taxation

We are therefore of the view that if it is perceived that the regulator would be unable to effectively monitor compliance on its own (compliance that personal data is being processed in accordance with the laid principles for example), then the law may provide for:

1. mandatory registration of certain categories of personal data processors with the regulator; or
2. mandatory designation of 'compliance officers' in certain categories of personal data processors, which officers are then tasked with notifying the regulator of compliance by the organizations, and these officers may be required to be registered.

In either case, the regulator would then be in a position to effectively monitor compliance with the law by entities or organizations that meet certain de minimis thresholds: those that either process large amounts of personal information or who process particularly sensitive personal information.

Such categories may include:

1. 'big data' companies- the likes of Google, Facebook, Uber, Microsoft
2. telecommunication companies and financial institutions-the likes of Airtel and Safaricom, banks, microfinance and insurance companies, who by virtue of their customer base, process large amounts of personal data and whose failure to comply with the law would affect a large number of Kenyans;
3. medical institutions and security firms, by virtue of the nature and amounts of personal data they require and collect, and which is susceptible to misuse (use beyond the purposes for which it was revealed to the person)
4. all entities or persons who make commercial use of personal data itself-however collected- which would cover, in addition to the above, retail stores and eateries who often use data collected as part of the check-out process for purposes of selling, advertising and marketing.  This would reduce instances of unauthorized exploitation of personal data where a person (data subject) has not consented.

We surmise that such a registration or licensing mechanism would be consistent with the focus of the law being the privacy of the individual and would also make compliance monitoring effective.