by Alice Munyua
Kenya has joined the list of fewer than 30 African countries that have enacted data protection legislation. This is the first data protection law in Kenyan history, and marks a significant step forward in the protection of its citizens’ privacy. Mozilla was involved from the outset, when the Kenya Privacy and Data Protection Bill 2018 was gazetted for public comments in 2018.
We shared a comprehensive memorandum focussing on the areas where we felt protections were missing, and where the proposals and recommendations made could strengthen the bill based on our experience and expertise advocating for individual security and privacy all over the world.
We also expressed deep concerns when an amendment to the national identification (ID) law was passed establishing the National Integrated Identity Management System (NIIMS), which made Kenya home to the most privacy-invasive national ID system in the world, without a data protection framework in place.
We did all this because we believe that a strong data protection law requires: a robust framework of rights of individuals with meaningful user consent at its core; strong obligations placed on data controllers and processors reflecting the significant responsibilities associated with collecting, storing, using, analysing, and processing user data; and effective enforcement mechanisms including an empowered, independent, and well-resourced Data Protection Authority.
We’re pleased to note that the newly enacted law outlines these fundamental principles. Modelled after the European Union’s General Data Protection Regulation (GDPR), Kenya’s Data Protection Act (2019) gives effect to Article 31(c) and (d) of the Kenyan 2010 Constitution: Article 31(c), which protects the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed”, and Article 31(d), the right not to have “the privacy of their communications infringed”. This sets a very high standard for the continent.
The law establishes the Data Protection Commission (DPC), which is expected to implement and enforce this new legislation. However, this new law must now be accompanied by timely and effective implementation to ensure the success of all these positive aspects. A key to this is the appointment of an independent, empowered and well-resourced Data Protection Commission (DPC) to guarantee effective implementation.
The DPC will have an invaluable role in interpreting this new law, providing guidelines, monitoring the activities of data controllers and processors to ensure compliance with their obligations, investigating violations of rights, and ensuring there is a venue for redress for data subjects.
If the process of appointing a data protection commission is not started within fourteen (14) days as stipulated by the law, it will severely undermine the impact of this robust data protection framework, making it difficult to meet international and regional standards, such as the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) and the European Union General Data Protection Regulation, as well as various digital transformation initiatives, including the African Continental Free Trade Area (AfCFTA).
AfCFTA, which was launched in June 2019, aims to create a single continental market for goods and services and unite 1.3 billion people, creating a $6.7 trillion economic bloc by 2030. Implementation of AfCFTA will involve cross-border personal data transfer, but the continent has still not ratified the Malabo Convention, which, if harmonized, sets a strong baseline intention for the region to protect privacy and personal data, while boosting intra-regional trade.
The recently concluded 3rd Specialised Technical Committee on Communication and Information Technologies (STC-CICT-3) declaration noted that the “harmonisation of ICT policy, legal and regulatory frameworks is a prerequisite for the creation of a common Digital Single Market”, called for “acceleration of the ratification of the AU convention on cybersecurity and Personal Data Protection”, and directed the African Union Commission (AUC) to develop guidelines on privacy as well as a continental framework on data policy by 2021.
For a country that is a leading hub for the most advanced technological innovations in the region, and views data protection legislation as crucial for encouraging more investment in the tech sector, we hope Kenya will lead the way in implementing this robust data protection framework and ratifying the Malabo convention.
As a global community of technologists, thinkers, and builders working together to keep the internet open, accessible, and secure, Mozilla is continually investing in the security of its products and the privacy of online users. Our commitment to user security and privacy can be seen both in the open-source code of our products and in our policies and data privacy principles. We are enthusiastic about engaging with the African Union Commission (AUC), Kenya and other countries in critical work on privacy and data protection, which is in line with our five policy hotspots that are key to Africa’s digital transformation.
Mozilla is a global community of technologists, thinkers, and builders that began in 1998 as an open-source project with an aim to keep the Internet open and accessible so that people worldwide can be informed contributors and creators of the Web. Mozilla Corporation is a wholly owned subsidiary of the nonprofit Mozilla Foundation, which allows it to put people before profit. Today, it’s an internet leader via its well-known web browser, Firefox, which protects user privacy with features like Enhanced Tracking Protection – a default setting that blocks cookies so companies can’t track you. Mozilla works to preserve an open, global internet by advancing public policy and creating technologies that protect people’s right to explore and create online without fear of surveillance.
About the Author: Alice Munyua
Alice is an experienced public policy and internet governance professional with a demonstrated history of working in the information technology and services industry. She is skilled in Nonprofit Organizations, ICT policy and regulation, Entrepreneurship, Internet Governance, International Relations, capacity development and Management. She graduated from Pontificia Universitas Gregoriana in Rome, Italy, and is currently Mozilla’s Policy Advisor in Africa.