LEGAL CONSIDERATIONS OF THE UPCOMING DATA PROTECTION (GENERAL) REGULATIONS KENYA

Introduction

With the advent of the Data Protection Act of Kenya and the appointment of Kenya’s first Data Commissioner, Ms. Immaculate Kassait, the mandate of the Office of the Data Protection Commissioner (ODPC) has officially been set in motion and is operating at full throttle. On the 15th day of January, 2021 the Minister of ICT, Innovation and Youth Affairs gazetted the Taskforce on Development of Data Protection Regulations and commissioned it to:

i. undertake a comprehensive audit of the Act;
ii. identify any gaps or inconsistencies in the Act and the Data Protection Policy and propose specific review requirements;
iii. propose any new policy, legal and institutional framework that may be required to implement the Data Protection Act;
iv. develop the Data Protection (General) Regulations, sensitize and undertake stakeholder and public participation on these regulations; and
v. any other activities required for the effective discharge of its mandate.

At the end of its six-month tenure, the Taskforce is expected to submit to the Cabinet Secretary a final report on the recommended reviews and amendments of the Data Protection Act as well as other existing legislation. According to the recently published ODPC website, various guidelines have been developed and are currently awaiting public participation. These include:

i. Registration of data controllers and processors;
ii. Seeking consent from data subjects (available on website);
iii. Certification of data controllers and processors;
iv. Data protection impact assessment (available on website);
v. Appointment of data protection officers;
vi. Data sharing code and enforcement.

As we await publication of these guidelines and the release of the Taskforce Report, I sought to highlight some key considerations that ought to be elucidated in the Data Protection (General) Regulations.

1.    Registration of data controllers and processors

The Data Protection Act empowers the Data Commissioner to prescribe thresholds required for mandatory registration of data controllers and data processors depending on the nature of industry, volumes of data processed and whether sensitive data is being processed. In filing the application, the data controller and the data processor must provide particulars regarding the personal data to be processed, the purpose of processing the personal data, the category of data subjects and the security measures adopted to ensure the protection of personal data, amongst others. Details regarding the certification of data controllers and data processors remain unclear as the Act provides that the duration and validity of the certificates shall be determined at the time of application.

In anticipation of the Data Protection (General) Regulations, it is expected that the registration and certification guidelines provide further details on the mode of application and whether such registration extends to both legal entities and natural persons. It is imperative that the duration of certification be clarified, whether indefinite or for a limited period of time. Any changes in particulars of the application must be notified to the Data Commissioner. Thus, if the scope of a business entity expands or the business model evolves in such a way that the purpose of processing personal data varies, how will the previously acquired certification be affected?

In determining the type of entities required to register, the Data Commissioner may adopt the approach of the Financial Reporting Centre (established under the Proceeds of Crime and Anti-Money Laundering Act), which lists “reporting institutions” that must be registered with the Centre, based on the nature of their operations.

2.    Appointment of data protection officers

The Data Protection Act mandates every data controller and processor to appoint a Data Protection Officer (DPO) where the core activities of the entity require the regular and systematic monitoring of data subjects as well as the processing of sensitive categories of personal data. The DPO is responsible for the data protection compliance activities within an entity. The DPO post need not be a dedicated one and can be performed by an existing staff member provided that the current duties of the staff member do not conflict with those of the DPO. In fact, a group of entities may appoint a single DPO provided the officer is accessible by each entity.

Be that as it may, the Act is amorphous on the professional accreditation required by a DPO. Section 24 provides that a person may be designated or assigned as a DPO if that person has relevant academic or professional qualifications which may include knowledge and technical skills in matters relating to data protection. This leaves wide room for interpretation as no minimum standards are set as to the qualifications of a DPO. In the event that this role is left to an individual who is not adequately qualified, the data controller or data processor may be susceptible to strict sanctions and hefty fines as a result of non-compliance. Additionally, the parameters of accessibility of a single DPO by a group of entities ought to be interpreted by the guidelines. Though data protection is a novel area of expertise and certifications may vary from one jurisdiction to the other, it is imperative that the guidelines for appointment of DPOs set minimum qualifications of a DPO and issue certifications to DPOs, so as to benchmark international standards of data protection. On an international scale, the International Association of Privacy Professionals (IAPP) issues certification to various professionals in data protection from the EU, US, Canada and Australia. In the bigger picture, I dare say, Kenya in collaboration with other African Union member states, can lobby for a Certified Information Privacy Professional (CIPP) certification for Africa from the IAPP.

3.    Data Protection Impact Assessment

The Data Protection Act requires a data controller or data processor to carry out a data protection impact assessment (DPIA) where a processing operation is likely to result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes. The DPIA report should be submitted to the Data Commissioner 60 days prior to processing of personal data and shall include (i) a systematic description of the processing operations and purpose of processing; (ii) the necessity and proportionality of the processing in relation to the purpose; (iii) the risk to rights and freedoms of the data subjects; and (iv) the safeguards, security measures and mechanisms adopted to address the risks.

The essence of DPIAs is to embody “data protection by design and default”, which requires implementing appropriate technological and organizational measures, such as pseudonymization and encryption, so as to implement the data protection principles in an effective manner and to integrate the necessary safeguards for that purpose into the processing operation. Furthermore, the data controller and the data processor should only collect information that is necessary for fulfilling the purpose of collection and should not use such data beyond that purpose.

It is evident that the provisions of the Act did not determine what processing operations would be deemed “high risk” and the manner in which the DPIA would be conducted. Nonetheless, the guidelines of the DPIA have clarified this position to a comprehensive extent by listing eight criteria that would be considered for high risk processing operations. These include:

i. Automated decision making with a legal or significant effect, e.g. profiling and predicting a data subject’s economic situation, health, personal preferences, etc.;
ii. Systematic monitoring through networks and public surveillance equipment, as the data subject may not be aware of the data collection and purpose of use;
iii. Sensitive personal data;
iv. Data processed in large volumes;
v. Matching or combining data sets in a way that would exceed the reasonable expectations of the data subject;
vi. Data concerning vulnerable data subjects such as children, persons with disabilities, asylum seekers and refugees;
vii. Applying new technological or organizational solutions; and
viii. When the process prevents data subjects from exercising a right.

Although the requirement for a DPIA is restricted to high risk processing operations, it is recommended that all data controllers and processors carry out the assessment so as to ensure data protection compliance. The approach to data processing should be proactive not reactive; preventative not remedial. Furthermore, any data processing whose conditions of implementation (e.g. scope, purpose, personal data collected) have changed since the initial approval of the Data Commissioner should be subject to a secondary DPIA. Updating the DPIA throughout the project lifecycle will ensure that data protection and privacy are considered and will encourage the creation of solutions which promote compliance. The standard format of a DPIA report is available on the ODPC website.

4.    Data retention

The Data Protection Act stipulates that the data controller or data processor shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed, unless the retention is required by law, authorized by the data subject or for historical, statistical, journalism and literature purposes. It is apparent that many data controllers and processors are regulated and licensed by different government institutions depending on the nature of industry they are in; thus, the requirement for data retention may vary. For example, the Proceeds of Crime and Anti-Money Laundering Act requires all reporting institutions to maintain customer records for a period of at least seven years from the date the relevant transaction was completed. Similarly, the Employment Act requires every employer to keep written particulars of an employee for a period of five years after the termination of employment. In this regard, two competing interests arise: the principle of data storage limitation and the record-keeping obligation under statute. The ideals of data protection as envisaged in the Act present that personal data should be deleted, anonymized or pseudonymized once it has served its purpose. Nonetheless, this does not apply to data that ought to be retained in its original form as a requirement of the law. Thus, the Data Protection (General) Regulations should shed some light on further safeguards and measures to be applied to this type of data beyond fulfillment of purpose, and prevent any further processing of the same. Furthermore, the Regulations should provide a minimum data retention period for all data controllers and processors who are currently not regulated, the violation of which would constitute an offence. This would ensure that no personal data is retained for dubious purposes.

5.    Data breach

The Data Protection Act provides for incident reporting procedures in relation to unauthorized access to personal data which present a real risk of harm to the data subject. Different parameters are set amongst data controllers and data processors. Data controllers are required to notify the Data Commissioner within 72 hours of becoming aware of such breach and communicate to the data subject within a reasonably practical period. Where notification is not given within 72 hours, reasons should be given for the delay. Where a data processor becomes aware of such breach, the data processor should notify the data controller within 48 hours. No obligation has been set on the data processor to notify the Data Commissioner. Moreover, where the data controller and the data processor have implemented appropriate security safeguards including encryption of personal data, no communication shall be required to the data subject in case of a data breach.

The infrastructure for reporting data breaches to the Data Commissioner has been provided on the ODPC website. This comes in the format of an online submission form which requires details relating to the data breach, including a description of the incident, the type of personal data, the number of data subjects involved and the remedial action taken. Furthermore, data subjects can file complaints with respect to data breaches directly with the Data Commissioner in a similar format as provided on the website. Additional provisions have been made for complaints against the ODPC. Nonetheless, the ODPC is yet to provide hotline contacts for filing such reports by telephone. We will be keen to note the incident response timeframe within which a data breach is addressed.

6.    Cross-border transfer of data

The enactment of the General Data Protection Regulation in 2018 saw an uproar on matters pertaining to cross-border transfer of data, as companies domiciled in the EU, entities procuring services from the EU and service providers catering to EU citizens sought to comply with the stringent but essential regulations. As a general rule, transfers of personal data to countries outside the EU may only take place if these countries are deemed to ensure an adequate level of data protection. Similarly, the Data Protection Act imposes the same conditions: a data controller or a data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of personal data, including jurisdictions with commensurate data protection laws. The transfer should be necessary for the performance of a contract between a data subject and a data controller or data processor, for a matter of public interest, for the exercise or defense of a legal claim, to protect the vital interests of a data subject, or for the purpose of a compelling legitimate interest pursued by the data controller or data processor. More importantly, consent must be obtained from the data subject.

Nonetheless, the degree of proof as to the safety and security of personal data, and the manner in which such proof is substantiated, has not been elucidated in the Act. Whether this requires the filing of a DPIA or written approval from the ODPC is a matter that is yet to be unraveled. Thus, it is crucial that the Regulations provide ad hoc parameters for the cross-border transfer of data. Case in point, the EU Commission has implemented the “adequacy decision” model, which is based on a thorough assessment of whether the third country has appropriate legal safeguards for data protection equivalent to those in the EU. So far, countries such as Canada, Japan and New Zealand have been whitelisted as safe countries for the transfer of personal data from the EU. Alternatively, the ODPC can adopt standard contractual clauses that assist data controllers and processors in providing sufficient safeguards on data protection when transferring data to a data controller or processor outside the Kenyan jurisdiction.

As much as cross-border transfer of data is permitted, there exist certain restrictions whereby the Cabinet Secretary of ICT is empowered to prescribe that certain categories of data processing be effected through a server or data center located in Kenya. This is based on the strategic interests of the state or protection of revenue. Data is the new oil, they say, and Kenya need not be another victim of data mining. Therefore, this measure is seen as an effort to preserve national interests, preventing external parties from exploiting data sets and resources derived from the Kenyan jurisdiction.

7.    Enforcement

The Data Protection Act provides that a data subject who is aggrieved by a decision of any person under the Act may lodge a complaint with the Data Commissioner. The complaint shall be investigated and concluded within 90 days. Where the ODPC is satisfied that the person has failed to comply with a provision of the Act, the Data Commissioner may serve an enforcement notice requiring that person to take certain steps to remedy the default within a specified duration (not less than 21 days). Any person who fails to comply with an enforcement notice commits an offence and is liable on conviction to a fine not exceeding Kshs. 5M or to imprisonment for a term of 2 years, or both. Moreover, if the Data Commissioner is satisfied that a person has failed to adhere to the enforcement notice, the Data Commissioner may issue a penalty notice requiring the person to pay to the ODPC an amount specified in the notice. The maximum penalty that may be imposed by the Data Commissioner in a penalty notice is up to Kshs. 5M or, in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. The mode of enforcement adopted by the Act is that of administrative action, where the Data Commissioner uses her discretion to adjudicate on matters of data protection violation. The right of appeal applies to any action taken by the Data Commissioner and lies to the High Court of Kenya.

On the other hand, any person who suffers damage by reason of a contravention of the Act is entitled to compensation for that damage from the data controller and the data processor. The modalities of seeking legal redress with reference to such compensation, and the manner of establishing the quantum of damages, are not clarified in the Act. Needless to say, the Act empowers the Data Commissioner to facilitate conciliation, mediation and negotiation of disputes arising from the Act. Thus, it would be of great significance if the Regulations provided further guidelines on the compensation of data subjects. In addition to the foregoing, the ODPC ought to confirm the position of alternative dispute resolution mechanisms as relates to the administrative action envisaged in the Act, i.e. will the former take precedence over the latter?

Conclusion

In conclusion, the Data Protection Act of Kenya sets a remarkable precedent in the protection of personal data and the advocacy of the fundamental human right to privacy. The Office of the Data Protection Commissioner has made great strides through its proactive approach in formulating guidelines relating to data processing operations as well as establishing mechanisms for data breach reporting. Now, it’s time to separate the wheat from the chaff and get cracking on the practical implementation of the Data Protection Act. I look forward to reconciling the loopholes presented above with the Data Protection (General) Regulations, once published!


Carl Wambasi

Executive Director at Eastgate International Limited

3 years

Well articulated. Well done Nyasani!
