In two months, Kenya’s data protection law turns five. Indefatigable advocate and Busia Senator Okiya Omtatah’s 2019 petition challenging constitutionality of the Data Protection Act (DPA) comes for mention next Wednesday.
Given the intense competition to grab Kenya’s lucrative data landscape and repeated personal data breaches, is this petition in the national public interest?
The passing of the Data Protection Act (2019) was preceded by one of the most intense legal and political battles to protect Kenyans from state bullying and privacy rights violations.
A Registration of Persons Act miscellaneous amendment kicked off the Huduma Namba and National Integrated Identity Management System (NIIMS) programme in December 2018.
By the time the DPA had passed, citizens had been threatened with withdrawal of immigration, health and telephone services.
Our personal data had been unlawfully exposed during the national population census and the State had toyed with making CCTV cameras a must in all public spaces.
The Data Protection Act re-injected life into Article 31 and our constitutional right to privacy. The spirit of the Act is that our personal information must not be secretively and arbitrarily collected, stored and shared without our express consent.
Five years on, Kenya is a trail blazer among 137 out of 195 countries now implementing privacy and data protection laws.
While the Act is fundamentally aligned to African and European best practices, the challenges of cyber hacking, machine learning, artificial intelligence and block chain technology, multinational data mining and transfer to host countries, remain.
Public interest litigation suits have invoked the Act to ensure Government national digital ID Huduma Namba and then, Maisha Namba programmes can protect our personal information. When WorldCoin went on an iris biometric buying spree in 2023, the Act was applied to protect Kenyans.
The Act states our personal data cannot be stored, used, sold or transferred abroad without our permission. It gives citizens power of choice to correct, delete or add data. All organisations must do data protection assessments for all information they hold and appoint staff to manage data.
Over the last five years, the Office of the Data Protection Commissioner (ODPC) has registered 5,739 data controllers and processors nation-wide. They have issued 150 advisories, reviewed 200 impact assessments, addressed 161 data breaches and resolved 86 per cent of the 5,215 complaints referred to them.
Within this context, Omtatah’s petition is not in public interest. Filed two weeks after the Act was assented on November 8, 2019, he argues the DPA was not subjected to effective public participation, affected counties and therefore should have been adopted as a joint resolution of both Senate and National Assembly.
While the court will determine validity of these arguments, it is worth noting that the Bill received no less than 700 submissions from the public, businesses and human rights bodies, Amnesty International included.
The DPA and the OPDC also featured in the Communications and Digital Economy Sectoral Working Group report to the ICT Cabinet Secretary two weeks ago.
While generally a thoughtful and well-written report that proposes registration and vetting of Data Controllers and Processors, it seeks to expand the ODPC to a Board of three Commissioners answerable to Parliament.
It is unclear what problem is being solved by this recommendation. Given the importance of the DPA for Article 31, the ODPC should be modelled as a constitutional commission and remain appointed by the President following an open, competitive recruitment process by a selection panel.
Does the Kenyan taxpayer need more expensive jobs and overheads? Will a politically accountable ODPC increase or erode business and public confidence in a regulator?
If the Act is declared constitutional, what implications would this have for all penalties paid by violators and the massive public investment in the ODPC to date?
While Omtatah’s petition has been overtaken by events and is best withdrawn, Parliament must resist new attempts to undermine the Office of the Data Protection Commissioner’s independence.