Data Protection Bill: Election servers must be hosted in Kenya

Ballot boxes and other election materials at Moi Secondary school in Nakuru on March 2, 2021. [Kipsang Joseph, Standard]

Election servers should be hosted in Kenya, according to a new regulation that also gives the government more control over the management of all election data. 

In the past, truths and half-truths have been told about how elections are conducted. Theories and facts about previous elections have been shared widely, with rival political camps each pulling to their side. In the 2017 election, Kenya tried its hand at digital and physical counting of votes, a hybrid that elicited huge controversy and culminated in the Supreme Court nullifying the presidential election results.

In the lengthy court proceedings that followed, the Independent Electoral and Boundaries Commission (IEBC) was hard-pressed to open the servers and allow the opposition access to data on the exercise.

But the new Data Protection (General) Regulations, 2021, currently awaiting public participation, require that any company handling election data must host the servers and data centres locally in Kenya.

“Pursuant to section 50 of the Act, a data controller or data processor who processes personal data for the purpose of actualising a public good shall be required to ensure that such processing is effected through a server and data centre located in Kenya; and it includes the conduct of elections in the country,” read the regulations in part.

The new law will introduce a compliance requirement for companies that bid for tenders to conduct voter registration and elections, for both general elections and by-elections. It also gives the government, through the IEBC, stronger influence in the management and handling of electronic data.

This comes in the wake of the 2017 elections, where IEBC’s first deployment of technology ran into headwinds after the government could not access its own data from the French company it had contracted.

With the elections five months away, the electoral commission hurriedly cancelled the Kenya Integrated Elections Management Systems (KIEMS) tender it had awarded to Gemalto and gave the tender to French firm Safran.

In a letter, then IEBC boss Ezra Chiloba cited inadequate budget, limited operational time and substantial "technological change" as reasons for the cancellation.

Gemalto wrote back to the commission requesting a meeting with the poll chiefs and pleading with them to restore the tender. Charles Mevaa, Gemalto's Vice President who signed the letter, also poked holes in the reasons for cancellation, stopping short of calling them unconvincing.

The commission said Safran met the cut for direct procurement on account of its previous engagement in the 2013 election voter registration.

The mismatch and confusion that marked the 2017 elections saw the IEBC revert to manual transmission of votes from the online transmission it had started with.

When the then-NASA coalition took its petition to the Supreme Court, it pleaded with the court for the servers to be opened to determine the authenticity of the results.

The Jubilee side, led by senior counsel Paul Muite, informed the court that the servers were hosted in France, which is in another time zone, and that they would probably be sleeping.

“It has come to our knowledge that one of these VPNs terminated at a cloud server registered in Spain but operated from France under the control of OT-Morpho. Both VPNs were fully paid for by the IEBC,” the Raila Odinga-led team said at that time.

The law is, however, likely to elicit a sharp reaction from technology firms, which have rebuffed attempts by the government to compel them to host their servers locally.

In public submissions to the Data Protection Act 2020, US tech giant IBM questioned the government’s push for data localization, stating that it could increase the cost of doing business.

“Is the purpose to provide easy access to local surveillance/enforcement agencies?” queried IBM in its submissions to Parliament.

“In our view, this provision will create additional compliance and enforcement costs for data controllers/processors and their supervisory authorities, respectively.”

IBM said it would lead to a competitive disadvantage for innovative, digital businesses in Kenya, and an overall economic disadvantage for the whole economy as “any business processing data, has to make sure they are not only stored ‘in the cloud’ (e.g. if using simple SaaS-services as calendar tools), but also physically on servers in Kenya,” the firm noted.