The year 2020 has changed the way that business interactions run. Buying and selling of goods and services online has taken center stage, with lock-downs and restrictions gathering forcing the move of work online. With more online activity, there has been an increase in the number of service providers, the volume of data generated and the places and ways that this data is processed and used. In fact, by November 2020 the CBK reports that mobile money agents had handled cash in-cash out transactions worth 526 billion. Online video subscriptions provider, Netflix, reportedly saw a 700% increase in subscriptions in Kenya to 29,500. These examples show the growing extent of the digital economy.
This online business activity is the digital economy and at its core is the data generated by users. The great advantage of a global digital economy has been the ability to move data across borders to places where the tools for processing and innovative use are easily and more cheaply available. This has created tensions with countries making strides towards increased privacy protection.
Led by Europe with the General Regulations on Data Protection that came into force in 2018, Kenya was among many other countries that enacted the Data Protection Act in November 2019. The Act sought to: establish the office of the Data Protection Commissioner (DPC); who was appointed in November 2020, protect the people generating data and regulate how those collecting, managing and processing the data. The world has witnessed push back from the digital business community for data protection and privacy laws. Most notable are Facebook’s battles across Europe since the GDPR came into force in March of 2019. A case lodged in Ireland made its way to the European Union Court of Justice and led to the finding that the EU-US privacy shield, enacted before the GDPR, was insufficient to protect the privacy of EU citizens.
The issue for the digital economy plays out in the above case. How can digital service providers operate freely while meeting the increasing obligations of privacy regimes across the world?
Privacy, while it has no standard definition, includes the right to have one’s information not be misused or inappropriately revealed. Data, which is a crucial asset to the digital economy, is produced daily at unprecedented volumes. While the business community sees opportunity, the advocates and regulators see risks and increasing potential harm to the public.
Among the strategies being used to protect privacy is data localization. This is the requirement that data transfers beyond the border of the native country of collection is restricted. In Kenya, to transfer data across borders, there must be either user’s free, informed, unequivocal and specific consent proof of sufficient data protection safeguards. This is especially strict for sensitive personal information where health and financial information fall under section 25.
Proponents for data localization argue that it keeps data in the country where more robust protection is available that goes beyond collection, storage and management to processing and use. This was among the arguments presented in the EU-US privacy shield case earlier discussed. Automated decision making that affects users, profiling, breach of anonymity are some of the ways that data subjects may have their privacy infringed.
Kenya’s approach provides the consent option for the transfer of personal data outside Kenya. This has operated as a more popular option for digital service providers and is likely to remain so unless the regulatory environment changes with the DPC, the Act and any future regulations. The Act is currently under review by a task force appointed by the Ministry of ICT. Changes to the law and policy are likely to be implemented following this audit.
That being said, the consent approach is insufficient for data protection and does not achieve the right to privacy secured for Kenyans in the Constitution 2010. The impetus of business is to maximize profit while minimizing cost. This is likely to remain the priority of digital service providers as computational power and data science advances and profit-making opportunities multiply.
Kenya is already doing well with the two-sided approach to data transfers and cross border data flows. This has kept Kenya open for business and grown data-heavy sectors such as digital credit and other fintech. By not setting a hard rule against data transfers, Kenya maintains a low digital trade barrier while providing herself the opportunity to observe the changes to the space and reserving the power through the Commissioner to investigate and affect policy.
Digital service providers will do well to ready themselves for more robust regulatory enforcement. Should the EU serve as an example, heavy fines and litigation are likely to be on the horizon as data protection frameworks mature and digital business increases in Kenya. Data flow agreements can also be expected within generalist trade or digital trade agreements, with obligations and remedies that may arise. Early precaution may include the provision of a company complaints mechanism, industry standard-setting, complaints mechanism and sector enforcement that has a deterrent effect to data processing activity that breaches privacy.
Eventually, keeping digital borders open for data flows may be crucial for business but the right to privacy must remain and find its way into more boardroom conversations and bottom-line considerations.