LawyersHub

lawyershub_blog

The year 2020 has changed the way that business interactions run. Buying and selling of goods and services online has taken center stage, with lock-downs and restrictions gathering forcing the move of work online. With more online activity, there has been an increase in the number of service providers, the volume of data generated and the places and ways that this data is processed and used. In fact, by November 2020 the CBK reports that mobile money agents had handled cash in-cash out transactions worth 526 billion. Online video subscriptions provider, Netflix, reportedly saw a 700% increase in subscriptions in Kenya to 29,500. These examples show the growing extent of the digital economy.

This online business activity is the digital economy and at its core is the data generated by users. The great advantage of a global digital economy has been the ability to move data across borders to places where the tools for processing and innovative use are easily and more cheaply available. This has created tensions with countries making strides towards increased privacy protection.

Led by Europe with the General Regulations on Data Protection that came into force in 2018, Kenya was among many other countries that enacted the Data Protection Act in November 2019. The Act sought to: establish the office of the Data Protection Commissioner (DPC); who was appointed in November 2020, protect the people generating data and regulate how those collecting, managing and processing the data. The world has witnessed push back from the digital business community for data protection and privacy laws. Most notable are Facebook’s battles across Europe since the GDPR came into force in March of 2019. A case lodged in Ireland made its way to the European Union Court of Justice and led to the finding that the EU-US privacy shield, enacted before the GDPR, was insufficient to protect the privacy of EU citizens.

Led by Europe with the General Regulations on Data Protection that came into force in 2018, Kenya was among many other countries that enacted the Data Protection Act in November 2019. The Act sought to: establish the office of the Data Protection Commissioner (DPC); who was appointed in November 2020, protect the people generating data and regulate how those collecting, managing and processing the data.

The world has witnessed push back from the digital business community for data protection and privacy laws. Most notable are Facebook’s battles across Europe since the GDPR came into force in March of 2019. A case lodged in Ireland made its way to the European Union Court of Justice and led to the finding that the EU-US privacy shield, enacted before the GDPR, was insufficient to protect the privacy of EU citizens.

The issue: cross border data flows and privacy

The issue for the digital economy plays out in the above case. How can digital service providers operate freely while meeting the increasing obligations of privacy regimes across the world?

Privacy, while it has no standard definition, includes the right to have one’s information not be misused or inappropriately revealed. Data, which is a crucial asset to the digital economy, is produced daily at unprecedented volumes. While the business community sees opportunity, the advocates and regulators see risks and increasing potential harm to the public.

The arguments

Among the strategies being used to protect privacy is data localization. This is the requirement that data transfers beyond the border of the native country of collection is restricted. In Kenya, to transfer data across borders, there must be either user’s free, informed, unequivocal and specific consent proof of sufficient data protection safeguards. This is especially strict for sensitive personal information where health and financial information fall under section 25.

Proponents for data localization argue that it keeps data in the country where more robust protection is available that goes beyond collection, storage and management to processing and use. This was among the arguments presented in the EU-US privacy shield case earlier discussed. Automated decision making that affects users, profiling, breach of anonymity are some of the ways that data subjects may have their privacy infringed.

Further proponents question the quality of consent given. The Act requires that consent is unequivocal, informed, free, express and specific. In many contexts, consent is sought through prompts that hyperlink the privacy policy and terms for the user to read. Unfortunately, these are often not read by users due to their length, legal jargon. One is often then required to indicate that they have ‘read’ and ‘accepted’ the terms or policy. This has likely led to many users agreeing to processing activities but with great suspicion on their understanding of activities described.

Opposers argue that localization and its proponents are creating digital trade barriers. Businesses operating particularly in emerging economies such as Kenya, may not find the robust computing power required to offer their services locally. This creates a need to transfer the data to places where such processing is more cost-effective. Further, the sharing of data between service providers is seen as a way of enabling them to make better goods and services by tailoring products for the user. Depending on the extent of privacy laws, this may be hindered. Privacy laws and compliance are seen as increasing compliance costs for companies where governments and privacy advocates value privacy differently and more intensely than data subjects who make their own decisions as far as consent is concerned. Essentially, governments are overstepping what should be a personal consent issue and creating more cost in a market where the consumers do not intend as much.

Opinion

Kenya’s approach provides the consent option for the transfer of personal data outside Kenya. This has operated as a more popular option for digital service providers and is likely to remain so unless the regulatory environment changes with the DPC, the Act and any future regulations. The Act is currently under review by a task force appointed by the Ministry of ICT. Changes to the law and policy are likely to be implemented following this audit.

That being said, the consent approach is insufficient for data protection and does not achieve the right to privacy secured for Kenyans in the Constitution 2010. The impetus of business is to maximize profit while minimizing cost. This is likely to remain the priority of digital service providers as computational power and data science advances and profit-making opportunities multiply. 

Kenya is already doing well with the two-sided approach to data transfers and cross border data flows. This has kept Kenya open for business and grown data-heavy sectors such as digital credit and other fintech. By not setting a hard rule against data transfers, Kenya maintains a low digital trade barrier while providing herself the opportunity to observe the changes to the space and reserving the power through the Commissioner to investigate and affect policy. 

Digital service providers will do well to ready themselves for more robust regulatory enforcement. Should the EU serve as an example, heavy fines and litigation are likely to be on the horizon as data protection frameworks mature and digital business increases in Kenya. Data flow agreements can also be expected within generalist trade or digital trade agreements, with obligations and remedies that may arise. Early precaution may include the provision of a company complaints mechanism, industry standard-setting, complaints mechanism and sector enforcement that has a deterrent effect to data processing activity that breaches privacy.

Eventually, keeping digital borders open for data flows may be crucial for business but the right to privacy must remain and find its way into more boardroom conversations and bottom-line considerations.






Add Comment

Your Email address will not be published
The Lawyers Hub
Data Privacy and the Digital Economy
blogimg
Data Privacy and the Digital Economy
Feb. 26, 2021


blogimg
ISPs, Fair Use Policies and Consumers: A Complex Relationship
Feb. 23, 2021


blogimg
LEGAL ALERT BENEFICIAL OWNERSHIP IN KENYA
Feb. 2, 2021


blogimg
The NIIMS Regulations, 2020 Public Policy Discussion
Nov. 2, 2020


blogimg
Meaningful Connectivity: The Lawyers Hub at #FIFAfrica2020
Oct. 23, 2020


Address

Bishop Road First Ngong Ave, Nairobi, Kenya

Contact

Email: info@lawyershub.ke
Phone: +254 784 840 228

Subscribe
Social