The Data Protection Act 2019 was assented to by the president on 8th November 2019 and came into effect on 25th November 2019. The Act is mandated to establish the office of the Data Protection Commissioner, to make provision for the regulation of processing personal data, and to provide for the rights of data subjects and the obligations of data controllers and processors.
The Lawyers Hub Kenya held a fireside chat on November 22 to break down the DPA for stakeholders, giving data handlers and data subjects a clearer understanding of the implications of the new Act. The fireside chat, titled Fintech, Digital KYC and Data Protection, attracted lawyers, law students, and business stakeholders who handle customers’ data.
On the panel were Linda Bonyo, a lawyer and the CEO of the Lawyers Hub Kenya; Mark Straub, CEO of Smile Identity; and Karimi Ruria, Legal Public Policy and Government Relations Expert at Safaricom.
According to the Act, a data processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller, while a data controller is a natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purpose and means of processing of personal data. Businesses and entities that collect data from individuals are classified as either data processors or controllers, or serve both functions, as Karimi explained. She highlighted that according to the Data Protection Act, the burden of proof of consent lies with the data controller, and not the data subject.
Mark Straub pointed out that the Data Protection Act was clearer than the EU GDPR. He said that this Act gave more power to data subjects to control how their data was being used. Smile Identity uses facial recognition technology to help telcos and fintech providers identify their clients, and it handles personal data from data subjects on behalf of data processors who are its clients.
He observed that fraud usually happens at the initial touchpoint with the data processor, such as the agent. There's, therefore, a need to also educate the population on the importance of data and its value. Lauding the step that Kenya has taken, he said that countries like the US might look to Kenya as a model in data protection.
Karimi observed that Bottom of the Pyramid (BOP) consumers are likely to fall prey to foul play from businesses; therefore, we need to ensure that the first layer of data processors (businesses like M-Pesa agents), who have early touchpoints with consumers, are compliant. She pointed out that the Data Privacy Act was geared towards self-regulation by businesses that handle clients' data.
Anyone within the boundaries of Kenya enjoys the protection of the Data Protection Act, as long as they reside in Kenya irrespective of their citizenship.
Linda Bonyo clarified that this Act gives a data subject power to give or withdraw consent at any time, limiting the duration that businesses can keep their customers’ data before processing it. If consent is withdrawn after personal data has been processed, a business can still use it, but if a data subject withdraws consent before their data is processed, then the data cannot be used.
Consent in the digital space has the following characteristics:
- Freely given: It needs to be affirmative and action is required to be taken by the data subject.
- Unambiguous: It should be easily understandable to the layman, instead of blanket terms and conditions full of jargon.
Ms Bonyo suggested that it may be in the interest of data controllers (businesses) to set up their structures to have a separate entity acting as a data processor, collecting data on their behalf.
There is a provision for all data controllers or data processors to register with the controlling authority, with a possibility of waivers under certain thresholds.
On credit scoring and the Data Privacy Act, financial providers need the information on which to base the pricing of credit; otherwise, Kenyans will be forced to go to banks to apply for loans that may not be affordable. Sharing information and building a secure database like the Credit Reference Bureau gives access to credit.
For research purposes, a Data Protection Impact Assessment should be done and submitted to the office of the Data Protection Commissioner before carrying out scientific or any kind of research.