top of page
Writer's pictureIrungu Houghton

Resist attempts to clip Data Protection Commissioner's powers

In two months, Kenya’s data protection law turns five. Indefatigable advocate and Busia Senator Okiya Omtatah’s 2019 petition challenging the constitutionality of the Data Protection Act (DPA) comes for mention next Wednesday. Given the intense competition to grab Kenya’s lucrative data landscape and repeated personal data breaches, is this petition really in the national public interest?

 

The passing of the Data Protection Act (2019) was preceded by one of the most intense legal and political battles to protect Kenyans from state bullying and privacy rights violations. A Registration of Persons Act miscellaneous amendment kicked off the Huduma Namba and National Integrated Identity Management System (NIIMS) programme in December 2018. By the time the DPA had passed, citizens had been threatened with the withdrawal of immigration, health and telephone services if they declined to register. Our personal data had been unlawfully exposed during the national population census and the State had toyed with making CCTV cameras mandatory in all public spaces.

 

The Data Protection Act re-injected life into Article 31 and our constitutional right to privacy. The spirit of the Act is that our personal information must not be secretively and arbitrarily collected, stored, and shared without our express consent. Five years on, Kenya is a trail blazer among 137 out of 195 countries now implementing privacy and data protection laws. While the Act is fundamentally aligned to African and European best practices, the challenges of cyber hacking, machine learning, artificial intelligence and block chain technology, multinational data mining and transfer to host countries pose seriou.

 

Public interest litigation suits have invoked the Act to ensure Government national digital ID Huduma Namba and then, Maisha Namba programmes can protect our personal information. When WorldCoin went on an iris biometric buying spree in 2023, it was the Act that was applied to protect Kenyans. The Act states our personal data cannot be stored, used, sold or transferred abroad without our permission. It gives citizens the power of choice to correct, delete or add data. All organisations must do data protection assessments for all the information they hold and appoint staff to manage data.

 

Over the last five years, the Office of the Data Protection Commissioner (ODPC) has registered 5,739 data controllers and processors nation-wide. They have issued 150 advisories, reviewed 200 impact assessments, addressed 161 data breaches and resolved 86 per cent of the 5,215 complaints referred to them.

 

Within this context, Omtatah’s petition is not in the public interest. Filed two weeks after the Act was assented on 8 November 2019, he argues the DPA was not subjected to effective public participation, affected counties and therefore should have been adopted as a joint resolution of both Senate and the National Assembly. While the court will determine the validity of these arguments, it is worth noting that the bill received no less than 700 submissions from the public, businesses and human rights organisations, Amnesty International included.

 

The DPA and the OPDC also featured in the Communications and Digital Economy Sectoral Working Group report to the ICT Cabinet Secretary two weeks ago. While generally a thoughtful and well written report that proposes the registration and vetting of Data Controllers and Processors, it seeks to expand the ODPC to a Board of three Commissioners answerable to Parliament.

 

It is unclear what problem is being solved by this recommendation. Given the importance of the DPA for Article 31, the ODPC should be modelled as a constitutional commission and remain appointed by the President following an open, competitive recruitment process by a selection panel. Does the Kenyan taxpayer need more expensive jobs and overheads? Will a politically accountable ODPC increase or erode business and public confidence in a regulator? If the Act is declared constitutional, what implications would this have for all penalties that have been paid by violators and the massive public investment in the ODPC to date?

 

While Omtatah’s petition has been overtaken by events and is best withdrawn, Parliament must now resist new attempts to undermine the Office of the Data Protection Commissioner’s independence.


This opinion was also published in the Saturday Standard,  28 September 2024.

Comments


bottom of page