Regulating the new oil
A brief review of the Kenya data protection bill
For those of us who have tried to install mobile lending apps like Mshwari and Tala, you have realized that for you to use the app you have to give them permissions to read your messages, access your contacts, call logs, and location. These apps get data on your mobile device to determine your loan limit. The mobile loan applications will be able to tell how much you are worth from mining your Mpesa messages, which have the amounts you send and receive, the goods and services you buy, your balance and the people you transact Mpesa with. From your location they can also know your social class. Most days at 10Pm you are in Kariobangi, same to the other adults who may be considered your spouse or brother from your call logs. Your social net worth can be determined by the number of calls you make and receive in a day, the duration of the calls. There is a lot of data in your phone that can tell a lot about you. Soon your insurance company will raise your premiums from your Mpesa and Airtel money transactions at Burger King and at Whiskey Rivers. Because they tell so much about your health risk factors. Data is the new oil, and analytics is the refinery!
The data protection bill
Up to date data protection laws are critical for ensuring trust in the data economy, for provision of public services, for promoting security and for e-commerce. The government has now started planning for a central database for Kenyans, like India’s Aadhar, that will help in the distribution for resources and service provision. The taxman is in the process of mining data from third parties in an effort of equalizing tax obligations. Let’s say everyone is looking at data processing solutions to maximize efficiency. How this is done, and whoever is doing it, should not compromise on social justice and human rights.
Three months ago, the Ministry of ICT(MOICT) published its proposed privacy and data protection bill, calling for public input. The proposed bill borrows heavily from the EU General Data Protection Regulations (GDPR). The GDPR seem to provide the global standards for data protection, a point of reference for countries that are developing or updating privacy laws to respond to the recent trends in the global data economy. Some examples include the Brazilian, California’s Consumer Protection Act and Ghana’s Data Protection Act.
The MOICT proposed bill seeks to empower citizens to manage their data that is stored by companies within and outside Kenyan borders. The regulation of data processing follows the following principles; Lawful processing — that the processing of data is done within the existing legal frameworks; minimization of collection — that data processors only collect the data that is needed for its purpose; Restriction to further processing — that data is only processed for what it was intended for; Data quality — same to data integrity; and security safeguards — that data is stored and processed in such a way that prevents insecurity incidents, and minimizes harm to the data subject in case of insecurity.
The policy also focuses on the need to grow a local data economy for big companies and the Small and Medium Size Enterprises (SMEs), and therefore puts in reasonable mechanisms for compliance.
The human rights approach puts the data subject at the center of this policy. Data processors are required to obtain consent from the data subject before collection and processing. Your insurance company should request you to agree for it to access what kind of data, inform you the purpose of its collection, and the parties that are going to handle it. At any point, you have the right to ask it to give you information on your personal data that they have collected, ask for its deletion or correction. In case you want to move to another insurance company, you are allowed to request transfer of your data to your new insurance provider. Of course, this may happen at a cost, but should be reasonable.
Governments and big tech companies have continued to face ethical and human rights concerns in automated data processing. The challenge is to create meaningful balances between the conflicting values. For instance, policies need to be clear about the levels of transparency on decision making algorithms in Artificial Intelligence. However, they should also consider balancing patent rights and Informed consent — the need to inform the end users on how decisions about them are made. Automated decision making, especially when providing public services ought to allow for human intervention. When you are denied a driving license through an automated system in the e citizen portal, you should be allowed to reach out to a public officer for a human decision, or for clarity. (the more reasons why this law should not exempt the government as a data processor)
The data processors will have to prove that they obtained consent from the data commissioner, to collect and process their data. This consent can be withdrawn by the data subject at any time. For us to build a culture of informed consent, this will require a lot of awareness initiatives. The data processors should also be encouraged to develop comprehensive consent contracts to the level of an average Kenyan.
Data controller or data processor shall bear the burden of proof for establishing a data subject’s consent to the processing of his personal data for a specified purpose
Currently, the draft only provides regulations for processing of sensitive data. It states, any automated processing of personal data intended to evaluate certain personal aspects relating to an individual shall not be based on sensitive categories of personal data.’ This holds that a data processor cannot use data that is classified ‘sensitive’ as a variable in automated processing. However, implementing this will be a challenge, because there are ways to navigate these using other variables that are considered non-sensitive. In addition, without exception for purposes of processing data, the health sector may face accuracy challenges in AI assisted diagnosis.
The bill proposes to establish a data protection commission to implement and regulate the processing of data. Data processors will be required to register with this commission and submit reports and renew registration after three years. This is a way of monitoring and regulating data processing. Registration is not a form of licensing. The policy proposes that the commission is funded from the public purse, through the ministry. This has raised questions on its independence, especially when the data commissioner needs to arbitrate conflict between the government and the citizens. Though this seem to be the current best option. Housing the policy in an already existing commission will slow down its implementation as experienced with the Access to Information Act.
Creating a data privacy and security culture
GDPR came to force in May 25th and everyone is still talking about it. The billion dollars fines charged to the big brothers have got everyone running to legal advisors and HR experts to help weave in a culture of data security and privacy in their organizations. The principle of lawful processing promotes privacy by default, and homes data protection as a value. Organizations will take the responsibility of training their staff on data protection, and update their systems to comply with these laws.