The Need to Tame Commercialised Use of Data
When an individual is afflicted by a dependency condition, we do not treat them by according them unfettered access to the substances they are dependent on. It is instructive that such an individual is placed in a controlled environment, devoid of the substance causing dependence, and weaned off it. Depending on the substance, the individual may in future be granted restricted access to it.
The illustration above reflects how business entities in Kenya deal with data. Over the decades, private domestic and international business organisations have had a free hand in the collection, collation, analysis and storage of data. As technology advances, these corporations have even greater access to large volumes of private data. In many situations, the data owners have no idea that business entities are trading in their data or using their data for financial gain.
Several arguments are made by businesses to maintain the status quo in relation to data use. One, they argue that data owners freely make their data accessible. Hence, what is the harm in dealing with data that is seemingly low-hanging fruit? Two, that since data is important for development and economic growth, there is no need to control how businesses deal with it. Three, that any restrictions to data use would be a barrier to the ease of doing business in Kenya. Four, that we cannot compare Kenya to jurisdictions like the European Union that have set in place strict data protection laws.
I have listened to and analysed some of the excuses posited by businesses in Kenya in support of minimalistic data protection regulations, and my conclusion is that the arguments lack merit. As I have indicated in one of my previous articles, businesses have demonstrated that they cannot control themselves in terms of data use. Intrusive marketing strategies, trading in personal data and breach of privacy are examples of how they cannot be trusted with data anymore. Thus, there is a need for strict controls on how businesses collect, collate, analyse and store data in Kenya.
International corporations drop the ball once they know that they are dealing with data within a jurisdiction like Kenya where there are no data protection regulations. While they adhere to strict data protection laws in the European Union, for example, in Kenya they just operate on a bare minimum template. Social media companies posit that since they provide services at no cost, they should have free rein on data use. The lack of data protection laws in Kenya may not be blamed on these international corporations, but how they deal with data here is tantamount to double standards. We have a recent example of Cambridge Analytica, which mined personal data of Kenyans on Facebook for use in election campaigns. While Cambridge Analytica is facing parliamentary hearings and court cases in other jurisdictions, in Kenya we seem to have swept the whole scandal under the rug since there are no laws to deal with such situations.
Some local businesses argue in terms of soft law or basically self-regulation: that businesses should in fact be trusted to protect the privacy of individuals while being granted the opportunity to use data as they wish. One or two telecommunication companies operating in Kenya indicate that they have complied with consumer protection laws by simplifying their terms and conditions. Thus, if Kenyans sign away their data by accepting these terms of use, then the telcos cannot be taken to task for something they have no control over. Further, they indicate that having strict data consent guidelines will increase the cost of doing business. As an example of data terms and conditions, Safaricom Ltd, in its Conditions of Use for the Safaricom Prepaid Services, states –
“You accept that we may disclose and/or receive and/or record any details of your use of the Services including but not limited to your calls, emails, SMS’s, data, your personal information or documents obtained from you for the purposes below:
1. For reasonable commercial purposes connected to your use of the mobile service, such as marketing and research related activities;”
The above statement is vague: to whom will the data be disclosed for ‘reasonable commercial purposes’? And what amounts to a reasonable purpose? While mobile subscribers may opt out of some commercial marketing services, the terms and conditions set by Safaricom are also blanket in nature. What about situations where the customer has no idea that their data is being used for commercial purposes? Why the blanket consent instead of having a customer decide whether they wish their data used for commercial purposes at all? Further, the terms and conditions set arbitration as the mode of dispute resolution; they state –
“12. a. Save as may otherwise be provided herein, all questions in dispute arising between the Parties and all claims or matters in such dispute not otherwise mutually settled between the Parties shall be referred to arbitration.”
Now, a dispute relating to data use and in essence privacy of an individual cannot be litigated in arbitration. Privacy is a fundamental right, hence, any dispute arising from data use ought to be handled by a statutory institution that does not oust the jurisdiction of the constitutional courts to handle the matter.
There is nothing peculiar about Safaricom in how it handles data. Its terms and conditions are an illustration of how businesses operating in Kenya do not meaningfully respond to the protection of privacy rights. What is commendable for Safaricom is that it has simplified its terms and conditions. When we analyse insurance or banking contracts and how they handle personal data, we realise that their terms and conditions are not couched in simple language and do not address the issue of data protection and privacy of the individual.
As I have stated before, Kenya needs strong data protection laws like yesterday. What is key is the protection of the privacy of the individual and empowering them in deciding why, how, what and when the data should be used. Self-regulation by business is not an option and neither is the double standards approach implemented by international corporations. We must treat the uncontrolled ‘data dependency’ by businesses and provide clear rules on how they may use data in the future.