Gen Z, right to privacy, and a revolution

June 2024 shall be remembered as the month Kenyans tested the limits of digital rights and the Kenya Kwanza government responded by restricting the rights. What I have witnessed in the last month has been a dream for democracy and governance professionals since promulgation of the Kenyan Constitution on August 27^th, 2010.

The digital space, specifically on Tiktok and X (Twitter) has been effectively used to carryout extensive public education, expand public participation, and mobilise for popular action. Political rights, right to freedom of expression, right to privacy, right to access to information, and freedom of the media have come to play under sharp scrutiny.

The events of June 2024 were a culmination of over a decade long of efforts by Kenyans to expand the digital space for themselves. Over the last decade, courts have rendered decisions that did away with colonial statutory provisions and new provisions promoted by the Jubilee government that limited fundamental rights and freedoms. The court decisions were regularly criticised by the Jubilee government that was fond of ignoring court orders and from time to time revealed its despotic tendencies.

On the right to privacy the debate has centred about the ‘wacha tumsalimie’ (lets greet them) trend. Contact details of Members of Parliament, Members of the Executive, and other public figures were casually shared on social media. The trend extended to the family members of the public figures. For public figures, the fact is that they themselves, way before June 2024 shared their contact details with Kenyans, going as far as posting their phone numbers on social media, websites, and blogs. Could such public figures then go ahead and claim that their right to privacy was violated when the contact information they shared publicly was used to hold them to account? My simple answer was no.

What was disturbing to me is that some of the politicians sought to weaponize the Data Protection Act against Kenyans who reshared the publicly available contact details on social media. It was also hilarious watching police officers comb through the Data Protection Act seeking to identify provisions that they would use to charge Kenyans who had used the publicly available contact details. Fortunately, no charge could stick and most of the arrested persons were released unconditionally. On this, I am proud of volunteer lawyers from the Data Privacy and Governance Society of Kenya for defending Kenyans against ‘non-existent’ crimes.

During that period, the Office of the Data Protection Commissioner (ODPC) issued a cautionary statement on sharing of personal data. The ODPC advised against ‘sharing of personal information which infringes on individuals’ right to privacy’ especially for a ‘certain category of citizens through social media platforms’. In my view, the cautionary statement was spot on especially on the sharing of contact information of persons who are not public figures and have not acted to make their contact details public. Unfortunately for the ODPC the statement was issued during a highly charged atmosphere of #RejectFinanceBill2024.

Kenyans on social media perceived the cautionary statement as the ODPC seeking to limit the process of seeking accountability from MPs. Kenyans on X (Twitter) went as far as doxing the Data Commissioner in retaliation. If complaints have been made to the ODPC on the June 2024 trend of ‘wacha tumsalimie’ it will be interesting to watch how the ODPC and eventually the courts balance between privacy rights of public officials and the need to take them to account for actions or omissions while they are in public office.

Still on the right to privacy and the Data Protection Act, I watched in awe and horror as Kenyans easily extracted personal data from digital records held by statutory and constitutional institutions. In strict interpretation of the Data Protection Act, a long list of public institutions suffered data breaches in June 2024. Have the breaches been reported to the ODPC? How will the ODPC deal with these breaches if not reported? Are the breaches and indication of systemic noncompliance with data protection regulations and cybersecurity standards? If so, will public institutions shape up after June 2024? My take is that there must be cybersecurity and data protection audits of public institutions in the wake of June 2024 developments.

June 2024 also witnessed a wave of abductions last seen during the President Moi ‘error’. What was curious for me is how the abductors could easily trace their abductees. The rumour mill on social media has it that utility and mobile service companies freely shared data with the abductors or the abductors had unfettered access to data held by these companies. Of course, the companies have come out to openly refute such claims. How the ODPC and the courts handle such allegations might potentially set precedent for how personal data of Kenyans should be shared between private and public actors.

On another issue, Kenyans used the power of social media to unmask police officers and ‘goons’ who acted to unleash violence on peaceful protestors. While State agencies sought to protect the identity of the police officers, Kenyans using CCTV footage, social media photos and video footage, and footage from media houses were able to reveal the identity of perpetrators of violence. Social media content was also used to deconstruct narratives especially those pushed by State actors. The ball in now on the Independent Policing Oversight Authority (IPOA) court to objectively use the social media content to bring rogue officers to account.

Another action by the State that perhaps shocked most was the internet shutdown of 25^th June 2024. Never in my wildest dream did I imagine that Kenya would experience and internet shutdown under such circumstances. The claims made by mobile service providers was that the internet shutdown was occasioned by damaged undersea cables. The claims were easily refuted by data from diverse independent sources pointing to the fact that the State shutdown the internet despite assurance by the Communication Authority that it would never happen in Kenya.

The internet shutdown set a dangerous precedent. What State actors often fail to realise is that internet shutdowns not only affect those in opposition of their policies, but also all sectors of the economy. Public and private sector services were negatively impacted. The damage to the social, economic, and political environment is immense. A public inquiry is critical to uncover how exactly the internet shutdown was executed.

On the positive side, Kenyans are now more aware of their digital rights. We are all presented an opportunity to refine and redefine our rights as we exercise them online.