Reflecting on Recently Published Regulations under the Data Protection Act, 2019
Three Regulations under the Data Protection Act, 2019 have been published: the Data Protection (General) Regulations, 2021, the Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. The National Assembly is to consider the Regulations and, if there is no objection by the relevant National Assembly Committee, the Regulations will come into effect; the Committee has 28 days from the date the Regulations are referred to it.
It has been more than two years since the enactment of the Data Protection Act; thus, the publication of the Regulations is something of a move in the right direction. Between March and May 2021, the ICT Ministry and the Office of the Data Protection Commissioner (ODPC) subjected the initial drafts of the Regulations to public participation. The published Regulations are an improvement on the initial drafts. What is curious about the process is that no revised drafts were ever presented to the public for scrutiny. Questions will arise before the National Assembly Committee as to whether the ICT Ministry and ODPC carried out sufficient public engagement on the documents.
With these Regulations, Kenya has the opportunity to have data protection laws that capture the essence of the right to privacy and adequately deal with contemporary challenges relating to data protection. While the focus is on a data subject's right to privacy, the regulations should not be onerous on actors in the private and public sectors; they must make operational sense. We must not let the opportunity to have the most contemporary data protection regulations on the continent slip away. Below I share my reflections on each of the Regulations.
The Data Protection (General) Regulations, 2021
These provide for enabling the rights of a data subject, restriction on the commercial use of data, obligations of data controllers and data processors, elements to implement data protection by design and by default, notification of personal data breaches, transfer of personal data outside Kenya, data protection impact assessment, and exemptions under the Data Protection Act.
On enabling the rights of a data subject, one challenge that sticks out is that a data subject will be required to fill in forms to exercise their data subject rights. A data subject will need to fill in forms for restricting processing of their personal data, objecting to processing of personal data, requesting access to personal data, requesting to have personal data rectified, requesting data portability, and seeking erasure of data. In my view this creates an excessive bureaucratic process for both a data subject and a data controller/processor. A data subject ought simply to be able to make a request to a controller or processor; this may be done through a letter, an email, or even an oral request.
On restriction on the commercial use of data, Regulation 15 (4) states that “a data controller or data processor who uses personal data for commercial purposes without the consent of the data subject commits an offence and is liable, on conviction, to a fine not exceeding twenty thousand shillings or to a term of imprisonment not exceeding six months, or to both fine and imprisonment”.
As the Act does not grant the ODPC powers to issue prison terms, this Regulation will have to be enforced through the criminal court process. This raises the question of why the Regulations would bring the criminal court process into matters such as the commercial use of personal data. The consideration of complaints relating to the commercial use of personal data ought to be exclusively within the powers and functions of the ODPC. Another question is whether the fine and prison term relate to a single breach against an individual data subject or to a breach against a group of data subjects. Whichever way you look at it, the penalty is excessively low, and the process doesn't make sense.
Regulations on obligations of data controllers and data processors ought to have dealt with challenges such as emerging technology and data protection. The Regulations are quite basic and would not adequately deal with current and future developments in the digital economy, artificial intelligence, and the metaverse to mention but a few.
The Regulations are silent on situations where there are joint data controllers and joint data processors. Further, they provide for a data protection policy. Here the challenge is that they do not distinguish between data protection policies and privacy notices. The Regulations do, however, provide for how a data subject may exercise their data subject rights. Hopefully, this will allow for representative complaints and lawsuits arising out of the Act.
I find it odd that the Regulations have listed the categories of data that are to be considered where there is a data breach. The list is problematic because categories of data evolve with advances in technology. For example, there is technology that collects emotional/psychological profiles of individuals, and these are not captured on the list.
While the Regulations somewhat clarify how the transfer of data outside Kenya may be done, they do not define the process and what is to be considered when the ODPC is contemplating making an adequacy decision. Since adequacy decisions have political overtones, it is key that the Regulations be clear on the adequacy decision-making process.
Binding corporate rules are provided for under the Regulations. However, I would have expected the Regulations to also provide for other alternatives such as standard contractual clauses and data protection certification standards.
The requirement for specified processing to be done in Kenya remains within the powers and functions of the Cabinet Secretary, an indication that there are too many centres of power dealing with data protection regulation in Kenya. On the bright side, the list of personal data that must be processed in Kenya, or of which a copy must be retained in Kenya, has grown shorter. I also find it problematic that it is the Cabinet Secretary who is to consider exemptions for national security.
I expected that the Regulations would provide for a clear process within which the ODPC may issue guidelines or codes of practice or develop sector-specific guidelines. I also expected that the Regulations would provide for personal data inventories, records of processing operations, and data protection officers.
The Data Protection (Complaints Handling and Enforcement Procedures) Regulations, 2021
These provide for the procedure for lodging, admitting, and responding to complaints, as well as enforcement provisions. They are also heavy on the filling in of forms by data subjects. The process ought to be as simplified as possible. The major gap in these Regulations is that they do not provide for how data controllers and processors would establish and execute in-house complaints handling mechanisms. Nonetheless, the Regulations would in my view adequately guide complaints handling and enforcement procedures.
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
On registration, the Regulations have simplified the process. Registration certificates will be valid for two years. They also provide that “a data controller or data processor is exempt from mandatory registration under these Regulations where the data controller or data processor— has an annual turnover of below five million shillings or annual revenue of below five million shillings; and has less than ten employees”.
If you are carrying out any of the following businesses, then registration is compulsory: canvassing political support among the electorate; crime prevention and prosecution of offenders (including operating security CCTV systems); gambling; operating an educational institution; health administration and provision of patient care; hospitality industry firms, excluding tour guides; property management, including the selling of land; provision of financial services; telecommunications network or service providers; businesses that are wholly or mainly in direct marketing; transport services firms (including online passenger hailing applications); and businesses that process genetic data.
The registration fees set out under the Regulations seem reasonable on the face of it but may be a challenge to micro, small and medium enterprises.