What awaits the Data Protection Commissioner
In the next few weeks (hopefully), Kenya will have its first Data Protection Commissioner. Operationalisation of the Data Protection Act, 2019 has been pending for over seven months. With the appointment of a Data Commissioner, Kenyans will have the institutional framework required for enforcement of data subject rights provided for under the Data Protection Act and in effect guarantee the right to privacy as protected by Article 31 of the Constitution.
Appointment of a Data Protection Commissioner will be the start to a long and complicated journey in enforcing data protection principles in Kenya. Section 8 of the Data Protection Act, 2019 sets out the functions of the Data Protection Commissioner which include –
‘overseeing the implementation of and be responsible for the enforcement of the Act; establishing and maintaining a register of data controllers and data processors; exercising oversight on data processing operations, either of own motion or at the request of a data subject, and verifying whether the processing of data is done in accordance with the Act; promoting self-regulation among data controllers and data processors; conducting an assessment, on its own initiative of a public or private body, or at the request of a private or public body for the purpose of ascertaining whether information is processed according to the provisions of the Act or any other relevant law; receiving and investigating any complaint by any person on infringements of the rights under the Act; taking such measures as may be necessary to bring the provisions of the Act to the knowledge of the general public; carrying out inspections of public and private entities with a view to evaluating the processing of personal data; promoting international cooperation in matters relating to data protection and ensure country’s compliance on data protection obligations under international conventions and agreements; and undertaking research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals.’
In my view the following are key sticky issues that will make or break the office of the Data Commissioner –
One, the independence of the Data Commissioner. The Office of the Data Protection Commissioner is not a Chapter 15 Constitutional Commission or Independent Office and it is for this reason that the Data Protection Commissioner does not have protection of Article 249(2)(b) of the Constitution which states:
‘the commissions and the holders of independent office… are independent and not subject to direction or control by any person or authority.’
Further, Section 5(5) of the Data Protection Act states that the Data Commissioner shall, in consultation with the Cabinet Secretary, establish such directorates as may be necessary for the better carrying out of the functions of the Office. I find this problematic. The Commissioner is not in the strict sense a statutory independent body and the Cabinet Secretary has a role in the operations of the Office of the Data Commissioner. Hence, I foresee a situation where the Data Commissioner will seek to establish operational and functional autonomy and the Cabinet Secretary will refer to Section 5(5) of the Act indicating that they have a role in how the Office functions. Ideally, the Act should have had a provision that states –
‘The Data Commissioner is independent and not subject to direction or control by any person or authority’.
Perhaps this was an oversight, or perhaps it was intentional, in the drafting of the Act.
Second, funding will pose a challenge. Just like any other new statutory body in Kenya, funding is hardly provided for in advance. So, the Office of the Data Commissioner may take months to get funding for operations from the exchequer. It becomes a greater challenge where the funding is pegged on approval by the State Department the Data Commissioner falls under.
Even with funding, an analysis of data protection authorities across the world indicates that data protection authorities are generally underfunded and are not able to effectively carry out their mandates. With limited funding, data protection authorities are constrained in attracting good personnel. Such personnel include legal experts, forensic investigators, ICT experts, data analysts, among others. For our Data Commissioner, this will probably be solved by having the Cabinet Secretary second staff to the Office, further complicating the independence challenge I have highlighted above.
Three, formulation of regulations under the Act. It is key to note that Section 71 of the Act mandates the Cabinet Secretary to make regulations generally for giving effect to the Act. No statutory role is contemplated for the Data Commissioner in the formulation of Section 71 regulations. Again, this is another potential conflict zone between the Data Commissioner and the Cabinet Secretary. Ideally, the provision ought to have been formulated as follows –
‘The Cabinet Secretary may after advice by/in consultation with the Data Commissioner make regulations generally for giving effect to this Act, and for prescribing anything required or necessary to be prescribed by or under this Act.’
It is a wait-and-see situation as to how this will pan out. Perhaps the Cabinet Secretary already has regulations to operationalise the Act in draft form in anticipation of the appointment of the Data Commissioner. In Kenya though, we have experienced situations where operationalisation of a statute is hampered for long periods of time for lack of rules or regulations.
The Act has provisions where the Data Commissioner is to prescribe certain matters, including thresholds required for mandatory registration of data controllers and data processors; further details for application of registration by data controllers or data processors; further categories of personal data which may be classified as sensitive personal data; instances where compliance with certain provisions of the Act may be exempted; and dealing with complaints. The Data Commissioner should hit the ground running and ensure matters they are to prescribe under the Act are in place as soon as possible.
Four, the volumes of complaints made may overwhelm the Data Commissioner, especially if the issues I have highlighted above are not remedied. On this, it will be crucial how the Commissioner handles complaints. Section 9 of the Act gives powers to the Commissioner to facilitate conciliation, mediation and negotiation on disputes arising from the Act. This is however not a guarantee that parties will be satisfied with decisions of the Commissioner. The Commissioner may find themselves overwhelmed by appeals made to the High Court. Without sufficient funds to hire/appoint competent legal practitioners, operations at the Office of the Data Commissioner may grind to a halt.
Five, in relation to the complaints’ mechanism, is the enforcement mechanism of sanctions meted out by the Commissioner. EU data protection authorities have been under fire for not issuing sanctions that are punitive enough or commensurate to data protection breaches occasioned by data controllers and data processors. How the Kenyan Data Commissioner will perform especially in the initial days in providing strong deterrent or punitive sanctions will determine the future of data protection regulation in Kenya.
Six, regulating international data controllers and data processors, especially those that are not registered in Kenya, will be problematic; this is coupled with the regulation of cross-border data transfers. How will the Data Commissioner deal with companies such as Twitter, Facebook, Instagram and Google? To illustrate this dilemma, the Irish Data Protection Authority has been under constant fire for not acting against Facebook for alleged violations of the EU GDPR.
Lastly, how will the Data Commissioner deal with Section 51 of the Act that provides exemptions to regulation under the Act for processing of data for national security or public interest purposes? As we have seen above, the Cabinet Secretary will make most of the regulations under the Act. However, notwithstanding the fact that exemptions in processing of data for public interest purposes are widely accepted, a data protection authority ought to provide guidance to public bodies. Will the Data Commissioner provide guidance on processing of data for national security or public interest purposes? Will public bodies undertaking such processing comply with guidance from the Data Commissioner?
It is not all gloom for what awaits the Data Commissioner. But an analysis of how data protection authorities around the world have fared brings into focus the issues highlighted above. My hope is that the Data Commissioner will prosper where other data protection authorities have faced immense challenges.