In two months, Kenya’s data protection law turns five. Indefatigable advocate and Busia Senator Okiya Omtatah’s 2019 petition challenging the constitutionality of the Data Protection Act (DPA) comes for mention next Wednesday. Given the intense competition to grab Kenya’s lucrative data landscape and repeated personal data breaches, is this petition in the national public interest?
The passing of the Data Protection Act (2019) was preceded by one of the most intense legal and political battles to protect Kenyans from state bullying and privacy rights violations. A Registration of Persons Act miscellaneous amendment kicked off the Huduma Namba and National Integrated Identity Management System (NIIMS) programme in December 2018. By the time the DPA had passed, citizens had been threatened with the withdrawal of immigration, health and telephone services. Our personal data had been unlawfully exposed during the national population census, and the State had toyed with making CCTV cameras mandatory in all public spaces.
The Data Protection Act re-injected life into Article 31 and our constitutional right to privacy. The spirit of the Act is that our personal information must not be secretively and arbitrarily collected, stored, and shared without our express consent. Five years on, Kenya is a trailblazer among 137 out of 195 countries now implementing privacy and data protection laws. While the Act is fundamentally aligned to African and European best practices, the challenges of cyber hacking, machine learning, artificial intelligence and blockchain technology, multinational data mining and transfer to host countries remain.
Public interest litigation suits have invoked the Act to ensure the Government’s national digital ID Huduma Namba and Maisha Namba programmes can protect our personal information. When WorldCoin went on an iris biometric buying spree in 2023, it was the Act that was applied to protect Kenyans. The Act states our personal data cannot be stored, used, sold or transferred abroad without our permission. It gives citizens the power of choice to correct, delete or add data. All organisations must do data protection assessments for all the information they hold and appoint staff to manage data.
Over the last five years, the Office of the Data Protection Commissioner (ODPC) has registered 5,739 data controllers and processors nationwide. They have issued 150 advisories, reviewed 200 impact assessments, addressed 161 data breaches, and resolved 86 percent of the 5,215 complaints referred to them.
Within this context, Omtatah’s petition is not in the public interest. Filed two weeks after the Act was assented to on 8 November 2019, he argues the DPA was not subjected to effective public participation in affected counties and, therefore, should have been adopted as a joint resolution of both the Senate and the National Assembly. While the court will determine the validity of these arguments, it is worth noting that the bill received no less than 700 submissions from the public, businesses and human rights organisations, Amnesty International included.
The DPA and the OPDC also featured in the Communications and Digital Economy Sectoral Working Group report to the ICT Cabinet Secretary two weeks ago. While generally a thoughtful and well-written report that proposes the registration and vetting of Data Controllers and Processors, it seeks to expand the ODPC to a Board of three Commissioners answerable to Parliament.
It is unclear what problem is being solved by this recommendation. Given the importance of the DPA for Article 31, the ODPC should be modelled as a constitutional commission and remain appointed by the President following an open, competitive recruitment process by a selection panel. Does the Kenyan taxpayer need more expensive jobs and overheads? Will a politically accountable ODPC increase or erode business and public confidence in a regulator? If the Act is declared constitutional, what implications would this have for all penalties that have been paid by violators and the massive public investment in the ODPC to date?
While Omtatah’s petition has been overtaken by events and is best withdrawn, Parliament must resist new attempts to undermine the Office of the Data Protection Commissioner’s independence.
Irũngũ Houghton is Amnesty International Kenya Executive Director and writes in his personal capacity. Email: [email protected]