ARTICLE 19 Eastern Africa is concerned by provisions in the draft Data Protection (General) Regulations 2021 (draft (General) Regulations), as well as the existence of significant gaps in the draft (General) regulations, which risk impacting media freedom and the right to access information in Kenya. Bearing this in mind, we urged the Ministry of Information, Communication, Technology, Innovation and Youth Affairs (ICT Ministry) and the Office of the Data Commissioner (ODPC) to amend these provisions.
The draft General Regulations were proposed in April 2021 and ARTICLE 19 Eastern Africa responded in May 2021. Once adopted, these regulations will enable the practical implementation of Kenya’s Data Protection Act, adopted in 2019 to give further effect to the right to privacy under Article 31 of the Constitution. Among ARTICLE 19’s concerns are the failure to include time limits for data controllers/processors to process information, as well as the inclusion of broad national security exemptions. Under international law, any restrictions on the right to know must be legal, legitimate, necessary, and proportionate.
Commenting on the draft (General) Regulations, Mugambi Kiai, Regional Director at ARTICLE 19 Eastern Africa, said:
“Data protection does not operate in a lacuna, and the ICT Ministry and the ODPC must balance informational privacy with other human rights under the Constitution. For example, failing to include time limits for data controllers/processors to respond to data access requests runs counter to Article 35 of the Constitution promoting the right to access information. We hope that the draft (General) Regulations will be amended to reflect stakeholders’ concerns, before they take effect.”
ARTICLE 19 Eastern Africa is further concerned that the draft (General) Regulations expand the national security exemption, but fail to accord the same treatment to the journalistic, literary, research and artistic exemptions under Part VII of the Data Protection Act, 2019. To ensure a proper balance is struck between the co-equal rights to freedom of expression and informational privacy (data protection), we call on the ICT Ministry and the Office of the Data Commissioner to expand the draft (General) Regulations to cater for these exemptions.
ARTICLE 19 Eastern Africa recommends that the draft Data Protection (General) Regulations 2021 and the Data Protection Act, 2019 be amended to ensure:
- responses to data access requests by data controllers/processors are accompanied by a time limit to promote the right to access information within a reasonable time under Article 35 of the Constitution;
- the wide grounds permitting a data controller/processor to refuse to comply with a data access request are amended and aligned with the permissible limitations of the right to know under national, regional and international law;
- the deletion of the provision attempting to expand the national security exemption by focusing on national security organs, rather than properly-defined national security purposes;
- amendments to the draft Regulations and the DPA 2019 to ensure that the journalistic exemption provision is expanded beyond data protection principles to canvass other crucial substantive and administrative provisions; and
- the conditions for consent under Section 32 of the Data Protection Act 2019 (DPA 2019) clearly spell out the requirement for data controllers/processors to identify themselves to data subjects and clearly identify the purpose or purposes of their proposed processing of personal data prior to such data being processed.
Read ARTICLE 19’s detailed concerns: ARTICLE 19 Eastern Africa – Memorandum – Draft Data Protection Regulations (11.05.2021)