On 5 November 2021, ARTICLE 19 sent a memorandum to the Office of the Data Protection Commissioner in Kenya expressing concern that the Draft Strategic Plan Financial Year 2021-2023 failed to address the complementary nature of data protection with other information rights. It further failed to provide a framework to ensure the Act is implemented in harmony with existing legislation.
The Draft Strategic Plan Financial Year 2021-2023 of the Office of the Data Protection Commissioner Kenya was released in late October 2021 and the Office of the Data Protection Commission held a public multi-stakeholder consultation forum on 27 October 2021 to facilitate discussion between development partners, government, civil society and academia.
ARTICLE 19’s analysis acknowledges and welcomes the positive recommendations of the strategy, in particular the office’s decision to focus on building institutional capacity, providing regulatory services and creating awareness on data protection over the next three years. The strategy also aims to streamline data protection with Kenya’s Big 4 Development Agenda and those set out in the Third Medium Term Plan (2018-2022).
We are, however, concerned that the strategy fails to address key areas such as the complementary nature of data protection with other information rights such as freedom of expression and access to information, and it does not provide a framework to ensure the Act is implemented in harmony with existing legislation. For example, despite there being a need to provide for a definite time for compliance with data access requests, regulation 8 of The Draft Data Protection (General) Regulations released by the ODPC fails to provide such a definite period for which data controllers and processors need to comply with data access requests from a data subject. The Access to Information Act provides that public officers must comply with access requests within 21 days.
Secondly, the strategy fails to prioritise and address the needs of marginalised and vulnerable communities when it comes to creating awareness on data protection. The strategy further fails to address how to implement the provisions on exemption from compliance with the data protection principles as provided under section 51 of the Data Protection Act, which are necessary for development of journalism, literature art, history and research purposes. Presently, the Act provides that processing of data for journalistic purposes, literature and art are only exempt from compliance with the data protection principles and not the substantive provisions of the Act itself. This means that journalists must comply with restrictions on cross border flows or disclosures that may potentially expose confidential information such as journalistic sources or limit the free flow of information.
We therefore recommend the Office of the Data Protection Commission to:
- Issue a guidance note harmonising the Data Protection Act 2019 with the Access to information Act 2016 to ensure the rights of the data subject under Section 26 of the Data Protection Act are realised.
- Expand the scope of self-regulation beyond organisational level to an industrial sector to foster a culture of compliance with the Data Protection Act 2019.
- Include adoption of regional and international frameworks, namely the African Union Convention on Cyber Security and Personal Data Protection and Convention 108+ , as a strategy to achieve this focus area and be used as an indicator in the monitoring and evaluation framework.
- Endorse the African Declaration on Internet Rights and Freedoms that is built on existing African Frameworks. Principle 8 of the Declaration states that everyone has a right to privacy online, including to use available technology to communicate anonymously, and protection of their personal data.
- Prioritise and develop codes of practice on general exemptions, journalistic exemption and exemptions based on Research, History and Statistics, providing practical guidelines on the exemption from compliance with the Data Protection Act and principles respectively.
- Promote interagency cooperation by developing the data-sharing code to guide lawful exchange of personal data between government departments or public sector agencies subject to the Santa Clara Principles on Transparency and Accountability in Content Moderation, as well as the 13 Necessary and Proportionate principles on the application of human rights to communications surveillance.
- Develop an inclusivity strategy that promotes awareness of data protection among vulnerable groups such as persons with disabilities as required under Article 10, 21(3), 27, 31, 54,56 and 57 of the Constitution of Kenya 2010.
For more information please Contact Mugambi Kiai at [email protected], Regional Director for ARTICLE 19 Eastern Africa