Engagement in the Use of Meta Platforms

A KICTANet Thought Leadership Series.
Date: 28 June 2022.
Venue: Sarova Panafric Hotel.


KICTANet and Meta will host an interactive thought leadership roundtable for stakeholders in Kenya to highlight emerging concerns arising from the use of Meta’s Platforms in Kenya. This event is a follow-up meeting to a successful event held on 29th March 2022 with civil society at Sankara Hotel.


Meta manages data of more than 3 billion users worldwide spanning different age gaps, races, political inclinations, nationalities, genders and religious persuasions. It also processes approximately 1 million gigabytes of data every single day through its platforms such as Facebook, Instagram and WhatsApp, making the company one of the largest data collectors and processors globally.

There has been widespread concern over how Meta collects and processes personal data and whether the company has sufficient safeguards to guard against data breaches and violations of the right to privacy. Indeed, the colossal fines against the company over privacy violations in Europe, have led to unease, especially in Africa where data protection is either non-existent or new. In Kenya, concerns over the data breaches such as the Cambridge Analytica Scandal and the increased cases of psychological profiling, surveillance, and targeted advertising remain.

Similarly, there is limited understanding of the company’s community standards or guidelines applied across its products and services. Civil society actors have raised concerns about the increasing cases of harmful content such as hate speech, online violence, misinformation, and disinformation on the platforms; the inaction of the platforms to address harmful content; the gaps in the application of community standards; enforcement of community standards; ineffectiveness of content moderation practices; and the limited transparency and accountability on content moderation. Indeed, the increase of harmful content presents risks to Kenya’s upcoming general election scheduled for August 2022. Collectively viewed, these challenges affect the realisation of fundamental rights and freedoms such as freedom of expression, assembly, association, and the right to privacy.

One of the key recommendations from the convening held in March was for regular engagement of key stakeholders with Meta and other social media platforms. Such engagements could provide a useful platform for dialogue and feedback and better coordination between Meta and local digital rights activists, civil society, and opinion shapers. It also provides a unique opportunity to have a shared understanding of the challenges faced on Meta platforms and to develop strategic recommendations for action.

Objectives of the Roundtable Series

The objective of the roundtable series is to provide platforms for dialogue and engagement on the concerns and challenges arising from the use of Meta’s platforms in Kenya and to identify priority actions, potential solutions, and best practices moving forward.

Expected Outcomes

  • Enhanced understanding and engagement on the concerns and challenges arising from the use of
  • Meta’s platforms in Kenya; and, Identified priority actions, potential solutions, and best practices.

Format of the Events

The events shall be three workshops in three thematic half-day sessions with stakeholders. It is proposed that the first event takes place during the KIGF Week scheduled for June 27-30, 2022. KICTANet and Meta shall agree on the time frames for the other two events.


Each meeting will aim to bring together at least 40 multistakeholders, including business, academia, technical community, digital rights activists, representatives of CSOs working on digital rights, human rights defenders, and other opinion-shapers who influence conversations both online and offline, to enhance partnerships, sharing of knowledge and emerging best practice.

About KICTANet

KICTANet is a multistakeholder platform for people and institutions interested in ICT policy. The network acts as a think tank that catalyses policy reforms in the ICT sector, and it is guided by four pillars: policy advocacy, stakeholder engagement, capacity building, and research. KICTAnet’s guiding philosophy encourages synergies for ICT policy-related activities and initiatives. As such, the network provides mechanisms and a framework for continuing cooperation and collaboration in ICT matters among industry, technical community, academia, media, development partners, and Government.

Draft Agenda

08:00 – 08:30Arrival and RegistrationKICTANet Team
08:30 – 08:45Opening and Welcome Remarks
Grace Githaiga, KICTANet
Mercy Ndegwa, Meta Platforms Inc
08:45 – 9:00Agenda Setting and ObjectivesKICTANet / Meta Team
09:00 – 10:00Meta Privacy 101
An overview of how we approach privacy at Meta

 – Ololade Shyllon, Meta Platforms Inc

Moderator: Victor Kapiyo
10:00 – 11:00Privacy and Elections
Examining  tools and policies to protect privacy in elections
              Q & A
Moderator: Victor Kapiyo
11:00 – 11:20Tea Break
11:20 – 12:30Panel Discussion: Concerns and Challenges to Online Privacy in Kenya –  

Berhan Taye, Internews
Catherine Muya, ARTICLE 19 Eastern Africa 
Francis Monyango, Strathmore CIPIT
Mugambi Laibuta, Advocate of the High Court
Moderator: Bridget Andere, Access Now
12:30 – 12:45Recommendations and Next Steps KICTANet / Meta Team
12:45 – 13:00Wrap Up and Closing Session
13:15 – 14:00Lunch Break

Privacy and Data Protection for Women roundtable

Date: Monday, 27th June 2022
Place: Four Points by Sheraton


KICTANet in partnership with GIZ will host three interactive discussions as part of the Strengthening Women’s Safety Online: Digital Security and Data Protection Training and Awareness Raising for Women in Kenya. 

Launch of Policy Brief

Kenya’s Data Protection Act 2019 and Article 31 of the Constitution of Kenya, 2010 form the pillars of the country’s data protection and privacy regime. KICTANet has noted the vital role of social media in our daily lives. However, for women, being online can make them prone to data breaches which go on to form a basis for vicious cycles of cyberbullying and attacks. In fulfilling KICTANet’s pillar of research and advocacy, KICTANet has conducted research on data protection and privacy from a gender perspective. The Policy Brief will be launched and its findings and recommendations will be shared with stakeholders.

Community of Practice Event: Digital Enquirer Kit

Finally, KICTANet has been extensively involved in the development of Module 5 of the Digital Enquirer Kit on Online Gender-Based Violence. This discussion will center on the link between the concept of gender and power dynamics, the various forms of OGBV, their harm, and tips to keep yourself safe online. We will also discuss Kenya’s experience of Online Gender-Based Violence, necessary policy and legal interventions, and digital safety skills to keep yourself safe online.

Event Program

        TIME                            DESCRIPTION
8:00 am – 8:30 amArrival and RegistrationKICTANet
8:30 am – 8:45 am  Welcome and Introductions Grace Githaiga KICTANetTevin Mwendwa, GIZ
8:45 am – 9:00 amAgenda Setting and Objectives  Liz Orembo/Angela Minayo, KICTANet
9:00 am – 10:30 amLaunch of Policy Brief of Data Protection and Privacy in Kenya form a Gender PerspectivePresentation of the Policy Brief and the concerns on data protection and privacy for women – Tevin Mwendwa, GIZProf. Sylvia Kang’ara – Key Findings and Recommendations from the Policy Brief, KICTANet Launch of the Policy Brief – Immaculate Kassait, MBS,Office of the Data Protection Commissioner
10:30 am – 11:00 amHealth break
11:00 am – 12:00 pmRoundtable Discussion- Impact of Elections on Women’s Privacy and Data Protection
Data Protection and Privacy Challenges for Women politicians; Meta’s Approach  –  Dr. Ololade Shyllon MetaExperiences in Kenya on data protection for women during elections – Elog/Amnesty/Siasa PlaceDigital Security and Data protection for women political actors during election – Liz Orembo, KICTANet
12:00 pm – 1:00 pmPlenary Session 
1:00 pm – 2:00 pmLunch Break
2:00 pm – 2:45 pmAn Introduction to the GIZ Digital Enquirer Kit (DEK)Angela Minayo and Liz Orembo, KICTANet
2:45 pm – 4:15 pmPresentation of the Module Riva Jalipa, KICTANet
4:15 pm – 4:30 pmKenya’s Experience with Online Gender Based ViolenceNerima Wako – Executive Director, Siasa Place
4:30 pm – 4:45 pmFeedback session on the Module, QnA
4:45 pm – 5:00 pmClosing SessionLiz Orembo, Angela Minayo
5:00 pm –Tea/CoffeeGuests leave at their own pleasure

Dissemination of Country Reports: Data Governance and Disinformation Pathways

Date: Wednesday 29th June 2022, 8.30 am to 1.00 pm.
Place: Panafric Hotel.

KICTANet in Partnership with CIPESA conducted two research projects on Data Governance and Disinformation Pathways. This event will form part of our dissemination efforts as well as policy advocacy for the effective implementation of digital rights policies in Kenya. Through this exercise, KICTANet also aims to map out areas for further research and collaboration.

Disinformation Pathways Study
This study was part of 5 African country reports on disinformation(Cameroon, Ethiopia, Kenya, Nigeria, and Uganda). The Kenya country study was conducted in the period of June-December 2021. It highlights the main factors around periods of political contestation such as elections and anti-government protests, as well as those that are related to hate speech. The aim was to understand the nature, perpetrators, strategies, and pathways of disinformation, and its effects on democracy actors including civil society, bloggers, government critics, and activists. Further, the study documented the adequacy and effectiveness of remedial measures by platforms, as well as government responses to disinformation.

Data Governance
KICTANet and CIPESA conducted a survey on the governance of personal data during the Covid-19 pandemic. The research focused on data collection and processing by the government geared towards tackling the pandemic, documenting citizen experiences during these exercises. The study makes recommendations on a framework for data governance during public health crises. The findings of the research will form part of KICTANet’s engagement programs with the newly appointed Data Protection Commissioner and her office.

Event Program

8:30 am – 9:00 amArrival and RegistrationKICTANet
9:00 am – 9:20 amWelcome and Introductions ParticipantsParticipants
9:20 am – 10:00 amDisinformation Pathways, presentation of findings by researchersJune Okal, Wambui Wamuyu
10:00 am – 10:30 amDiscussions, Q&AsParticipants
10:30 am – 11:00 amHealth Break
11:00 am – 11:20 pmIntroduction to Data Governance ReportGrace Githaiga, Liz Orembo
11:20 pm – 12:00 pmPresentation by ResearchersMutindi Muema
12:00 – 12:30Discussions, Q&AsParticipants
12:30 pm – 2:00 pmLunch

Data Privacy Day 2020: 4 Good Things in Kenya’s Data Protection Act, 2019

Photo by Lukas Blazek on Unsplash

By Francis Monyango.

Today is the 28th of January. Data Protection Day or Privacy Day. The day when we all commemorate the 1981 signing of the Council of Europe’s Convention 108 for the Protection of Individuals with regard to automatic processing of personal data, quite a mouthful.

While it is was initially a European celebration, data privacy is now a global issue and we now have a reason to celebrate Data Protection Day in Kenya. The Kenyan Data Protection Bill assented to the law on the 8th of November, 2019 and its date of commencement was on the 25th of November, 2019. This is Kenya’s first data protection law, promulgated 9 years later after the Constitution which enshrines the right to privacy in Article 31. The Data Protection Act law gives effect to article 31(c) and (d) which recognize the people’s right to informational privacy. 

In recent times, privacy concerns among Kenyans have included the arbitrary misuse of personal information, unsolicited marketing messages by entities and the need for identification at entrances of buildings. Therefore, on this auspicious Data Protection Day, we want to highlight 4 good things in the Data Protection Act.

Gives people control

The Data Protection law came with new names and rights for people. The Act defines Data subject as a natural person whose personal information is processed. The rights in the Act include the right to be informed on the use of their data and the right to access their data which is in custody of the data controller or processor. Other data subject rights include the right to object to the processing of their data, the right to correction and the deletion of false or misleading data about them. 

Data subjects are supposed to give informed consent to data processing. For them to give informed consent, they need to understand all privacy-related agreements which means these agreements have to be written in plain language. With informed consent, a data subject can know which types of data processing they can opt-in and out of.

Independent Data Commissioner

Another goodie in the Data Protection Act is the office of the Data Protection Commissioner. (It is yet to be set up but it is a huge leap to accountability). This commissioner will oversee the implementation of the Data Protection Act and its enforcement. The Data Commissioner will have to establish and maintain a register of data controllers and processors and exercise oversight on their data processing operations. Sometimes the Data Commissioner may have to conduct an assessment on a public or private body on its own initiative or at the request of a private or public body. Because of the nature of the role, we hope the Data Commissioner will be independent. The Commissioner will also be required to investigate complaints from any person on infringements of the Act and action taken.

Obligations to Data Controllers and Processors

The Data Protection Act christens entities that collect and use personal information data controllers and processors. These two entities now have new obligations. They are required to ensure that personal data is processed in accordance with the right to privacy of the data subject. The data processing has to be lawful, transparent and limited to what is necessary. Data processors and controllers are supposed to collect data for explicit, specified and legitimate purposes. The processing should not be incompatible with the agreed purposes. 

The Act prohibits data transfer outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject. Other duties are to keep the data anonymous and to exercise privacy by design in their data processing systems. The Act requires entities to be transparent and accountable in their privacy practices and in the unfortunate event of a breach. In the event of a breach, data handlers must do their best to contain the harm, give appropriate support to help those affected, and ensure timely notification of any violations to the Data Commissioner. 

Works Globally

The world is now a global village that is connected and the Act is not rigid in its requirements for cross border data transfer. A data controller or processor is allowed to transfer personal data to another country only where they have proved to the Data Commissioner the other country has appropriate security and data protection safeguards. For the processing of sensitive personal data outside Kenya, this was to be after obtaining the consent of the data subject and confirmation of appropriate safeguards in the destined nation.

This section initially required data controllers and processors to get consent from every data subject but Members of Parliament during legislation felt it would be ambiguous for an entity like the electoral body with servers outside Kenya to get consent from every voter, hence delegating the role to the Data Commissioner. This section enables interoperability between different jurisdictions while protecting the privacy of personal information without undermining the Internet’s global nature.

There are many other good things in the Act that I have not mentioned. However, I have to acknowledge that the law was drafted collaboratively, in the spirit of public participation. Stakeholders such as KICTANet, CIPIT, Article 19, KEPSA gave their views and the National Assembly ICT Committee considered all their points in the report that they tabled in parliament during the legislation.

The next big challenge is the implementation of the law. Will 2020 be a decade of privacy compliance by Kenyan entities? Will we celebrate Data Protection Day 2021 with a Kenyan Data Commissioner? Only time will tell.