Data Privacy Day 2020: 4 Good Things in Kenya’s Data Protection Act, 2019

Photo by Lukas Blazek on Unsplash

By Francis Monyango.

Today is the 28th of January. Data Protection Day or Privacy Day. The day when we all commemorate the 1981 signing of the Council of Europe’s Convention 108 for the Protection of Individuals with regard to automatic processing of personal data, quite a mouthful.

While it is was initially a European celebration, data privacy is now a global issue and we now have a reason to celebrate Data Protection Day in Kenya. The Kenyan Data Protection Bill assented to the law on the 8th of November, 2019 and its date of commencement was on the 25th of November, 2019. This is Kenya’s first data protection law, promulgated 9 years later after the Constitution which enshrines the right to privacy in Article 31. The Data Protection Act law gives effect to article 31(c) and (d) which recognize the people’s right to informational privacy. 

In recent times, privacy concerns among Kenyans have included the arbitrary misuse of personal information, unsolicited marketing messages by entities and the need for identification at entrances of buildings. Therefore, on this auspicious Data Protection Day, we want to highlight 4 good things in the Data Protection Act.

Gives people control

The Data Protection law came with new names and rights for people. The Act defines Data subject as a natural person whose personal information is processed. The rights in the Act include the right to be informed on the use of their data and the right to access their data which is in custody of the data controller or processor. Other data subject rights include the right to object to the processing of their data, the right to correction and the deletion of false or misleading data about them. 

Data subjects are supposed to give informed consent to data processing. For them to give informed consent, they need to understand all privacy-related agreements which means these agreements have to be written in plain language. With informed consent, a data subject can know which types of data processing they can opt-in and out of.

Independent Data Commissioner

Another goodie in the Data Protection Act is the office of the Data Protection Commissioner. (It is yet to be set up but it is a huge leap to accountability). This commissioner will oversee the implementation of the Data Protection Act and its enforcement. The Data Commissioner will have to establish and maintain a register of data controllers and processors and exercise oversight on their data processing operations. Sometimes the Data Commissioner may have to conduct an assessment on a public or private body on its own initiative or at the request of a private or public body. Because of the nature of the role, we hope the Data Commissioner will be independent. The Commissioner will also be required to investigate complaints from any person on infringements of the Act and action taken.

Obligations to Data Controllers and Processors

The Data Protection Act christens entities that collect and use personal information data controllers and processors. These two entities now have new obligations. They are required to ensure that personal data is processed in accordance with the right to privacy of the data subject. The data processing has to be lawful, transparent and limited to what is necessary. Data processors and controllers are supposed to collect data for explicit, specified and legitimate purposes. The processing should not be incompatible with the agreed purposes. 

The Act prohibits data transfer outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject. Other duties are to keep the data anonymous and to exercise privacy by design in their data processing systems. The Act requires entities to be transparent and accountable in their privacy practices and in the unfortunate event of a breach. In the event of a breach, data handlers must do their best to contain the harm, give appropriate support to help those affected, and ensure timely notification of any violations to the Data Commissioner. 

Works Globally

The world is now a global village that is connected and the Act is not rigid in its requirements for cross border data transfer. A data controller or processor is allowed to transfer personal data to another country only where they have proved to the Data Commissioner the other country has appropriate security and data protection safeguards. For the processing of sensitive personal data outside Kenya, this was to be after obtaining the consent of the data subject and confirmation of appropriate safeguards in the destined nation.

This section initially required data controllers and processors to get consent from every data subject but Members of Parliament during legislation felt it would be ambiguous for an entity like the electoral body with servers outside Kenya to get consent from every voter, hence delegating the role to the Data Commissioner. This section enables interoperability between different jurisdictions while protecting the privacy of personal information without undermining the Internet’s global nature.

There are many other good things in the Act that I have not mentioned. However, I have to acknowledge that the law was drafted collaboratively, in the spirit of public participation. Stakeholders such as KICTANet, CIPIT, Article 19, KEPSA gave their views and the National Assembly ICT Committee considered all their points in the report that they tabled in parliament during the legislation.

The next big challenge is the implementation of the law. Will 2020 be a decade of privacy compliance by Kenyan entities? Will we celebrate Data Protection Day 2021 with a Kenyan Data Commissioner? Only time will tell.

Trump’s new travel rules. To check-in, or not to check-in the laptop?

Written by Mwendwa Kivuva 

Humans have been traveling across the globe even before borders were drawn for reasons ranging from business, exploration, social, medical, education, and migration. After 9/11, traveling became more complex with tight Visa rules, military grade screening of passengers, and increased surveillance. The latest casualties of these tight measures are ICT savvy travelers.

In March 2017, The US and Britain introduced new regulations for flights[1] from Middle East, and Africa. The regulations ban passengers from carrying large electronic devices citing security concerns. The countries affected[2] were Jordan, Egypt, Turkey, Saudi Arabia, Qatar, Kuwait, Morocco and the United Arab Emirates. The circular from the US homeland security read:

These enhancements apply to 10 specific airports. The affected overseas airports are: Queen Alia International Airport (AMM), Cairo International Airport (CAI), Ataturk International Airport (IST), King Abdul-Aziz International Airport (JED), King Khalid International Airport (RUH), Kuwait International Airport (KWI), Mohammed V Airport (CMN), Hamad International Airport (DOH), Dubai International Airport (DXB), and Abu Dhabi International Airport (AUH).

With the new regulations, any device bigger than a hand help phone should be put in the checked-in luggage, and not carried onboard by the passenger. The listed devices are laptops, tablets, e-Readers cameras, Portable DVD players, and electronic game units larger than a smartphone, travel printers, and scanners.

In the age of Snowden and Wikileaks, these regulations pose a cyber security risk. It gives a window of opportunity for anybody targeting data in the devices to get access to the checked-in devices, usually a laptop. The checked-in laptops of persons of interests will either be cloned, or disappear altogether. A federal agent will mark the luggage of the person of interest, and along the several luggage transfer chain, locate it and remove the laptop and clone the hard disk getting away with a wealth of data. This process can be done by either physically removing the hard disk, using a live CD like Tails[3] to copy the contents of the laptop, or just crack the user account and gaining access to the laptop. This may sound far fetched, but federal agents have been known to go to great lengths to access information they deem necessary in their work.

Airlines have started being creative to help their clients experience the same convenience they are used to. For example, Emirates Airlines has introduced two services to it’s clients[4], a laptop handling service that lets clients use their devices until before boarding, and complimentary laptops for business and first class customers, where the customers are given Microsoft Surface 3 tablets to work onboard. Although this does not remove the security concerns mentioned above, it gives those who can afford a window to be productive while flying.

How do you secure your data while traveling?
The Electronic Frontier Foundation[5], an international non-profit digital rights group based in San Francisco, California, gives some suggestions on traveling with data, especially after the U.S. government reported an increase in the number of electronic media searches at the US border.

  • Store all sensitive data on a secure cloud offering like Dropbox or SpiderOak, or better still on a private hosted server.
  • Use a Chromebook as your travel laptop, which by default store all data on the cloud
  • If you must travel with your data, have two hard drives which you swap on convenience. One with a clean operating system install without any data, and another with the operating system and data, but only swapped when the laptop is in use.
  • Always use full strong disk encryption for all your data.

The next debate on information confidentiality is usually centered around the question, “Why should I care if I have nothing to hide?” The next article will try to answer that question. Do you have anything to hide?


[1] Mideast Airlines Face Laptop Bans on Flights to U.S., Britain

[2] Fact Sheet: Aviation Security Enhancements for Select Last Point of Departure Airports with Commercial Flights to the United States

[3] Privacy for anyone anywhere

[4] Emirates introduces tablet loan service to US-bound First and Business Class customers

[5] Strong Full-Disk Storage Encryption