Your data may not be safe, even with two data protection bills still floating in parliament, one sponsored by Baringo Senator Gideon Moi and the other by the Ministry of ICT.
Instead of proposing amendments to the bill sponsored by Senator Moi, the ministry went ahead and sponsored a new bill that is flawed in the eyes of experts.
According to lawyer Mugambi Laibuta, the ICT Ministry Bill is most worrying in terms of form and content with glaring loopholes and clauses that can hardly be operationalised.
“Any data protection regulation should cater for three aspects – individuals' right to privacy, the public need for data and commercial use of data. The ICT Ministry draft falls short in these aspects,” argues Mugambi.
According to the barrister, who has proposed amendments to the bill, clause 4 of the draft is not clear about data processors and data controllers and their operations. The law ideally should apply to anyone who processes data from Kenya, regardless of whether they are based in Kenya or not.
“It is important to note that a data controller or data processor may process data in Kenya while having no equipment in Kenya. The clause as is only deals with data controllers or data processors using equipment in Kenya. This means, for example, social media companies that process data from Kenya and have no equipment in Kenya are not covered,” argues Mugambi.
Mugambi also faults the creation of the Office of the Data Protection Commissioner with powers to investigate, regulate and undertake some judicial functions.
Instead, he proposes that the office should have at least three commissioners, that is, a chairperson and two commissioners or be run by a board with wide representation from diverse stakeholders including security, ICT and legal affairs.
In clause 7, the bill proposes promotion of self-regulation among data controllers and processors. Mugambi argues that this will kill the whole essence of having a law on the same issue.
“The law is being proposed because self-regulation has failed,” he says.
He also proposes deletion of clauses 15 to 20, which propose registration of all data controllers and processors.
He says, “A natural or legal person operating within Kenya is a potential data controller or processor. This includes persons or entities in the academic world. This will stifle protection and enjoyment of other rights including freedom of the press, freedom of expression and the right to information.”
Instead, he proposes that the law provide general principles of data protection that would cover all persons, whether natural or legal, operating within Kenya or getting data from data subjects resident in Kenya.
The proposed bill also sets a fine not exceeding Ksh5 million or a five-year prison term upon conviction for contravening the data protection laws. However, this is an unfair application of the law according to Mugambi, who argues that the fines should be a percentage of the offenders’ revenue.
“There are data controllers and processors who will be government entities, non-governmental organisations, academic institutions, religious institutions, hence a blanket fine is too punitive. Need for an aggregated way to deal with fines,” he says.
In his memorandum, Mugambi also proposes that the time to give notice of a data breach should be set at 48 hours. He also suggests that data for health emergencies and natural disasters should not be exempted from restriction by the law.
Also, he proposes that any agency should not use personal data for political purposes unless it has obtained express consent from the data subject.