Kenya’s Nominee for the position of Data Commissioner, Immaculate Kassait, has said that tech giants that have Kenyans’ data will soon be scrutinized on how they handle personal information.
Ms. Kassait appeared before the National Assembly’s ICT committee for vetting for the position. She said that global tech giants such as Facebook, Google and Twitter will be held liable for using data belonging to Kenyans.
The data protection law was approved in November 2019 and contains restrictions on how entities should handle, store and share personal data.
The Data Protection Act 2019 gives the commissioner powers to investigate data breaches and issue administrative fines where applicable.
“Even if they are internationally based companies and as long as they have data about Kenya, they have responsibility to adhere to laws of Kenya,” Ms Kassait, who is the current director of voter education at the Independent Electoral and Boundaries Commission (IEBC), said.
Facebook has been on record saying that personal information belonging to about 87 million users may have been compromised and shared with political consultancy firm, Cambridge Analytica. The firm has helped many politicians carry out campaigns including Kenyan President Uhuru Kenyatta in the 2013 and 2017 elections.
The data protection laws now require that the tech giants notify the commissioner in cases where personal data is breached.
Offences under this act will attract a fine of up to Sh5 million and/or imprisonment for for a term not exceeding 10 years.
Speaking to the committee, she said Twitter, Facebook and Google would have to follow the law.
The commissioner will also be required to put together and store records of data controllers for oversight.
“We will investigate and give penalties where necessary. The Data Commissioner is supposed to enforce the law and it will be my role to do that,” she told the vetting panel.
Ms Kassait also said Kenyans have freedom to transfer their data from one IT environment to another, and that they could also compel entities such as mobile money lenders to disclose how they use or store their data.
“You can ask Google how much information they hold about you, where they store and whether it is it accurate,” she said.
“If convicted of an offence and you are cleared, you have a right to ask Google to correct that information, that the information be forgotten, erased or updated. The multinational technology firms must give you data in a manner that is readable. This is what the new law says.”
If appointed the first Data Commissioner, Ms Kassait promised to develop a framework that would see all data, including the data collected for Huduma number, secured.
“The government and the private sector will have to adopt a risk analysis approach. They must know the process of data collection, retrieval and destructions. Under the new law, a Kenyan can request that their data be updated, object its use or be deleted,” Ms Kassait told the committee.