Kenya: Draft Data Protection Bill critically limited
|Publication Date||7 November 2011|
|Cite as||Article 19, Kenya: Draft Data Protection Bill critically limited, 7 November 2011, available at: http://www.refworld.org/docid/4eba8ff22.html [accessed 28 August 2015]|
|Disclaimer||This is not a UNHCR publication. UNHCR is not responsible for, nor does it necessarily endorse, its content. Any views expressed are solely those of the author or publisher and do not necessarily reflect those of UNHCR, the United Nations or its Member States.|
ARTICLE 19 finds the Draft Kenya Data Protection Bill 2009 currently undergoing internal review and stakeholder consultation to be critically limited and calls on the Constitution Implementation Commission to revise it to be in line with acceptable international standards on the right to freedom of expression and freedom of information.
ARTICLE 19 submitted its comments on the Draft Kenya Data Protection Bill 2009 (draft bill) to the Constitution Implementation Commission of Kenya (CIC) in October 2011.
Data Protection and Freedom of Information
ARTICLE 19 believes that data protection and freedom of information are complimentary rights designed to empower the citizen to protect their rights and to improve the transparency of both public and private bodies. ARTICLE 19 supports the adoption of well-crafted data protection laws that protect individuals' rights while ensuring government transparency and freedom of expression.
Over 70 countries have now adopted data protection laws covering the collection and use of personal information. Over 50 of those countries also have freedom of information laws.
The right of data protection has been growing in Africa over the last few years. So far, eight countries in Africa (Angola, Benin, Burkina Faso, Cape Verde, Mauritius, Morocco, Senegal, and Tunisia) have adopted comprehensive laws. Earlier this year, ECOWAS adopted a Supplementary Act A.SA.1/01/10 on Personal Data Protection which requires all member states to adopt data protection laws.
Scope of the Draft Bill Overly Limited
The draft bill appears to only apply to personal information held by public authorities (described in Article 3 as both a "controller" and "agency", which is undefined). This is significantly weaker than the similar laws in the eight African countries, as well as the 70 other national data protection laws across the world, which apply to both public bodies and private bodies such as corporations and non-profit bodies. The draft bill is more akin to the Privacy Acts found in many countries which only apply to government bodies.
While the draft bill will bring greater accountability to the processing of information about Kenyan citizens held by government bodies, the restriction to public bodies substantially limits the usefulness of the act as a means to enhance international trade to Kenya. European (and many other countries') law limits the transfer of personal information for outsourcing and other reasons to only countries with adequate data protection laws, which is why many countries in Africa, Asia and Latin America have adopted laws recently. This bill as drafted will not allow European data controllers to transfer personal information to Kenya because it does not apply to the private sector. Thus a major reason for adopting the bill will not be achieved.
A positive effect of this limitation is that 'invasion of personal privacy' may not be used as a justification to prosecute journalists who have published personal information in the public interest, such as corruption by public officials. This may remain a problem in other legislation such as the criminal code. Most data protection laws remedy this problem by putting in specific exemptions for information collected for journalistic or artistic purposes.
- The draft bill should be extended to apply to the private sector. If it is, there should be an exemption specifically for media and academic, artistic, and journalistic activities.
Definition of Personal Information
The draft bill and the Freedom of Information Bill (that ARTICLE 19 analyses separately) use the same definition of "personal information". However, neither bill explicitly limits the application of the law in cases where pubic servants are conducting public business.
This oversight will likely lead to limitation on access to government records which identify public employees or officials who are doing official business, such as attending meetings, sending emails or signing contracts, decisions, or agreements.
Both bills also consider that criminal record information including that relating to investigations and convictions is personal information. This could have a profound effect on public access to information of important public interest. While there may be some release of these records under the public interest exemption, it is likely to more limited than is acceptable.
- Both bills should be amended to explicitly exempt such records from the privacy exemption as has been in the South African Promotion of Access to Information Act.
- The draft bill should be clarified to make clearer that criminal records are public in nature.
Funding and the Information Commission
The draft bill links to the Freedom of Information Bill by extending the jurisdiction of the Commission created under the Freedom of Information Bill to include jurisdiction over privacy for public bodies. Thus, it will be required that the Freedom of Information Bill is passed either before or together with the draft bill This is a growing trend around the world and a similar dual commission model has been adopted in the UK, Germany, Mexico and Thailand amongst others.
An important issue is to ensure that adequate resources are availed for the additional functions that the draft bill imposes on the Commission. This could have a profound effect on the ability of the body to effectively enforce both rights. Currently, the draft bill is silent on this issue.
- The draft bill should provide that additional funding is awarded to the Commission protecting these rights so as not to undermine its other activities.
Access to Records Held by Private Bodes
As stated above, the draft bill only applies to public bodies. This limitation has a profound effect on the ability of citizens to both obtain and control the use of their personal information held by private bodies including private employers, banks, telecommunications companies, water, electricity companies and other private institutions.
Thus, the draft bill fails to meet the requirements under Section IV(3) of the Declaration of Principles on Freedom of Expression in Africa which states "Everyone has the right to access and update or otherwise correct their personal information, whether it is held by public or by private bodies."
This requirement is only partially addressed in the Freedom of Information Bill which provides for access to information held by private bodies "where information necessary for the enforcement or protection of any right." This means that persons concerned must demonstrate that requested information relates to enforcement of specific personal rights. Such a condition goes beyond the requirements of the freedom of information for other information and in data protection laws around the world.
In addition, the right of individuals to obtain their own records is limited by the exemptions under the Freedom of Information Bill. This includes broad exemptions for national security, commercial and economic reasons. Typically, data protection laws have fewer exemptions when individuals demand access to their own information since it is a right designed to protect the persons' own rights. Thus the threshold for limitations is higher.
- Ensure that individuals have a full right of access to records held by private bodies.
- Include a more limited set of exemptions on subject access in the Data Protection Bill.
Limits on unlawful collection of information
Privacy also supports other rights including freedom of expression by placing limits on the unlawful collection of personal information for political purposes, such as bodies creating dossiers to put pressure on journalists and others.
Article 5 of the draft bill prohibits the collection of personal information "by unlawful means". However, under Article 3, public bodies can ignore requirements that the collection and processing of personal information if "on reasonable grounds" for the purposes of enforcing any law by any public sector agency. This loophole sets a very low threshold for bypassing of laws.
- The draft bill should explicitly ban the collection of personal information that would limit the right of freedom of expression of the individual.
Definitions and Unlinked Concepts
Most of the definitions in the two bills are almost exactly the same. However, there are several ideas defined in the draft data protection bill which are included in the definitions but are then not mentioned again. This includes "public servants", "Whistleblowing" and "public record". It may not be necessary to have two identical sets of definitions but rather have one set and refer to the other.