15 Minutes /

Voter Data and the Ballot: The Impact of the Data Protection Act on Kenya’s 2022 General Election

Meshack Masibo

Meshack Masibo

The election period in Kenya has always been a high stakes and tense atmosphere. Equally, the uptake of technology and the arising issues of data storage, accessibility and transparency have also grown increasingly controversial in recent years. When the two concepts react together it often leads to an explosive mixture of high-octane politics, immersive litigation and even invalidation of the presidential election results.      

Such was the case in 2017, in one of the most competitive elections in Kenyan history, when a petition against the results of the election was successfully launched at the Supreme Court of Kenya. One of the main issues that was in contention was how voter data was being stored, relayed and processed. In invalidating the results, the Supreme Court held that the use of voter data was not transparent and the unwillingness of the IEBC to give access to the servers hosting the information was reason enough to have the elections invalidated.        

The use of technology in elections in Kenya can be traced back to the findings of the  Kriegler Commission made after the violent 2007/8 general elections.  The commission recommended that the national electoral body should develop an integrated and secure tallying and data transmission system which would allow computerized data entry and tallying at constituencies, secure simultaneous transmission (of individual polling station level data) to the national tallying center and the integration of this results handling system through a progressive election result announcement system.   

Based on the findings, Kenya began the process of integrating technology into the conduct of elections through the use of Biometric Voter Registration (BVR) equipment to register voters on a pilot basis for the 2010 national referendum. In the 2013 elections the use of technology was extended beyond voter registration to voter identification and results transmission. Despite an initial positive reaction to this development, it was not properly implemented in the 2013 elections and was one of the key issues raised during the 2017 presidential election petition.

Three years after the 2013 elections, the  Joint Parliamentary Select Committee on matters relating to the Independent Electoral and Boundaries Commission (IEBC) was formed to discuss the use of technology in elections. The Committee made recommendations for wide -reaching amendments to the Elections Act to provide for the use of technology. The committee  conducted a lengthy process involving expert consultations and public participation leading to the adoption of the Elections (Technology) Regulations of 2017.     

Later on in 2017, Parliament  amended the Elections Act by  establishing an integrated electronic system that enables biometric voter registration, electronic voter identification and electronic transmission of results backed up by a complementary manual system of voter identification. These changes were later struck down by the High Court which ruled that the changes were a threat to the transparency, impartiality, neutrality, efficiency, accuracy, and accountability of elections. 

Data Localization

Between 2017 and now a lot has happened in the data protection space that is likely to have an impact on how this year’s elections will be held. In 2019, the Data Protection Act was enacted. Section 50 of the Act which is expounded on under section 26  of the Data Protection Regulations  introduced a requirement for data localization for data processing towards executing a public good such as an election. The provision states that a data controller or data processor who processes personal data for the purpose of actualizing a public good is required to ensure that the processing is effected through a server and data center located in Kenya and at least one copy of the concerned personal data is stored in a data center located in Kenya. 

Data Processing

Fast forward to 2022 and a fresh political clash looms in the National Assembly after the introduction of a Bill aimed at bringing back the  manual transmission of election results. This would mean that the data is not transmitted electronically but submitted manually and only processed at the centralized IEBC office. This is likely to raise questions on the transparency and accuracy of the data that is relayed to the main tallying center.

In November 2020, Ms. Immaculate Kassait was appointed as the first Data Protection Commissioner. Her office has the mandate to, among others, enforce the Data Protection Act, oversee operations relating to the processing of data, and to receive and investigate complaints relating to infringement of the right to privacy which can occur during processing of data. There is a need for the Commissioner to engage in collaborative efforts with the Independent Electoral and Boundaries Commission to maintain the integrity of voter data use and to ensure the use is in line with the data protection principles discussed above.

Meshack Masibo

Meshack Masibo

I am a creative, a tech enthusiast and a futurist. I love seeing imagination come to life through tech and passionate about using my skills to ensure that imagination does not triumph over human decency. This is why I enjoy advocating for data privacy and data ethics. I am an Advocate of the High Court of Kenya called to the Bar in 2021. I received my Law Degree from Kenyatta University in 2018 and my Post Graduate Diploma from the Kenya School of Law in 2020. I find joy in learning, engaging in intellectually stimulating conversations and playing chess. I am driven by the desire to use my voice to leave society better than I found it.