In 2019, the Data Protection Act was enacted into law after over a decade of efforts to bring it to life. It is the operative legislation that governs how personal data is protected in Kenya, and it is backed by three sets of regulations passed into law in 2021. The Act also established the Office of the Data Protection Commissioner (ODPC), which is mandated with regulating the processing of personal data, protecting the privacy of individuals, providing data subjects with rights and remedies against processing that is not in accordance with the Act, and establishing the legal and institutional mechanisms for the protection of personal data in Kenya.
Since the inception of the Act, the right to data privacy has faced significant challenges. The most significant has been the pervasive growth of the digital lending industry in Kenya. It is estimated that 4 out of 10 Kenyans have used their mobile money accounts to get a mobile loan. A report by the GSMA, the international association of mobile network operators, shows that a whopping 36 per cent of Kenyans acquired loans through their mobile phones in 2021 alone.
Largely unregulated, the industry has seen massive privacy violations, with lending companies extracting personal data belonging to borrowers and using it for scare-mongering and debt shaming, contrary to the Data Protection Act. Responding to the complaints, the National Assembly enacted legislation that empowers the Central Bank of Kenya to withdraw the licences of digital lenders who breach customer confidentiality. Whereas some digital lenders have been applauded for seeking to comply with the Data Protection Act by registering as data processors, a good number are still violating the right to privacy and traumatizing Kenyans with gruesome invasions of privacy.
On the 5th of October, the Office of the Data Protection Commissioner stated that it was planning to audit 40 digital lenders to ascertain whether they comply with the Data Protection Act. Through a press release, the office notified the public that it is conducting a preliminary documentary assessment and audit of the Digital Credit Providers (DCPs) whose practices are in question. Accordingly, its investigations will target how the companies process personal data, in light of complaints of invasion of privacy and debt shaming by various members of the public.
During the audit process, the cited companies will be required to provide the ODPC with the requisite documents, failing which they will be deemed to have failed to cooperate with the Office, which amounts to an offence under Section 61 of the Data Protection Act. The whole country is waiting to see whether the ODPC will issue fines against any of the mobile lenders for the violations. It would be prudent for the ODPC to fine the offending lenders, as a deterrent to other companies against privacy violations.
Simultaneously, the past three years have seen increased use of surveillance technologies by government agencies such as the Kenya Revenue Authority. In a tender notice, the Kenya Revenue Authority (KRA) called for the supply of an application that can scan through large volumes of data on all digital devices, in email correspondence, and even across social media accounts such as WhatsApp, Facebook and Instagram, sifting for valuable information in a bid to enforce tax compliance.
Firstly, it is not clear what extent of data KRA intends to gather, or which safeguards KRA will deploy to ensure that the exercise is in line with the principle of data minimization. This raises the concern that individuals will be profiled on the basis of the data KRA collects, given the blanket nature of the exercise. Under the principle of data minimization, a data controller like KRA must limit its data collection to only what is relevant to the specified purpose of enforcing tax compliance. KRA has not specified exactly which types of data it intends to collect and which it does not.
Secondly, it is also of grave concern whether the exercise by the KRA will adhere to the principles of storage limitation and purpose limitation. Storage limitation means that KRA has a responsibility to store the data it collects only for the period it requires the data, and to dispose of it once it is done with it. This is an important issue to address, as the information it intends to collect is of a sensitive and extremely personal nature.
Another key question is whether the directive complies with Article 31 of the Constitution and the relevant provisions of the Data Protection Act. KRA's proposed actions involve sensitive data, and it is not clear whether the Kenya Revenue Authority has conducted a data protection impact assessment. Such an assessment would categorize the risks the exercise poses to the right to privacy and introduce safeguards to protect the right to data privacy.
Based on the above, KRA must strike a balance between the need to ensure tax compliance and the protection of the right to data privacy and due process. The European Parliament has done this by requiring that the legislation which provides for the use of such technologies also provides for safeguards. KRA should adopt a similar approach and conduct a data protection impact assessment, which will inform the safeguards it introduces to ensure that it collects only data relevant to the purpose of tax compliance and protects all other sensitive data it acquires in the process.