TASKFORCE TO FINALISE DATA PROTECTION BILL AFTER REVIEWING ALL PUBLIC COMMENTS
The Taskforce appointed by Government to develop Kenya’s policy and regulatory framework for privacy and data protection has made significant progress. The finalised draft of the Data Protection Policy and Bill (both published in August 2018 by the Ministry of ICT) is expected to address many of the concerns raised during the public participation phase, consisting of written submissions and public discussions.
The Taskforce hosted public discussions on 3 October and is working towards the deadline of 31 October 2018 to have a final version of the Policy and Bill ready for debate by the Senate and the National Assembly. Despite its tight schedule, the Taskforce has indicated that it will still accept comments from any interested groups and that they can make a formal request for an audience via email.
At the conclusion of the public hearings on 3 October, the Taskforce stated that its intention is to review all written and other comments submitted to it and to incorporate these, to the extent possible, into the final version of the Policy and Bill. Once key stakeholders have had the opportunity to validate the updated drafts, the Taskforce will submit the final version to Parliament by 31 October 2018. The Taskforce’s work will then have been completed and its members will participate as members of the public.
Concerns and responses
The public discussions on 3 October were approached as a dialogue. The overriding message from the Taskforce was that the intention is to enhance the effective application of the Data Protection Policy and Bill and to ensure that the legislative regime in Kenya complies with international best practice and does not hinder participation in trade and investment.
A major concern for some was the requirement for the local storage of personal information, either on a Kenyan-based server or at a Kenyan data centre. The sentiment was that this would be onerous, given that new technologies such as cloud computing make the location of servers irrelevant to the access of data, and given the quality of the existing network infrastructure. As you may know, the existence of this infrastructure to enable storage is key, and the costs of setting up such infrastructure are enormous. Kenya does not have adequate local data storage centres. In addition, some global data collectors and processors require high-grade data centres, with massive technology and power back-up systems in place, to store their data. This type of data centre is unlikely to be established in Kenya in the short term. The Taskforce has therefore undertaken to re-examine the value that could be derived from local storage. It made the point that a balance is needed between encouraging the growth of the local data centre industry and causing undue barriers to entry by investors.
Many of the other concerns raised related to the restrictions on the cross-border transfer of sensitive personal information and to the role and powers of the planned information regulator, the Data Commissioner.
The current lack of criteria for determining when a foreign country has sufficient data protection standards and laws was raised as a key concern in respect of cross-border data transfer and processing. In response, the Taskforce replied that it is finalising a pre-approved list of countries whose data laws are deemed adequate for the transfer of information from Kenya. It also said Regulations are likely to be developed on the criteria for determining which countries had sufficient data protection and that it will make a recommendation to this effect in the Policy and Bill.
Similarly, a concern was raised over the prohibition on cross-border processing of sensitive personal information given that this would prevent companies from using cloud-based storage. The public view expressed was that cross-border transfer of sensitive information should be permitted if the data subject had given explicit consent. The Taskforce’s reply was that it intends to review the entire section on cross-border transfer of information, with the aim of ensuring the legislation is technology-agnostic.
Need for a new regulator questioned
When it came to the role and powers of the proposed Data Commissioner, some participants questioned whether it was necessary to establish a new body to register and license data controllers. In response, the Taskforce said it was vital to have an independent information regulator that is not linked in any way to the exchequer. That said, it expressed a willingness to receive comments on whether there should be different registration processes or fees for small versus large data controllers.
Concerns were also raised around enforcement – particularly the steep penalties for non-compliance if the Bill were to be implemented in its current form. The response from the Taskforce was that the intention is to implement the Policy and Bill in phases, after public sensitisation and a grace period.
There was general consensus that, in the event of information breaches, there should be clear and unambiguous timelines for reporting breaches to the Data Commissioner and for informing data subjects. The Taskforce said it has received a number of recommendations around notification timeframes, ranging from six hours to 21 days after a breach had occurred. All recommendations will be considered and benchmarked with other jurisdictions. The Taskforce added that it is considering introducing various thresholds for notification, based on the materiality and severity of the breach.
Two other concerns dealt with during the hearings were the status of the prior published Senate Bill on data protection, which was published in May 2018, and the impact of data protection laws on small businesses.
On the issue of the previously published Senate Bill, the Taskforce said it will take into account the comments made during its public participation process, and will likely incorporate its contents in the final version of the Policy and Bill. The Taskforce acknowledged the confusion that had arisen from the publication of a Data Protection Bill from both the Senate and the ICT Ministry, and clarified that the ultimate intention of the current process is to develop a single piece of legislation for further debate in Parliament.
As for the effect of data protection compliance on small businesses, the Taskforce emphasised that the intention is not to create a cumbersome framework that will be a barrier to entry and that it will therefore look at what thresholds had been implemented in other jurisdictions.
Finally, the Taskforce undertook to keep in mind that many data controllers in Kenya still do manual data processing, necessitating equal treatment of manual and digital data under the Bill and Policy.