Less than two weeks after a January terror attack left 21 people dead at a Kenyan hotel complex, the government announced that it would implement a law related to citizens’ personal data.
The recent amendments to the Registration of Persons Act would allow the government to collect people’s personal information – including DNA samples, biometric data like fingerprints and retinal scans and GPS information to pinpoint their locations. The aim, authorities say, is to enhance security.
But the plan violates Kenyans’ privacy rights. These rights are enshrined in the country’s Constitution and certain sectoral laws that deal with electronic and medical data. Unfortunately, there is no specific legal framework beyond this to guarantee that personal sensitive data is protected and people’s privacy is not violated without cause.
A Data Protection Bill is under discussion by the country’s lawmakers, but I believe it must be expedited or the Registration of Persons Amendments stalled until it’s passed.
There are examples all over the world of data being manipulated or misrepresented by authorities.
This means it’s imperative to ensure that data is properly protected and that Kenyans’ data is carefully guarded. Proper legislation would provide a useful framework for this, and would bring the country in line with others on the continent that have such laws, among them South Africa, Angola, Morocco and Rwanda.
Balancing privacy and safety
In many ways, Kenya’s Data Protection Bill mirrors the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018.
These are the GDPR’s key principles:
- in any instance where data is collected, a clear reason must be given;
- any information an individual collects cannot be disclosed to other organisation or individuals, unless authorised by the law or given well informed consent by the person (known as the data subject) who provided their data to the original organisation;
- data should be deleted when it is no longer needed for the stated purpose;
- the data subject can request access to their data, erase it or rectify the information at any point;
- personal information can’t be sent to a jurisdiction which doesn’t have similar data protection laws.
The GDPR Key principles accord the data subject the right to control who accesses his personal data; to control how and where the data is used.
Kenya’s bill contains similar provisions. But these will be effectively blown out of the water if the proposed amendments to the Registration of Persons Act go ahead.
The amendments would allow the government to collect a great deal of data from anyone who registers as a Kenyan citizen. That includes a digital picture, detailed information about parents or guardians, biometric data and GPS data so that any individual can be traced.
The government argues that collecting biometric and DNA data will ensure people can be positively identified in instances of crime. By coupling this with GPS data, they argue, they’ll be able to retrace a suspect’s whereabouts and movements. This will help the government to keep tabs on and monitor terror suspects.
All of this information, and particularly unique markers like DNA and biometrics, must be properly safeguarded. If they’re not, there’s a risk this data can be used against its subject. This could happen through data being mishandled, or through investigators engaging in targeted profiling.
There are currently no regulatory measures or legislation in place to make sure personal data is kept safe and not misused. Kenya needs to tread carefully. It must avoid placing the country’s security ahead of people’s privacy rights.
Legislation is key
This is not to suggest that Kenya’s government doesn’t have the right or obligation to find ways to keep citizens safe and to use data to understand whether certain people pose a threat. After all, the Constitution provides for the right to national security.
But the government must behave in a way that is reasonable, justified, and proportionate to the threat. It cannot allow security rights to trump privacy rights unless there is clear, proven cause to do so.
There is legal precedent for this. In 2018, a High Court Judge ruled in favour of the right to privacy. The case stemmed from the government’s move to collect and intercept mobile subscribers’ data to enhance cyber security. In this case, Judge Mativo held that the right to privacy can be limited, but only if it meets the analysis test in the Constitution. Any limitation must be reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom.
Given these limitations, and the fact that privacy is a fundamental part of Kenya’s Constitution, it’s crucial that proper data protection legislation be enacted to offset the potentially negative effects of the government’s data collection plan.
In this way, Kenya will be able to hold data collectors of any sort accountable for misuse or detrimental use of personal information – even if it’s by the government.