By Amit R. Gadhia
Advocate and Solicitor
Last week saw Google become the first casualty of the General Data Protection Regulation (GDPR), which was introduced in the European Union (EU) in May 2018. For those who have not heard of the GDPR, it is the EU's data protection regulation, governing the protection and privacy of all individuals' data within the EU. It also addresses the export of personal data outside the EU. The GDPR, one of the most robust and strictest data protection regimes in the world, gives individuals greater control over their personal data.
Kenya currently has no data protection legislation in place. The Kenya Data Protection Bill 2018 (the Bill), which is very similar in substance to the GDPR, is currently under review by various stakeholders and is likely to be legislated into law soon. This will make Kenya one of the first sub-Saharan African countries to enact data protection legislation.
Once the Bill becomes an Act, what does this mean for organisations and individuals? What are the repercussions for individuals and organisations that breach the mandatory provisions of the Bill?
For a start, the penalty for breach of the Bill is eye-watering for organisations of any shape or size. Section 59(1) of the Bill states: “a person who commits an offence under the Bill for which no specific penalty is provided or who otherwise contravenes this Act shall, on conviction, is liable to a fine not exceeding five million or to an imprisonment term not exceeding five years or both”.
The first casualty of the GDPR is Google. It has been fined K.Shs. 5.8 billion (US$57 million) by France’s top data-privacy agency, known as the CNIL. CNIL said it had levied the record fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The provisions of GDPR which CNIL used to find Google in breach of the rules are:
– Transparency – An organisation must be transparent as to how it will use an individual's data. CNIL found that users are not able to fully understand the extent of the processing operations carried out by Google.
– Consent – Explicit consent must be sought from an individual for the use of their data. The consent must be a voluntary, specific and informed expression of the data subject's will to have their personal data processed. CNIL stated in its ruling: “The information on processing operations for the (Google) ads personalisation is diluted in several documents and does not enable the user to be aware of their extent”.
There are many organisations in Kenya which, once the Bill is enacted into law, will squarely fall foul of its mandatory provisions and expose themselves to crippling fines. Data protection is a foreign and unheard-of concept to many of the largest organisations in Kenya.
It is a very common sight when one visits a hospital that patients' medical records are strewn across the desk of the receptionist, doctor or officer concerned for everyone to see. Often the records are not kept under lock and key. These medical records contain an individual's most personal data and must always be protected.
At many office block entrances and shopping malls the security guard asks for the visitor's ID card or number, mobile number and signature, and records the car registration number. The details are then entered in a large ledger book which is kept overnight in the watchman's shed, again without lock and key. In this age of digitisation, the ID card and mobile number are crucial access keys to many digital services globally.
Professionals such as accountants, tax advisors, lawyers and estate agents commonly ask clients for their KRA iTax username and password. These log-in details are commonly passed to staff within the offices of these professionals, often written on a piece of paper, for a junior professional to act on. Who knows where that piece of paper ends up from there!
The above are prime examples of basic breaches of data protection legislation which many Kenyan citizens notice on a daily basis but do not seem to think of as an intrusion on their constitutional right to privacy.
If organisations and professionals are to avoid the Google scenario of a data breach and its ensuing penalties, best practices on handling individuals' data more carefully, in line with international practice, must be learned and adopted. Planning data handling and compliance is a long, complicated process and cannot be done overnight. Therefore, work towards compliance with data protection legislation must start before the Bill is passed into law.