The Nairobi Hub of the Global Shapers Community recently hosted its inaugural twitter chat for the 2018 calendar year on General Data Protection Regulation (GDPR) and the newly enacted COMPUTER MISUSE CYBERCRIMES ACT, 2018 of Kenya. The chat was hosted by Daniel Mainye, the former Vice-Curator for Nairobi Hub. The invited hosts were Tony Muiyuro, a cyber security expert and Loice Erambo, a commercial lawyer and an Advocate of the High Court of Kenya.
The discussion deliberated on the implication of the European Union GDPR laws to Kenyan-based service providers that controlled or processed personal data of consumers within the European Union borders. It was noted that the EU GDPR laws had extra-territorial reach that extended to foreign-based entities that dealt with personal data of EU residents.
The GDPR laws call for protection of the privacy of personal data. The ensuing responsibilities include the duty to collect data only for legitimate purposes and that the collected data only be used for the legitimate purpose for which the data was collected. It is prohibited for personal data to be kept for a period longer than necessary and in any case, data subjects have the right to demand for deletion of their data by data collecting or processing entities. EU GDPR laws also provide for security of personal data which entails protection against unauthorized access or processing of data and accidental loss, destruction or damage of personal data.
The twitter chat was timely for Kenyans for various reasons. Firstly, Kenya is emerging from a hotly contested general election in 2017 which was marred by allegations of #FakeNews and unethical data mining by United Kingdom’s recently liquidated firm, Cambridge Analytica. The experience made a strong case for adoption of a comprehensive data protection framework which was non-existent at the time. Secondly, the discussion came on the date when the Computer Misuse Cybercrimes Act, 2018 was set to come into effect. This Act is the first comprehensive data protection law in Kenya.
Whilst the step to finally entrench data protection regulation in Kenya is laudable, the Nairobi Hub noted the vagueness in the language of the law which left significant room for violation of key constitutional rights including the freedom of expression, the right to privacy (ironically) and the freedom of association. The expansive description of data-related offences leaves little to be desired. The Act seems to reintroduce criminal defamation months after the High Court of Kenya declared the same to be unconstitutional. Further, the Act has introduced the offence of “publication of false information” which has been the basis for witch-hunting of political activists and journalist in delicate democracies like the Republic of Uganda.
Considering the foregoing, the Bloggers Association of Kenya (BAKE) filed a petition at the High Court of Kenya to challenge the constitutionality of 25 sections of the Act. The Court issued interim orders suspending the coming into force of 25 sections of the Act pending the final determination of the suit. The Nairobi Hub will continue to track the progress of this case and will deliberate the consequences of its outcome.