10/24/2023

Privacy
◻ The right and ability of individuals to control
their personal information and decide how and
when it is collected, used, and shared within the
framework of legal and cultural norms.
◻ Privacy is a significant topic within the realm of

legal and ethical issues.

◻ It involves the protection of an individual's

PRIVACY personal information and their right to keep

certain aspects of their life and identity private.

Personal Data vs Sensitive Personal Data Personal Data vs Sensitive Personal Data

◻ Personal data: any piece of information that ◻ Sensitive personal data aka as special category
someone can use to identify, with some degree data: a specific set of “special categories” that must
of accuracy, a living person. be treated with extra security.
◻ It is a subset of personal data that requires higher
 e.g., name, address, phone number, email
levels of protection due to the potential harm if
address, date of birth, financial details, and exposed.
information related to work, education and ◻ Includes highly confidential information that, if
hobbies. mishandled, could cause significant damage e.g.:
◻ Personal data is also classed as anything that racial or ethnic origin; data related to a person’s
can affirm your physical presence somewhere. sex life or sexual orientation; and biometric data
(where processed to uniquely identify someone).

1
 10/24/2023

Privacy Data Protection vs Freedom of Information

◻ We want to keep some (if not all) areas of When data was stored in paper form it
our lives private. was that much harder to work with.
◻ It is our right to do so.
Today, massive amounts of data can be
◻ Though…
stored, accessed or moved/transferred at
There seems to be a difference in how much
we value our privacy, depending on which the click of a button.
generation we belong to. Two areas of law become of interest:
■Social media generation Data protection
■However, too, loyalty cards
Freedom of information ...

Data Protection vs Freedom of Information Privacy: Key Concepts

◻ Data protection ◻ Data Privacy

there should be controlled access to data the protection of personal data and
about me information from unauthorised access or
■For privacy misuse.
◻ Freedom of information Laws that address this include the Kenya
I’dlike to see/know what information the Data Protection Act (2019), Europe’s General
government/public authorities have Data Protection Regulation (GDPR) and the
California Consumer Privacy Act (CCPA) in
■subject to certain exemptions
the United States.

2
 10/24/2023

Privacy: Key Concepts Privacy: Key Concepts

◻ Privacy Laws ◻ Ethical Considerations
 Various countries and regions have enacted privacy laws to Privacy is not just a legal issue but also an ethical
protect individuals' rights.
one.
 These laws define what constitutes personal data, how it can
be used, and the penalties for violations. It involves respecting individuals' autonomy and
■ E.g. they empower individuals with rights over their
their right to control their personal information.
personal data: Essential ethical principles in this context include
■ Kenya’s Data Protection Act, 2019, empowers Kenyan consent
citizens to request access to their personal data held
by a company.
transparency
■ The EU’s GDPR empowers European citizens to request data minimisation ...
that a company deletes their stored data.

Privacy: Key Concepts Privacy: Key Concepts

◻ Informed Consent ◻ Technological Advances/New Technologies
 Individuals should be informed about what data is  Big Data, AI, the Internet of Things (IoT), 5G etc
collected and how it will be used. increase data accessibility and pose challenges to
privacy.
■ E.g., an app asks for permission to access your
 They can collect and analyse vast amounts of
location and explains why it's needed.
personal data.
◻ Data Minimisation
■ E.g., predictive algorithms analysing your online
 Collect only the data necessary for a specific behaviour to make recommendations.
purpose.  Ensuring privacy in these contexts is an ongoing
■ E.g., an online shopping site only asks for your concern.
name and address during checkout.

3
 10/24/2023

Privacy: Key Concepts Privacy: Key Concepts

◻ Other major concerns due to the ◻ Other major concerns due to the proliferation of the
internet:
proliferation of the internet: ◻ Social Media Privacy

◻ Online Privacy  Posting personal information on social media

platforms can expose individuals to privacy risks.
Includes issues like tracking, data  Users often reveal personal information without
col lect io n b y w eb sit es and o nl ine considering the consequences.
■ Sharing geolocation data on social media while
services, cookies, and the use of on vacation.
personal information for targeted ■ Posting vacation plans on social media can
make you a target for burglars.
advertising.

Privacy: Key Concepts Privacy: Key Concepts

◻ Social Media Privacy (cont...) ◻ Healthcare Privacy
 Platforms' data collection practices and their Laws such as the US’ Health Insurance
use of personal information are subjects of Portability and Accountability Act
debate.
(HIPAA) govern the privacy of medical
 Third-Party Apps connected to social media
records and personal health information.
can access user data, sometimes without users
realising. ■E.g., a healthcare provider cannot

■A quiz app collecting users’ Facebook data

disclose a patient's medical history
and selling it to advertisers. without their consent.

4
 10/24/2023

Privacy: Key Concepts Privacy: Key Concepts

◻ Workplace Privacy ◻ Consumer Privacy

Companies often collect and use customer data
Employees have certain for marketing and analysis.
expectations of pri vacy i n the ■ E.g., concerns about the security of personal
information when using mobile banking apps.
workplace, but employers may ▪ Safaricom collecting and using customer data
monitor activities to varying degrees. for targeted marketing.
There are legal and ethical considerations around
Balancing these interests is essential. how they handle this data and whether individuals
have consented to its use.

Privacy: Key Concepts Privacy: Key Concepts

◻ Cultural Considerations ◻ Surveillance
 Government surveillance programs and the use of
Community and Family surveillance technologies (e.g., CCTV cameras,
Kenyan culture has traditionally placed facial recognition) raise privacy concerns.
 Balancing national security needs with individual
importance on communal living and family privacy rights is a complex ethical and legal
ties. challenge.
This affects the boundaries of personal ■ Examples:

privacy. ■The debate over the use of facial

recognition technology by law enforcement.
E.g., family members may expect access to each ■ Unauthorised interception of text messages.
other's personal information more readily than in
some Western cultures.

5
 10/24/2023

Mass surveillance
Scope creep mass surveillance

Mass/state/goverment surveillance: they can surveil certain

persons for certain purposes...
Scope creep – now it seems to be ALL information about
ALL people ALL the time.

The Panopticon

Mass Surveillance
◻ The Panopticon
◻ La te 1 8th Cen tury idea by Jer emy B ent ha m (En gli sh
philosopher and social theorist).
 One invisible warden in a central tower watches many
individuals separated from each other.
 To help manage correctional facilities by inducing good
behaviour
■ the more people are watched, the better they behave.
■ the prisoners do not know who is being watched, thus
they modify their behaviour accordingly.
◻ Inspired George Orwell’s big brother’s all seeing eye in
Prison San Vittore – Milan (built in 1880)
“1984”. 115
Source: thefunambulist.net

6
 10/24/2023

Mass Surveillance Mass Surveillance

◻ Bentham’s Panopticon, and novels by HG Wells ◻ Organisations monitoring your communication
and Orwell, were futuristic fiction. ◻ What determines the content of what you
◻ Today it is a reality. share o n y ou r fav ou rite soc ial me dia
◻ Today both the state and individuals can use network?
technology for mass surveillance: ... Probably influenced by the assumption
 easy due to the prevalence of smart phones, that people are watching and judging you.
CCTV in the malls and streets, speed cameras Others also assume you are watching and
on the highways, Digital TV sets, ipads ... judging them.
So you all self-censor.

Mass Surveillance Mass Surveillance

◻State surveillance ◻ The surveillance:

◻ Acts as a deterrent
◻Justification? Insidious
(like the panopticon)
■If we feel we are probably being
To curb terrorism watched we modify our behaviour
To tackle crime … accordingly.
◻ Provides information for investigation
◻ How? … purposes.

7
 10/24/2023

Mass Surveillance Examples Mass Surveillance Examples

◻ 2013: The NSA's mass surveillance programs, revealed by ◻ China’s Social Credit System
whistleblower Edward Snowden. ◻ A nationwide system that assigns scores to individuals
◻ The programs, such as PRISM and XKeyscore, involved the and businesses based on their behaviour.
collection of massive amounts of electronic communications
◻ Collects data from various sources, including financial
data, including emails and phone records (plus the ability to
record and replay phone calls), from both U.S. citizens and transactions, social media activity, and public records,
non-citizens. to assess citizens' trustworthiness.
◻ Without judicial warrants; ◻ Individuals with high scores receive benefits, while

◻ Using phones + the internet to carry out mass surveillance and those with low scores face restrictions.
data mining. ◻ Basically mass surveillance and social control
 E.g. based on your internet searches and social networking data.
 it involves extensive data collection and monitoring
of citizens' activities.

Mass Surveillance Mass Surveillance

Kenya Kenya

◻In strategic areas in Nairobi; ◻ To help the police force tackle

◻cameras that can recognise motor crime, cameras installed in
vehicle number plates Nairobi city
capture number plates of vehicles ■The Nairobi Integrated Urban
involved in traffic offences or crime Surveillance System project.
(stolen/carjacked) Mombasa

8
 10/24/2023

Mass Surveillance Mass Surveillance

Kenya Kenya

◻ Data is being collected, centralised and ◻December, 2012

shared.
◻T h e I n t e g r a t e d P o p u l a t i o n
◻ March, 2012: CCK (today’s CA):

Announced an increase in cyber security threats.

Registration System (IPRS)
Declared the need for authorities to monitor ◻D e v e l o p e d f o r t h e K e n y a n
digital communications.
government by EDAPS, a
◻ Service providers required to install NEWS
(Network Early Warning System) Ukrainian firm.
i.e. equipment used to monitor internet traffic.

Mass Surveillance Surveillance Activities

Kenya Other Examples

◻ IPRS function: to collect and combine data from ◻ March, 2013

databases owned by various government agencies: ◻ The Ministry of Information PS announces that mobile
◻ All the following registers: service providers were blocking at least 300K “hate”
 Birth & death, citizenship, ID card, aliens, passport,
SMSs daily.
◻ Ostensibly to prevent violence in the 4th of March
marriage & divorce, elections, tax, drivers, NSSF,
NHIF, the Kenya National Bureau of Statistics. elections;
◻ service providers had installed software to
(Privacy International, 2019)
 detect messages containing particular words (e.g. kill)
◻ The running of this system was allegedly subcontracted
 automatically flag them off for further scrutiny and
to a foreign country. potential blocking.
◻ PS: It was hacked...

9
 10/24/2023

Surveillance Activities Surveillance Activities

Other Examples Other Examples

◻ April 2014 ◻ Aims:

◻ The Kenyan government proposes the Umoja Kenya
◻ To identify people with fake identification
Initiative, a universal single registration system
documents.
 Activated when a child is born
 Stored in a national digital database. ◻ To provide one digital ID

◻ Collect: to streamline registrations

 Individuals’
biometric details ■E .g .
vo ter , na ti on al I D , NH IF , NS SF, K R A ,
 other personal information collected
commercial/business related.
■E.g.name, age, relatives’ identities, location and assets rather than have different cards for each.
owned.

Surveillance Activities Surveillance Activities

Other Examples Other Examples

◻ July 2015: Wikileaks allegations: ◻ A presidential directive that names of people

◻ The Kenyan government wanted to procure a
living with HIV, including school age children be
collected.
Remote Control System tool;
◻ The Kenya Legal & Ethical Issues Network and
 to remote hack and control target devices.
others sued the government in December
◻ R e q ue s t e d a f o r e i gn in t r u si o n ma l wa r e 2016…
company (HackingTeam) to shut down a blog. ◻ December, 2016

◻ This would serve as a Proof of Concept. ◻ The High Court in Nairo bi declared this

◻ If successful they would win the contract to directive unconstitutional.

supply surveillance tools.

10
 10/24/2023

Surveillance Activities Surveillance Activities

Other Examples Other Examples

◻ Argued such a list violated the January 2017, CA announced their plan to
Constitution’s: implement a device management system:
◻ Article 31 Ostensibly to identify fake and stolen devices.
the right to privacy In reality: a spy system to monitor digital
◻ Article 53(2) communications:
the "child’s best interests are of paramount a third party (a foreign firm) connects to mobile
importance in every matter concerning the service providers’ routers
child." To snoop on private communication data
SMS, call and mobile money transfer data.

Surveillance Activities Surveillance Activities

Other Examples Other Examples: Huduma Number
The Consumer Federation January 2019
The president signed into law amendments
denounced it as:
to the Registrations of Persons Act.
against the Constitution Basically about introducing the National
Integrated Identity Management System
exposing service providers to (NIIMS)
lawsuits for breach of i.e., a biometric ID card with a unique ID
confidentiality. number
aka the “Huduma Namba”.
For all Kenyans and all foreign residents.

11
 10/24/2023

Surveillance Activities Surveillance Activities

Other Examples: Huduma Number Other Examples: Huduma Number

◻ Previously all that was needed as a ◻ March 2019

unique identifier was finger/thumb prints. ◻ The National Integrated Identity Management

◻ This amendment added DNA information; System (NIIMS) launched.

E.g. hand and ear lobe geometry, retina, ◻ Aim: one card merging information from
iris and voice patterns in digital form. multiple documents.
◻ Also more location info ◻ These numerous implementations of modern
e.g.land reference number, plot and house technology are a good thing.
number and GPS coordinates. ◻ Right?

Surveillance Activities
Data Processing vs Privacy
Other Examples: Huduma Number
Once more, massive amounts of personal ◻ The constitution enshrines our right to
data was being collected, centralised and privacy.
shared. ◻ But pre-November, 2019 there was
YET!... no law to specifically give it effect.
Kenya had yet to adopt data protection ◻ No dat a pro te ct i on l aw an
legislation around these activities. individual’s personal information can
The project lacked adequate data be abused by those that obtain it.
protection measures and oversight.

12
 10/24/2023

Data Processing vs Privacy Surveillance Activities

◻ A Data Protection Bill has existed in ◻ Previously :

various forms since… No data protection law
◻ 2012…!! No data protection agency/authority.

◻ The Kenyan Data Protection Bill ◻ Yet all this data about an individual
(2019) was the latest version. stored in one database.
◻ At long last (November 8, 2019) the ◻ The problem being there was no law

president signed it into law. to protect it.

Surveillance Activities
Other Examples: Huduma Number (cont) … India
◻ Also: ◻The Aadhaar number was initially
◻ Is the practice and spirit of it such
initiatives as the Huduma No. from a
publicised as a voluntary service.
genuine place? ◻However citizens without this
◻ If we are not to find this system number were denied certain
suspect, we must be assured that the crucial services
government has our interests at heart. E.g.collection of payments for those
◻ cf the Aadhar Number…
on welfare.

13
 10/24/2023

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ Data privacy is a right. ◻ Do we need data protection laws?

◻ Data protection laws are not normally seen as ◻ If a man in the middle attack happens
important then your data is open to everyone.
 isdata privacy as important as violation of your Turkey – 2016. Super sensitive information
human rights or freedom of expression?
about its citizens (names, their locations etc)
◻ In many countries, privacy and surveillance found on a torrent file.
rarely seen as important in the larger context.
 We are inured by the oft repeated message:
◻ So what? You have nothing to hide, right?
■Surveilling us is beneficial to us due to increasing security
threats.

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ National IDs registration requires information ◻ E.g. 2016:
on our location of origin. personalised text messages sent to citizens in
◻ Enables whoever is interested to figure out your some counties asking them why they had not
tribe/ethnicity. registered as voters.
chiefs had people’s numbers and their
◻ Your data can be weaponised (used against
locations and would visit them to enquire and
you) e.g. it can be used to track you down. encourage them to vote.
 E.g. voter registration
■toverify that you are on the voter roll, type in your ID no.
◻ Implication: personal data is not secure
■You get your name and voting locale.
and mass surveillance is carried out.
■Nice but then so does anyone else with your ID number

14
 10/24/2023

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ Should someone working at one ◻ Wanting privacy is NOT akin to you

parastatal have access to your data at having something to hide.
another parastatal? Privacy is NOT Secrecy.
◻ How about KRA having across the board
◻ It is the ability to control the collection,
information about you?
use, sharing etc of your personal
E.g. KRA attempts to access M-Pesa
data …
transaction records “to catch tax cheats”.

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ You probably have nothing to hide. ◻ In most countries, governments are
◻ However, you desire the ability to have your
allowed to
own space, free thoughts, free speech etc. …
tap private conversations and
◻ … without surveillance.
access personal data
◻ Governments may not want this, as they wish to

prevent dissidence. ◻ As long as

◻ S elf censo rship also kills cre ativit y and thereis a valid reason and
innovation. permission from the courts.

15
 10/24/2023

Privacy vs Secrecy/Surveillance Data Protection Issues

◻ However some seem to require ◻ Having nothing to hide shouldn’t justify

citizens to give up their rights in the lack of data protection legislation.
name of national security. ◻ As a human, you have autonomy...
◻ Judicial oversight discourages the ◻ This is a fundamental right.
government from abusing this Basically,do what you want, when you
privilege wa nt, without hind rance / feel ing
even if fighting terrorism. watched.

Why should we care? Why should we care?

◻ The information / digital age is powered by ◻ We have little/no ability to control what is
information done to our data if there are no legal
◻ Technological advances have led to massive mechanisms in place.
amounts of our data being out there. ◻ Your digital persona can easily affect your

◻ Corporations and governments worldwide physical persona negatively

hunger for this information  Persuasion through ads
 This data is sorted and you are profiled based on  Harassment e.g. cyberbulling/stalking

the data.  Blackmail eg ransomware

 Worse: automated decisions could be made based  Discrimination

on this data. ■Information in the wrong hands can be dangerous

16
 10/24/2023

Why should we care? Why should we care?

◻ Information is a priceless commodity that ◻ Big data firms seem to have more power than
we give out for free. governments.
◻ Governments want to regain their power
◻ Why not sell it?
◻ A country may have exponential growth in e-
Watch Stuart Lacey’s TEDxBermuda talk commerce (as Kenya does).
titled: “The Future of Your Personal Data -  Manycitizens run their businesses on FB, Instagram,
Privacy vs Monetization” e-commerce platforms like Jumia and Amazon.
https://www.youtube.com/watch?v=JIo- ◻ No legislation to protect data means people’s
V0beaBw sensitive data is online but unprotected.

Why should we care? Why should we care?

◻ Data breaches ◻ EU countries have the power to hold

E.g.instances of millions of FB accounts being corporations to account
hacked.
e.g. telling FB that it’s standards are not
FB has a lot of data about a lot of people…
up to par with their legal requirements
◻ GDPR: To transact with businesses based
◻ This protects their citizens’
in EU countries/trade we must have data
protection laws. data/privacy.
W i t h o u tthem we miss out on trade ◻ Governments without such legislation
opportunities. may have no standing to do the same.

17
 10/24/2023

Data Protection Issues

Data Protection ◻Having massive amounts of

Legal, Ethical and Human Rights Issues
personal information
profiling denial of services.
◻Concerns:

Legal
Ethical
Human rights

Data Protection
Legal Issues

◻ For a long time the re has been no data

Data Protection protection law/legal framework to support the
go v e rn me n t c o ll e c t in g hu ge a m o un t s o f
Legal Issues personal data.
 Fortunately the constitution did protect citizens
(Article 31).
◻ E.g. as of 2019, a popular Kenyan service
provider + a local bank teamed up to provide
overdrafts to subscribers …

18
 10/24/2023

Data Protection Data Protection

Legal Issues Legal Issues

◻ When you opt in, one of the T&Cs is: ◻ How and why did private entities have access
You allow them access to the information the to such potent data?
Integrated Population Registration System ◻ B e c au se t he r e wa s no l e ga l f r am e w o r k

(IPRS) system holds about you. governing the IPRS.

◻ The Registration of Persons Act allows
■IPRS was developed for the Kenyan
collection of data but doesn’t discuss it’s
government (NOT private corporates!!).
protection.
◻ Ditto other businesses with apps that offer
◻ The government should not serve private
credit services … business interests; it should serve the citizens.

Data Protection Data Protection

Legal Issues Legal Issues

◻Can malicious entities get access ◻ Danger of private communication data

held by CA being exposed;
to this information then? ◻ January, 2017: The CA website hacked by
◻With access even to DNA info? AnonPlus who placed their manifesto on the
homepage
◻C a n I b e t r a c k e d u s i n g m y
Th ey promi sed to “de f en d f re e dom of
eye/facial recognition data from information, freedom of the people and
emancipation of the latter from the oppression
all the CCTV cameras? of media”.

19
 10/24/2023

Data Protection Data Protection

Legal Issues Legal Issues

◻ Errors in personal data Privacy violations

 From e.g. data storage/transfer glitches or hacks A lender app accesses your phone book and sends
◻ If my data (e.g. DNA data) is corrupted: messages shaming you to your contacts
 wrongful arrest (mistaken id)? Today Apple notifies you when an app wants to access
your contacts, location, photos etc.
 denial of services?
It wasn’t always so.
■both by government or private entities
Without your consent apps would:
■E.g. your credit history is ruined due to automated
access your address book (almost 1/5 of all its apps),
decisions
track your location (2/5 of the apps) and
■living in a certain neighbourhood …
have this data stored unencrypted (> 2/5 of the apps).
identity theft aka identity fraud

Data Protection
Ethical Issues

Data Protection ◻ How ethical are the following:

◻ Compulsory collection of sensitive personal

Ethical Issues data (DNA, GPS coordinates etc) for the

sake of collection?
◻ State “honesty” in explaining its data

collection?
Is the passing of amendments to certain laws
done with transparency / accountability /
integrity in mind?

20
 10/24/2023

Data Protection Data Protection

Ethical Issues Ethical Issues

◻How ethical are the following: How ethical are the following:
Treating humans as their data (am I my data)?
◻The state having considerable
“ok” and profitable for businesses but…
insight into our lives? … governments actions should not be driven by
commercial interests/profit margins
◻ The state enabling others (private
Cambridge Analytica – data used to breach
corporations/individuals) to have the democracy of at least two developed
insight into our lives nations.
e.g. through security breaches)? How sovereign are we?

Data Protection
Human Rights Issues

Right to privacy
Data Protection
The state/its official organs having massive
Human Rights Issues amounts of data can be dangerous
Your information can be weaponised
E.g. genocide is made easy…
Marginalisation (resource allocation)
Wrong profiling – you are of religion X
therefore you are a terrorist
(automated decision making)

21
 10/24/2023

Data Protection Data Protection

Human Rights Issues Human Rights Issues

Right to privacy
◻

◻ The data collector may not be a government

◻Right to privacy
officer ◻Once more:
 they may simply be hired contractors trained
with no notion of privacy ◻Privacy is a fundamental
◻ cf
human right.
 Huduma namba;

p o l i t i c a l S M S s s e n t t o y o u r “ p r i v a t e ”
cellphone number

Data Protection Data Protection

Human Rights Issues Human Rights Issues

◻ Right to Dignity Right to Equality

◻ Violation of dignity:
Article 27 of the constitution.
The state + private corporations too
aware of your activities/life No discrimination …
◻ Your have a right to your freedom R e g a r d l e s s o f
and security gender/ethnicity …
■Beingtreated as a human.
■Automated decision making violates that.

22
 10/24/2023

Data Protection Data Protection

Human Rights Issues Human Rights Issues

Right to Equality ◻ Right to Equality

No discrimination … Regardless of gender/ethnicity …
Location information: ■W h y fill these details in
We are told information is collected to government forms then?
provide services.
■Provision of DNA information can
What about the homeless? Refugees?
People living in domestic violence shelters? be used to trace your ancestors’
No services for them? origins.

Data Protection Data Protection

Human Rights Issues Human Rights Issues

◻ Right to Equality ◻Right to Equality

◻ Not being treated equally = torture ◻Not being treated equally =
A database for People Living with HIV. torture
■To serve what purpose?
Say you are not in the database …
A u t o m a t e d decision making ■No government services?
■Infringes on your right to welfare payments,
profiling discrimination right to health care, right to vote …
■cf Aadhaar number

23
 10/24/2023

Is Data Protection Legislation Necessary? Is Data Protection Legislation Necessary?

Mass surveillance implies data on individuals When individuals are under constant surveillance, there
is generated, collected and processe d may be a presumption of guilt or suspicion, shifting the
burden of proof from the prosecution to the defense.
r egar dle ss o f thei r be ing invo lve d (o r
Mass surveillance can create an environment where
suspected to be involved) in criminal activities. individuals are treated as potential suspects until they
This “distorts the burden of proof principles, can prove their innocence.
leads to an unaccountable increase in power, This chilling effect on freedom of expression
and has a chilling effect on individual action Knowing that they are being monitored, individuals
and the exercise of free speech.” may self-censor their online activities and
communications out of fear of being targeted or
(Kiprono, 2018) ... labeled as a potential threat.

Is Data Protection Legislation Necessary?

◻ Good governance requires the state to respect its

citizens right to express their opinions freely.
187 Data Protection Legislation
 E.g.in exposing corruption, injustice and malpractices against
consumers
■Buyer Beware.
 Fighting terrorism should not be an excuse for bad
governance.
■ Not the right way to fight terrorism.
■ Identify the root problem.
■ What makes someone become a terrorist/radicalised?
■ Could it be marginalisation/discrimination?

24
 10/24/2023

The Data Subject What should a DPL look like?

◻ Most probably you. ◻ Scope
◻ The EU’s General Data Protection Regulation (GDPR) defines  Individual right to privacy - protect the data subject (the
a ‘data subject’ as an “identified or identifiable natural Kenyan citizen)
person” from whom or about whom information is collected.  The protections offered should be at par with/better
 Natural person: a company or organisation cannot be a than those offered internationally
data subject ■e .g .th e o b lig at io n s o f co m me r c ia l e n ti ti e s w h e n
◻ A person who can be identified, directly or indirectly, in generating/collecting, processing, storing the data.
particular by reference to an identifier such as a name, an ■What the state does with your data
identification number, location data, an online identifier or to
■Data sovereignty – data is subject to the laws and
one or more factors specific to the physical, physiological,
governance structures within the nation it is collected. Data
genetic, mental, economic, cultural or social identity of that
natural person.
sovereignty comes into play when the data is stored
outside the country and is subject to that country’s laws.

What should a DPL look like? What should a DPL look like?

◻ Specific limitations on the rights ◻ Data categories

as per the constitution e.g. how to collect/store/process
◻ Clear definition of consent e.g.: sensitive personal data …
Does silence assume consent? i.e. information that can be used to

Should I be opted in without my

discriminate against you e.g.:
■information about minors, race, tribe,
knowledge?
trade union membership, gender,
marital status.

25
 10/24/2023

What should a DPL look like? Players

◻ Remedies/modes of ◻ Two entities/persons:

redress Data controller
◻T h e d a t a p r o t e c t i o n
Data processor
oversight authority and its
independence

Players Players

◻ Data controller ◻ Data processor

The person or entity that determines ◻ A person/entity that, on behalf of the data

controller,
■the purpose for which personal data is
 collects
personal data
collected and processed
 processes this data
■the means and method of processing it ◻ Does not own or control the data they process
◻ i.e., dictates how and why data is going to  They can’t change the purpose and the means in
be used by the organisation. which the data is used.
 They are bound by the instructions given by the
data controller.

26
 10/24/2023

Players Players
◻ Basically, a data controller determines why and ◻ Example (cont...):
how personal data should be processed while
◻ a data processor carries out these tasks on behalf of
◻ The uni is the data controller and
the controller. ◻ The security firm is the data processor.
◻ Example: ◻ The uni could also act as both when
◻ Say the university has hired a security firm.
collecting other data
◻ The uni determines what information is to be
e.g. student registration data.
gathered at the gate about the students/staff/other
visitors.

Data Privacy Laws

◻ Many countries/regions have laws 199 Data Privacy Laws

protecting individual’s privacy.
◻ What varies is the comprehensiveness and The EU Context
enforcement of these laws.
◻ The EU’s GDPR is often seen as the gold

standard in privacy laws due to its wide

scope and stringent enforcement
mechanisms.

27
 10/24/2023

The EU’s GDPR The EU’s GDPR - Penalties for Violation

◻ The EU has a comprehensive data privacy law known ◻ Severe and designed to be effective, proportionate
as the General Data Protection Regulation (GDPR). and dissuasive for each individual case.
◻ A data subject has rights under the GDPR that aim to ◻ For especially severe violations, listed in Article 83 (5)
protect their privacy and right to self-determination. GDPR, the fine framework can be up to 20 million
◻ The GDPR euros, or up to 4% of the organisation’s total global
enhances individuals’ control and rights over their turnover of the preceding fiscal year, whichever is
personal information higher.
simplifies regulations for international business.
◻ Less severe violations in Article 83 (4) GDPR sets forth
fines of up to 10 million euros, or up to 2% of the
governs the transfer of personal data outside the organisation’s entire global turnover of the preceding
EU and the European Economic Area (EEA). fiscal year, whichever is higher.

The EU’s GDPR - Penalties for Violation

◻ Severe Penalties Examples 203 Data Privacy

◻ Facebook’s parent company Meta was fined a

record-breaking €1.2 billion for transferring The Kenyan Context

data collected from Facebook users in the
EU/EEA to the US, violating GDPR international
transfer guidelines.
◻ Amazon was fined €746 million for tracking

user data without acquiring appropriate

consent from users or providing the means to
opt out from this tracking.

28
 10/24/2023

Web & Mobile Presence

Data Availability
Kenya
Both mobile and internet penetration is very high.
◻

 According to the Communications Authority (CA,

Technological advances
the Kenyan telecommunications industry regulator),
in March 2017:
■ 39.1 million mobile subscriptions (86.2% mobile
penetration) Massive amounts of data
■ 40.59 million internet users (89.4% internet
penetration)
 Millions active on social media daily.

Data Availability Kenya’s Privacy Laws

◻ Enshrined in
Massive amounts of data  Kenya’s constitution and
 the Data Protection Act
◻ The constitution protects the right to privacy,
including protection against unnecessary revelation
Need for data privacy of information or infringement of communication
◻ The Data Protection Act regulates the processing of
personal data, provides for the rights of data
subjects, and outlines the obligations of data
controllers and processors

29
 10/24/2023

1. Constitutional Privacy Protections Further…

◻ The right to privacy is enshrined in Article ◻ Article 2: should Kenya sign/ratify international
31 of the Kenyan constitution: treaties/ conventions they become part of the
Kenyan domestic law.
Every person has the right to privacy. ◻ Kenya is a signatory to
This includes the right not to have  the Universal Declaration of Human Rights (UDHR)
■their person, home or property searched; ◻ and has ratified
■their possessions seized;
 the International Covenant on Civil and Political
■information relating to their family or private Rights (ICCPR)
affairs unnecessarily required or revealed; or ◻ They include privacy rights.
■the privacy of their communications infringed.
(Kenyan Constitution: Chapter Four, Part 2, Article 31)

Limitations to Privacy Rights Limitations to Privacy Rights

(Kenya) (Kenya)
E.g. don’t just say you are fighting terrorism
◻A rt i cl e 2 4 (3 ) r eq u i r e s ◻

Terrorism should be no excuse for poor governance

anyone wishing to limit any ◻ P r o v i d e a s p e c i f i c r e a s o n f o r t h e d at a
collection:
fundamental right to justify Avoid data collection for the sake of data collection
themselves. ■ E.g. only take my DNA information only after I
commit a crime
◻T h e y m u s t i d e n t i f y t h e ◻ Reason usually given is “to provide government
services”
need… To business entities?

30
 10/24/2023

Limitations to Privacy Rights Limitations to Privacy Rights

(Kenya) (Kenya)

◻ Remember: ◻ Our personal information may be collected/

processed/shared etc …
◻ A Kenyan’s right to privacy includes the ◻ …only if article 24 of the Constitution is

right NOT to have “information adhered to.

 Justify/id the need.
relating to their family or private ◻ Our rights and fundamental freedoms may be
affairs unnecessarily required or limited "for the purposes, in the manner and
revealed; …” to the extent" set out in Article 24 of the
Constitution…

Limitations to Privacy Rights

(Kenya) Data Privacy Laws
Limited for the purposes...
◻

 E.g. such restrictions may only be imposed for purposes of

A data protection law serves to
respecting others’ rights/reputations, or national security, public act as a framework that provides
order, public health or morals.
◻ ...in the manner... guidelines on personal data:
 Restrictions/limitations to our right to privacy must be legal and Who the data controller is
follow due process
■ e.g. acquisition of warrants. Who processes the data.
◻ ...to the extent... How/why/where the data is
 s uch r estr ict ions m ust n ot on ly be n ece ssa ry bu t a ls o
proportionate. processed.
■ NOT some people shot up a mall, let’s gather ALL
information about ALL people

31
 10/24/2023

2. The Kenya Data Protection Act,

Data Privacy Laws
2019
◻ Data is a right; a human right … ◻ Governs how personal data is
◻ i.e. it is a right attached to a human; collected, processed, and transferred,
◻ not property/a business asset both within Kenya and internationally.
Youare a person, you are not your data. ◻ Expedited following concerns raised
■Sure, I can extract patterns from your
over the Huduma Namba registration
data and make decisions based on them
but you’re human, not a game of chess. exercise.
■Decisions should not be automatically the safety of citizens’ personal data
made based on your data. collected by the Government.

2.1 Purpose of the Act 2.1 Purpose of the Act

◻ gives effect to Article 31(c)and (d) of the ◻ provides for the
Constitution rights of data subjects (individuals whose
 (the right every person has not to have (c) data is being processed)
information relating to their family or private obligations of data controllers (those who
affairs unnecessarily required or revealed; or determine the purpose and means of
(d) the privacy of their communications processing of personal data) and
infringed.) the obligations of data processors (those that
◻ establishes the Office of the Data Commissioner process personal data on behalf of the data
◻ regulates the processing of personal data controller)

32
 10/24/2023

2.2 Data Protection Principles The Data Protection Act of 2019

◻ Data Controllers and Processors must: Law to safeguard citizens’ personal data.
Sets out comprehensive provisions for the collection,
process data lawfully;
use, storage, and handling of personal data.
minimise collection of data; seeks to promote and protect the privacy of
restrict further processing of data; personal data and ensure that data controllers,
data processors, and data subjects adhere to the
ensure data quality; highest standards of data protection.
e s t a b l i s h a n d m a i n t a i n s e c u r i t y sets out stringent requirements for data controllers
safeguards to protect personal data. on what to do with the personal data they collect...

The Data Protection Act of 2019 The Data Protection Act of 2019
They must provide data subjects with a notice explaining ◻ The Data Protection Act also gives data
how their data will be collected, processed, and stored. subjects the right to access their personal data
They must include details on the purpose of the data held by data controllers.
processing, the legal basis for the data processing, and
◻ Data subjects can request data controllers to
the party to whom the data will be disclosed.
Data controllers must also obtain explicit consent from provide them with a copy of their personal
data subjects before they can process their personal data, and data controllers must respond to
data. these requests within thirty days.
They must ensure that they only collect and process data ◻ Data subjects can also request data controllers
that is necessary for the purpose they seek to achieve. to rectify, delete, or restrict the processing of
their personal data.

33
 10/24/2023

The Data Protection Act of 2019 The Data Protection Act of 2019
◻ Data controllers must comply with these requests, except
under specific circumstances set out in the Act. ◻ The act establishes the office of the Data
◻ The Act also provides for the protection of data subjects’ Protection Commissioner, who is
rights against unauthorised processing, loss of data, or
destruction of data. responsible for overseeing and enforcing
◻ Data controllers must take appropriate measures to data protection regulations in Kenya.
safeguard personal data, including measures to prevent
unauthorised access, modification, disclosure, or destruction ◻ The Commissioner has the powe r to
of personal data.
◻ Data controllers must also put in place adequate technical investigate data controllers and
and organisational measures to ensure the security of processors suspected of violating data
personal data.
protection laws and to impose sanctions on
violators of the law.

The Data Protection Act of 2019 The Data Protection Act of 2019

Regulates the processing of personal data You have the right to know how your information
is handled.
and information. You have the right to request your personal data
GDPR principles informed the bill on the be deleted/edited if it is inaccurate.
governance of this information The right to data portability is enforced.
A data subjects can obtain d ata that a da ta
How it is handled, stored and shared. controller holds on them and reuse it for their own
purposes.
Illegal processing of personal data is You now have the right to refuse an organisation to
punishable by law. transfer your personal data to another organisation.
Upto 3,000,000/= fine or a maximum of 2 Should be a relief to cellphone users.
years in jail.

34
 10/24/2023

2.3 Registration of Data Controllers

The Data Protection Act of 2019
and Processors
◻ To paraphrase an ICT CS: ◻All data controllers and data
◻ KQ, tourist hotels etc must comply processors must be registered with
when handling personal data from the Data Commissioner.
clients. ◻They must register themselves and
◻ Also phone-based lenders such as
renew their registration every 3
Safaricom, who gather tons of
years.
personal data through services
offered jointly with local banks.

2.4 Transfer of Personal Data Outside Kenya 2.4 Transfer of Personal Data Outside Kenya

◻ All data controllers/data processors must ◻ The following conditions ensure that cross-border data
ensure at least one copy of personal data to processing is carried out with proper safeguards and
which the Act applies is stored on a server or consideration for data subjects' rights and privacy.
data centre located in Kenya 1. Adequate Protection
2. Consent
◻ Cross-border processing of sensitive personal

data is prohibited 3. Legal Obligations

4. Vital Interests
the transfer of personal data to foreign countries or
international organisations is only allowed when 5. Public Interest
certa in cond itions ar e met or under certain 6. Legal Claims
circumstances specified in the Act...

35
 10/24/2023

2.4 Transfer of Personal Data Outside Kenya 2.4 Transfer of Personal Data Outside Kenya

◻ Adequate Protection: if the foreign ◻ Consent: if the data subjects have

country or organisation ensures an provided explicit and informed
adequate level of protection for the consent for their data to be
data. transferred abroad.
the receiving entity must have data
This consent must be obtained
protection laws or mechanisms in
place that are equivalent or similar
before the data transfer takes
to those in Kenya. place.

2.4 Transfer of Personal Data Outside Kenya 2.4 Transfer of Personal Data Outside Kenya

Example:
◻ Legal Obligations: if such transfers ◻

◻ A cloud service provider, hosting sensitive data for various

are necessary for the performance of clients, is legally obligated to implement strict security measures
to protect the confidentiality and integrity of the data.
a contract between the data subject ◻ To comply with these legal obligations, the provider regularly
and the data controller or for the conducts security audits, encryption of stored data, and access
control measures.
implementation of pre-contractual ◻ They must also report any data breaches promptly to both their
measures taken at the data subject's clients and relevant authorities, as required by data protection
regulations.
request ... ◻ These legal obligations ensure the safety and privacy of client
data stored on their servers.

36
 10/24/2023

2.4 Transfer of Personal Data Outside

2.4 Transfer of Personal Data Outside Kenya
Kenya
◻ Vital Interests: if the data transfers are necessary ◻Vital Interests Example:
to protect the vital interests of the data subject,
particularly in life-threatening situations. ◻I f y o u a r e u n c o n s c i o u s a n d
◻ The processing of personal data may be necessary
admitted to a hospital, medical
to protect the person's life or physical health in e.g.
 medical emergencies,
professionals may process your
 natural disasters, or personal data without consent if it
 situa tions wh ere an individ ual's life is in is necessary to provide life-saving
immediate danger.
treatment.

2.4 Transfer of Personal Data Outside Kenya 2.4 Transfer of Personal Data Outside Kenya

◻ Public Interest: if the data transfers are ◻ Legal Claims: Transfers of data may be
necessary for the performance of a task allowed if they are necessary for the
carried out in the public interest or in the establishment, exercise, or defense of legal
claims.
exercise of official authority.
E.g. a law firm processes personal data
e.g., to conduct a public health survey
without consent to pursue a legal claim on
during a disease outbreak. behalf of a client in a court case.
This is done in the public interest to This processing is necessary for the
protect the health of the population. establishment, exercise, or defense of legal
claims ...

37
 10/24/2023

2.4 Transfer of Personal Data Outside Kenya 2.5 Exemptions

◻ Legal Claims Example: The processing of personal data is exempt
◻ A software company is facing a legal dispute with a former
employee who claims they were wrongfully terminated. from the provisions of the Data Protection
◻ To defend themselves, the company needs to gather evidence Act;
related to the employee's performance, attendance records,
and communication logs during their employment. for national security or public order
◻ This involves collecting personal data, such as the employee's reasons;
work-related emails, attendance records, and performance
evaluations. when disclosure is required by or under
◻ The company processes this personal data without the explicit any written law or by an order of the
consent of the former employee, as it's necessary for the court.
defense of their legal claim against the wrongful termination
allegation.

How DPL Is Enforced in Kenya How DPL Is Enforced in Kenya

Through the Data Protection Act and various A Data Protection Commissioner
regulations that operationalise the provisions of
the Act. serves as the Data Protection
T he Da t a P r o t e c t i o n ( C o m p l i a n c e a nd Authority that:
Enforcement) Regulations, 2021 outline the registers organisations /
compliance and enforcement provisions for the
Data Commissioner,
businesses that own, manage, or
Data Controllers, and control data.
Data Processors. investigates data infringements

38
 10/24/2023

The Kenyan Data Commissioner’s Roles

The Kenyan Data Commissioner’s ◻The ODPC (Office of the Data

Roles Protection Commissioner) ensures
that personal data is handled
responsibly and that individuals’
privacy rights are upheld.
◻They do this via the following 11

roles ...

The Kenyan Data Commissioner’s Roles The Kenyan Data Commissioner’s Roles

1. Oversee the implementation of 3. Exercise oversight on data

and be responsible for the processing operations, either of own
enforcement of the Data Protection motion or at the request of a data
Act. subject, and verify whether the
processing of data is done in
2. Establish and maintain a register
accordance with the Act.
of da ta c ontrol lers and d ata
4. Promote self-regulation among data
processors. controllers and data processors.

39
 10/24/2023

The Kenyan Data Commissioner’s Roles The Kenyan Data Commissioner’s Roles

5. Conduct an assessment, on its own initiative 7. Take such measures as may be

or at the request of a private or public body, necessary to bring the provisions of this
for the purpose of ascertaining whether Act to the knowledge of the general
information is processed according to the
public.
provisions of this Act or any other relevant
8. Carry out inspections of public and
law.
6. Receive and investigate any complaint by
private entities with a view to evaluating
any person on infringements of the rights the processing of personal data.
under this Act.

The Kenyan Data Commissioner’s Roles The Kenyan Data Commissioner’s Roles

Promote international cooperation in matters

9.
relatin g to data prote c tion a nd e nsu re
11. Perform such other functions
country’s compliance on data protection as may be prescribed by
obligations under international conventions and
agreements. any other law or as
10.Undertake research on developments in data necessary for the promotion
processing of personal data and ensure that
there is no significant risk or adverse effect of of the object of this Act.
any developments on the privacy of individuals.

40
 10/24/2023

How DPL Is Enforced in Kenya... (cont) How DPL Is Enforced in Kenya

◻ The Act requires that any person who acts as a ◻ Cross-border processing of sensitive
data controller or data processor must be
personal data is prohibited and only
registered with the Data Commissioner.
... and renew their registration every 3 years.
allowed when certain conditions are
◻ Every data controller or data processor is
met or under certain circumstances
required to ensure the storage, on a server or specified in the Act.
data centre located in Kenya, of at least one ◻ In case of non-compliance with these
serving copy of personal data to which the Act
applies.
regulations, penalties may be
imposed.

Case Studies
Data Protection Enforcement Actions in Kenya -
September 2023

41
 10/24/2023

Case 1: Digital Credit Provider's

Introduction
Penalty
◻ In September 2023, Kenya witnessed a series of ◻ Background
significant data protection enforcement actions aimed
at upholding the Kenya Data Protection Act, 2019
◻ A Digital Credit Provider (DCP) operating
(KDPA) and its associated regulations. two mobile lending apps faced
◻ These actions serve as a clear message to data
unprecedented consequences for its handling
controllers and processors regarding the importance of personal data.
of safeguarding personal data and adhering to ◻ They gained the dubious distinction of being
privacy regulations. the first Data Controller to incur a substantial
◻ Let’s delves into the notable cases and the regulatory penalty, totaling almost 3 million Kenyan
provisions involved. shillings.

Case 1: Digital Credit Provider's Case 1: Digital Credit Provider's

Penalty Penalty
◻ Violation ◻ Enforcement Measures
◻ The DCP was penalised for acquiring the names
◻ To ensure compliance with the KDPA
and contact information of complainants
through third parties, and subsequently utilising and the Data Protection (Complaints
this data to send threatening messages and Handling Procedure and
make intimidating phone calls. Enforcement) Regulations, 2021
◻ This action directly contravened the provisions
(regulations 20 and 21), the following
of the Kenya Data Protection Act (KDPA),
2019, specifically Sections 62 and 63.
measures were enforced ...

42
 10/24/2023

Case 1: Digital Credit Provider's Case 2: Restaurant's Privacy

Penalty Infringement
◻ Data Subject Notification: ◻ Background
Digital lenders and financial institutions must notify data
subjects when collecting and processing their data. ◻ A Nairobi-based restaurant found
Transparency in data handling is essential for protecting itself in legal trouble, facing a fine of
individuals' privacy.
◻ Consent Requirement:
nearly 2 million Kenyan shillings.
Data controllers are obligated to process personal ◻T h e r e s t a u r a n t h a d p o s t e d a
data only after obtaining explicit consent from data customer's image on its social media
subjects.
This consent-based approach enhances data protection and platform without obtaining the
ensures individuals' rights are respected. necessary consent.

Case 2: Restaurant's Privacy Case 2: Restaurant's Privacy

Infringement Infringement
◻ Violation ◻ Enforcement Measures
◻ The restaurant's actions constituted a ◻ The penalty imposed on the restaurant

breach of the data subject's privacy highlights the importance of respecting

data subjects' privacy rights.
rights.
◻ It is hoped that going forward, such
◻ Posting personal images without
establishments (restaurants, lounges, clubs,
consent contradicts the principles of etc) will strive to seek consent from
data protection outlined in the KDPA. customers before posting their images
online.

43
 10/24/2023

Case 3: School's Data Protection Case 3: School's Data Protection

Violation Violation
◻ Background ◻ Violation
◻ A school faced severe consequences ◻ The school's actions violated the

when it was fined over 4.5 million privacy of minors.

Kenyan shillings for posting pictures of ◻ Before processing personal data
minors without their parents' consent. related to minors, schools and similar
◻ This case underscored the significance institutions handling such data must
of protecting minors’ personal data. obtain explicit consent from parents
or legal guardians.

On A Separate But Related Note:

Snapchat's AI Chatbot Feature: “My AI” On A Separate But Related Note
◻ Powered by OpenAI's ChatGPT technology. ◻ Find ing s s ugg e st a po t e nt ia l fai lur e by
◻ The UK's data prote ctio n re gulato r, the Snapchat to properly identify and evaluate
Information Commissioner's Office (ICO) raised privacy risks to children before releasing My AI
concerns about the privacy risks My AI poses to in April, 2023.
children. ◻ These findings do not necessarily mean that

◻ Investigating how My AI processes the personal Snapchat has violated British data protection
data of Snapchat's 21 million UK users, laws.
including children aged 13-17. ◻ The ICO is considering the company's response

before making any final enforcement decision ...

44
 10/24/2023

On A Separate But Related Note On A Separate But Related Note

◻ Snapchat’s response: ◻ The investigation highlights growing
My AI went through robust legal and privacy regulatory scrutiny over the use of AI (e.g.
reviews before launch
chatbots) and privacy risks, especially for
it is reviewing the ICO's notice
children's data.
it is committed to user privacy
■ it is committed to working with the ICO to ensure ◻ It also emphasises the role of regulatory

that their risk assessment procedures align with bodies like the ICO (and our very own
privacy standards. ODPC) in assessing and addressing
◻ If Snapchat does not adequately address its concerns,
potential privacy risks associated with new
My AI could be banned in the UK.
technologies.

Data Commissioner's Office Initiatives

In addition to the enforcement

◻

actions, the Data Commissioner's

Back to our case study ... office revealed several ongoing
initiatives aimed at ensuring data
Data Protection Enforcement Actions in Kenya - September protection compliance ...
2023

45
 10/24/2023

Data Commissioner's Office Initiatives Data Commissioner's Office Initiatives

◻ Compliance Audits: ◻ Inspection on a Supermarket

The Data Commissioner's office was The office was also conducting an
conducting a compliance audit on a inspection on a popular supermarket
second Digital Credit Provider (DCP). regarding recent data breaches.
■This emphasises the importance of The findings would be shared with
adhering to data protection the Data Controllers for prompt
regulations within the financial corrective action.
sector.

Data Commissioner's Office Initiatives Lessons That Ought to Be Obvious

◻ Upcoming Compliance Audits: ◻ The Kenya Data Protection Act, 2019 is not a
joke.
◻T h e O D P C p l a n s t o c o n d u c t 4 0
◻ These cases highlight the consequences of non-
compliance audits across various compliance with the KDPA and its associated
sectors during the current financial regulations.
year. ◻ Organisations and institutions that handle

◻ This proactive approach underscores

personal data MUST prioritise transparency,
consent, and compliance with data protection
a commitment to enforcing data laws to protect the privacy of data subjects
protection regulations in Kenya. effectively.

46
 10/24/2023

Turns Out “Obvious” Is Relative Copycat behaviour sprouted all over the place.
Data controllers almost immediately struck back with Tribe Onyx Club, Texas Barbeque, and
warnings of implied consent to revellers entering their
premises. Quiver Lounge Kilimani

Can Data Controllers Do This? Can Data Controllers Do This?

◻ We appreciate this company’s “proactive” ◻ In other words, it’s nice of them to inform
approach to addressing data protection individuals about the possibility of being
and privacy concerns. photographed, filmed, or recorded.
◻ However. ◻ Such notices MUST however align with the

◻ We can also provide some insights based K DP A to p ro t e ct i n d i v i d ua l s ' r i g ht s

on the KDPA, 2019, and the Data effectively.
Protection (Complaints Handling ◻ We can suggest a few considerations to

Procedure and Enforcement) Regulations, enhance the notice's compliance with data
2021 ... protection regulations ...

47
 10/24/2023

Relevant Data Protection Regulations: Relevant Data Protection Regulations:

Explicit Consent Purpose Limitation
◻ The notice mentions that individuals entering the ◻ The notice mentions the use of recorded
event premises "consent" to be photographed, media for "any purpose whatsoever."
filmed, and recorded.
◻ KDPA requires that personal data be
◻ Under KDPA, explicit consent should be obtained
collected for specific, legitimate purposes
individuals must provide a clear and
and not used in a manner incompatible
unambiguous agreement.
◻ It's advisable to rephrase the notice to explicitly
with those purposes.
state that individuals entering the premises have ◻ The company should specify the intended
the option to provide or withhold consent. purposes for which the recorded media
will be used, such as promoting its events.

Relevant Data Protection Regulations: Relevant Data Protection Regulations:

Duration of Consent Opt-Out Option
◻ The notice states that individuals waive ◻ The notice mentions that individuals
and release any claims "in perpetuity." should not enter the area if they do
◻ KDPA requires that the duration of consent not agree to the terms.
be limited to what is necessary for the ◻ While this is a valid approach, it's
specified purposes.
also advisable to provide an opt-out
◻They should consider specifying a
mechanism for individuals who initially
reasonable timeframe for which consent is
va lid to al ig n w it h d at a pro te ct io n consented but later wish to withdraw
principles. their consent.

48
 10/24/2023

Relevant Data Protection Regulations

◻ Data protection compliance is essential in

today's digital age
◻ The company should review and refine this ◻ For more examples and analyses, cf
notice to ensure that: Document titled:
it complies with data protection regulations
while still serving the intended purpose of informing Data Protection Guidelines on Event
individuals about potential recording activities. Photography - Regulatory Alert
This approach will help create a more
transparent and privacy-conscious environment
for event attendees.

Kenyans On Social Media also responded to the ODPC’s

Kenyans On Social Media
press release.
also responded to the
ODPC’s press release.

49
 10/24/2023

Sidenote: Points To Consider Points To Consider

You can play your part in spreading ◻ Privacy Awareness

the gospel of data privacy (esp on ◻ Conceal individuals' faces with emojis
social media) without being boring suggests an increased awareness of
about it. privacy concerns.
Humour can be a powerful way to ◻W e a r e a c k n o w l e d g i n g t h a t
address complex issues. individuals may not want their images
Let’s consider the underlying message to be shared publicly without their
and implications of akina the Emojis ... consent.

Points To Consider Points To Consider

◻Social Commentary ◻ Encouraging Consent

◻O n t h e f i n e s a n d p e n a l t i e s ◻ The act of covering faces with emojis

imposed on businesses for privacy indirectly emphasises the importance

violations. of obtaining consent before capturing
and sharing images of individuals.
◻H i g hl i g ht s t he i mp o rt a nc e of
◻ It serves as a reminder that consent
respecting individuals' privacy should be sought in various social and
rights, even in casual settings. business contexts.

50
 10/24/2023

Points To Consider Points To Consider

◻Engagement and Discussion ◻ Balancing Privacy and Expression

◻ While humor can be a useful tool, it's
◻Such a pic can spark discussions
essential to strike a balance between
about privacy and data protection. priva cy p ro te ct io n and fre ed om of
◻It encourages people to think expression.
about their rights and the ◻ While individuals have the right to privacy,

responsibilities of data controllers. they also have the right to express

themselves and share experiences.

Enforcement of DPL: Kenya vs EU

DPL Comparisons ◻The Data Commissioner in

Kenya plays a crucial role in
enforcing data protection laws.
◻In comparison, EU’s GDPR is

enf or ce d by eac h m em ber

state’s national data protection
authority ...

51
 10/24/2023

Enforcement of DPL: Kenya vs EU Enforcement of DPL: Kenya vs EU

These authorities are independent public ◻ Like Kenya’s Data Commissioner,
authorities that supervise, through investigative
and corrective powers, the application of the these authorities have powers to
data protection law. carry out investigations in the form
They provide expert advice on data protection of data audits,
issues and handle complaints lodged against
violations of the GDPR and the relevant issue warnings for non-compliance,
national laws. issue corrective measures such as
There is one such authority in each EU Member bans on processing and fines.
State.

Enforcement of DPL: Kenya vs EU

◻Unlike Kenya where there is 299 Data Privacy

a single Data Commissioner, The American Context

GDPR enforcement can vary

by member state as each
state has its own national
data protection authority.

52
 10/24/2023

The United States The United States

◻ No comprehensive data privacy law ◻ ECPA (Electronic Communications Privacy

(unlike us and the EU). Act)
◻ Instead, various federal and state laws
◻ Governs the privacy of electronic communications,
including email, telephone conversations, and data
that cover different aspects of data stored electronically.
privacy, li ke he alth da ta, financial ◻ FERPA (Family Educational Rights and
information, or data collected from Privacy Act)
children. ◻ Protects the privacy of student education records.
■Federal laws include: ECPA, FERPA, GLBA, It gives parents and eligible students certain rights
FCRA, HIPAA, COPPA, and VPPA ... regarding the release of student records.

The United States The United States

◻GLBA - Gramm-Leach-Bliley Act: requires ◻ HIPAA (Health Insurance Portability and

financial institutions to explain their Accountability Act)
◻ Establishes standards for the privacy and security
information-sharing practices to customers
of protected health information (PHI) to protect
and safeguard sensitive financial patients' medical records and other health-related
information. data.
◻FCRA - Fair Credit Reporting Act: ◻ COPPA (Children's Online Privacy Protection Act)

regulates the collection, dissemination, and ◻ Imposes requirements on websites and online

use of consumer credit informatio n, services that collect personal information from
including credit reports and credit scores. children under the age of 13.

53
 10/24/2023

The United States The United States

◻ VPPA (Video Privacy Protection Act) Thus the U.S. lacks a comprehensive federal privacy regulation.
States like California have started implementing their own
◻ Restricts the disclosure of an individual's video
privacy laws, creating a patchwork of regulations.
rental or sales records without their consent. Complying with multiple state privacy laws and evolving
◻ May have been established in 1988 when regulations is complex.
video stores were a thing but still very relevant E.g., organisations must adapt to frequent changes in
breach notice laws
and effective today in the age of video
aka data breach notification law that require
streaming. organisations to notify individuals and relevant
◻ Protects Americans’ video consumption data. authorities when a data breach occurs.
typically specify the timeframe, content, and method
of notification.

China

306 Data Privacy ◻ Personal Information Protection Law (PIPL)

and the Data Security Law.
The Chinese Context ◻ The PIPL

China’s first comprehensive law

designed to regulate online data aand
protect personal information.
Draws from the EU's GDPR
Heavy penalties if broken.

54
 10/24/2023

Challenging Data Privacy Issues

Embedding Data Privacy: It must be integrated into
Challenging Data Privacy Issues the core of an organisation's data strategy.
E.g. failure to prioritise data privacy led to the Facebook-
Cambridge Analytica scandal.
Device Proliferation: The rise of IoT devices and BYOD
policies complicates data management and may pose
security risks.
E.g. employees bringing personal IoT devices (Fitbits, Alexa
etc )to work may inadvertently expose sensitive data.
Unauthorised IoT devices may collect and share sensitive
workplace data.

Challenging Data Privacy Issues Challenging Data Privacy Issues

Increasing Maintenance Costs: Securing ◻ Data Visibility: Organisations must know
systems is expensive, but data breaches where sensitive data is located.
are costlier.  E.g.data classification tools help identify and
E.g. investing in automation reduces the cost of protect sensitive information.
managing data privacy. ◻ Building a Good Data Culture: Prioritising
Access Control Challenges: Poor access data value over data volume reduces
management often leads to data breaches. security risks.
E.g. inadequate user access control can result in  E.g.
companies with excessive data storage
unauthorised data access. may face higher security risks.

55
 10/24/2023

Challenging Data Privacy Issues Challenging Data Privacy Issues

Managing the Scale of Data: As data volume grows, Third Parties: Many organisations use third-
organisations need scalable solutions. party vendors, increasing data security risks.
E.g. cloud storage solutions are scalable and can handle vast
amounts of data. Data breaches often occur due to third-party
Regulatory Complexity: Compliance with various vulnerabilities.
privacy laws requires efficient processes. Untested Security Plans: Organisations must
E.g. GDPR introduced new challenges for regularly test security and incident response
or g a ni s a tio ns , in cl ud i ng th e n eed f or d a t a plans.
protection officers. Failing to test incident response plans can
Finding qualified individuals who possess legal, technical,
and organisational skills for the role is a challenge.
lead to chaos during a security breach.

Challenging Data Privacy Issues Challenging Data Privacy Issues

Component Manufacturers: The origin of Unclear or Impractical Policies: Policies must be both
components used in devices raises national clear and feasible for effective implementation.
security concerns. Policies written in technical jargon may lead to
misunderstandings.
It's essential to know the source and security
E.g.:
of components used in critical systems.
"Unauthorised individuals attempting to access the system
Ever-Changing Risks: The dynamic nature of will be met with robust countermeasures, including but not
hacking threats necessitates continuous learning. limited to rigorous intrusion detection protocols, real-time
Security professionals must stay updated to threat analysis, and immediate implementation of stringent
counter evolving cybersecurity threats. security measures."

56
 10/24/2023

Challenging Data Privacy Issues Challenging Data Privacy Issues

Technically accurate policy. "Unauthorised individuals attempting to access the system
However, it has complex jargon and vague terms will be met with robust countermeasures, including but not
("robust countermeasures", "stringent security measures"). limited to rigorous intrusion detection protocols, real-time
This may lead to misunderstandings among non- threat analysis, and immediate implementation of stringent
technical staff. security measures."
Quick Exercise:
Make this particular policy clearer a nd more "Anyone who tries to access the system without permission
accessible will face strong security measures. These include things like
our system checking for unauthorised access, constantly
specify the exact security measures and procedures monitoring for threats, and taking quick action to make
to be followed in plain language ... sure our security stays tight."

Best Practices in Privacy and Security: Best Practices in Privacy and Security:

Education: Promote a culture of security within Basic Cybersecurity: Prioritise fundamental

organisations.
cybersecurity measures.
E.g. teach employees to validate emails, perform
backups, and use two-factor authentication. E.g., effective password management and
network security are basic but critical.
Continuous Learning: Security professionals should
stay updated through associations, podcasts, and Third-Party Oversight: Establish strong
webinars. oversight of third-party vendors.
E.g. membership in organisations like the Information Due diligence as 3rd party vulnerabilities can
Systems Audit and Control Association (ISACA) or the lead to data breaches
Information Systems Security Association (ISSA)
provides valuable resources.

57
 10/24/2023

Best Practices in Privacy and Security: Outro

Holistic Security: Embrace a comprehensive security
mindset.
◻No one wants to live in places of
E.g. acknowledge that complete security is unattainable but uncontrolled terror and/or
aim for resilience:
e.g., regular data backups/recovery, well defined violence.
incident response plans in case of security breaches,
advanced security monitoring tools and systems, staff ◻However…
training etc
◻No one wants to live in a world of
Physical Security: Include physical security measures in
information security strategies. uncontrolled surveillance
E .g . pr iv a cy f il te r s o n sc r e e ns a n d a w a r en e s s o f
conversations in public places.

Outro Outro
◻ Privacy is a fundamental right that encompasses Balancing technological advancements, legal
various aspects of our lives. obligations, and societal concerns is an ongoing
◻ It is a multifaceted issue with legal, ethical, and social challenge.
dimensions. Balancing the need for privacy with other societal
◻ It's protected by interests, such as security and public safety, is an
laws and ongoing challenge.
ethical principles Organisations must prioritise privacy, adopt best
◻ However, technological advancements and evolving
practices, and adapt to the evolving landscape of
privacy challenges require ongoing attention and data privacy and security.
debate.

58
 10/24/2023

Outro Task
325

◻ Laws and ethical guidelines evolve to ◻ Privacy? I’ve nothing to hide!

◻ Glenn Greenwald is a journalist who reported
address these issues. on the Edward Snowden files.
◻H o w e v e r , t h e r a p i d p a c e o f ◻ These exposed the US government‘s massive

technological change often outpaces surveillance of private citizens.

◻ Watch his TED Talks video: Why privacy
regulatory responses. matters
◻ This makes privacy a continually ◻ https://www.youtube.com/watch?v=pcSlowAhv

evolving topic of discussion and Uk

debate.

References
◻ Burgess, M. (2019, February 14). What is GDPR? The summary guide to GDPR
compliance in the UK. Retrieved from https://www.wired.co.uk/article/what-is-gdpr-
uk-eu-legislation-compliance-summary-fines-2018
◻ Kiprono, D.: Right to privacy must be protected. (2018, April 28). Retrieved from
https://www.nation.co.ke/oped/opinion/Why-right-to-privacy-must-be-protected-
in-digital-age/440808-4535004-cd3jnw/
◻ Lex - 31995L0046 - EN. (1995). Retrieved from https://eur-
lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
◻ M a s o n , R . O
https://www.researchgate.net/publication/242705009_Four_Ethical_Issues_of_the_
Information_Age
◻ Privacy International. (2019, January). State of Privacy Kenya. Retrieved April 29,
2019, from https://privacyinternational.org/state-privacy/1005/state-privacy-
kenya
◻ Venezuela: Guaidó calls on people to take to the streets [Audio blog post]. (2019,
A p r i l 3 0 ) . R e t r i e v e d A p r i l 3 0 , 2 0 1 9 , f r o m
https://www.bbc.co.uk/programmes/p077x4xr

59