10/3/2023
Privacy
PRIVACY
Personal Data vs Sensitive Personal Data
◻ Personal data: any piece of information that
someone can use to identify, with some degree
of accuracy, a living person.
 e.g., name, address, phone number, email
address, date of birth, financial details, and
information related to work, education and
hobbies.
◻ Personal data is also classed as anything that
can affirm your physical presence somewhere.
◻ The right and ability of individuals to control
their personal information and decide how and
when it is collected, used, and shared within the
framework of legal and cultural norms.
◻ Privacy is a significant topic within the realm of
legal and ethical issues.
◻ It involves the protection of an individual's
personal information and their right to keep
certain aspects of their life and identity private.
Personal Data vs Sensitive Personal Data
◻ Sensitive personal data aka as special category
data: a specific set of “special categories” that must
be treated with extra security.
◻ It is a subset of personal data that requires higher
levels of protection due to the potential harm if
exposed.
◻ Includes highly confidential information that, if
mishandled, could cause significant damage e.g.:
 racial or ethnic origin; data related to a person’s
sex life or sexual orientation; and biometric data
(where processed to uniquely identify someone).
1
 10/3/2023

Privacy Data Protection vs Freedom of Information

◻ We want to keep some (if not all) areas of q When data was stored in paper form it
our lives private. was that much harder to work with.
◻ It is our right to do so.
q Today, massive amounts of data can be
◻ Though…
stored, accessed or moved/transferred at
There seems to be a difference in how much
we value our privacy, depending on which the click of a button.
generation we belong to. q Two areas of law become of interest:
■Social media generation q Data protection
■However, too, loyalty cards
q Freedom of information ...

Data Protection vs Freedom of Information Privacy: Key Concepts

◻ Data protection ◻ Data Privacy

there should be controlled access to data qthe protection of personal data and
about me information from unauthorised access or
■For privacy misuse.
◻ Freedom of information q Laws that address this include the Kenya

I’dlike to see/know what information the
government/public authorities have
■subject to certain exemptions
Data Protection Act (2019), Europe’s General
Data Protection Regulation (GDPR) and the
California Consumer Privacy Act (CCPA) in
the United States.

2
 10/3/2023

Privacy: Key Concepts Privacy: Key Concepts

◻ Privacy Laws ◻ Ethical Considerations
 Various countries and regions have enacted privacy laws to q Privacy is not just a legal issue but also an ethical
protect individuals' rights.
one.
 These laws define what constitutes personal data, how it can
q It involves respecting individuals' autonomy and
be used, and the penalties for violations.
■ E.g. they empower individuals with rights over their
their right to control their personal information.
personal data: q Essential ethical principles in this context include
■ Kenya’s Data Protection Act, 2019, empowers Kenyan q consent
citizens to request access to their personal data held
q transparency
by a company.
■ The EU’s GDPR empowers European citizens to request q data minimisation ...
that a company deletes their stored data.

Privacy: Key Concepts Privacy: Key Concepts

◻ Informed Consent
 Individuals should be informed about what data is
collected and how it will be used.
■ E.g., an app asks for permission to access your
location and explains why it's needed.
◻ Data Minimisation
 Collect only the data necessary for a specific
purpose.
■ E.g., an online shopping site only asks for your
name and address during checkout.
◻ Technological Advances/New Technologies
 Big Data, AI, the Internet of Things (IoT), 5G etc
increase data accessibility and pose challenges to
privacy.
 They can collect and analyse vast amounts of
personal data.
■ E.g., predictive algorithms analysing your online
behaviour to make recommendations.
 Ensuring privacy in these contexts is an ongoing
concern.

3

Privacy: Key Concepts
◻ Other major concerns due to the
proliferation of the internet:
◻ Online Privacy
Includes issues lik e tracking, data
col lec tion by w ebs it es an d o n l ine
services, cookies, and the use of
personal information for targeted
advertising.
Privacy: Key Concepts
◻ Social Media Privacy (cont...)
 Platforms' data collection practices and their
use of personal information are subjects of
debate.
 Third-Party Apps connected to social media
can access user data, sometimes without users
realising.
■A quiz app collecting users’ Facebook data
and selling it to advertisers.
10/3/2023
Privacy: Key Concepts
◻ Other major concerns due to the proliferation of the
internet:
◻ Social Media Privacy
 Posting personal information on social media
platforms can expose individuals to privacy risks.
 Users often reveal personal information without
considering the consequences.
■ Sharing geolocation data on social media while
on vacation.
■ Posting vacation plans on social media can
make you a target for burglars.
Privacy: Key Concepts
◻ Healthcare Privacy
 Laws such as the US’ Health Insurance
Portability and Accountability Act
(HIPAA) govern the privacy of medical
records and personal health information.
■E.g., a healthcare provider cannot
disclose a patient's medical history
without their consent.
4
 10/3/2023

Privacy: Key Concepts Privacy: Key Concepts

◻ Workplace Privacy ◻ Consumer Privacy

q Companies often collect and use customer data
E m p l o y e e s h a v e c e r t a i n for marketing and analysis.
expectat ions of pri vacy i n t he ■ E.g., concerns about the security of personal
information when using mobile banking apps.
workplace, but employers may ▪ Safaricom collecting and using customer data
monitor activities to varying degrees. for targeted marketing.
q There are legal and ethical considerations around
 Balancing these interests is essential.
how they handle this data and whether individuals
have consented to its use.

Privacy: Key Concepts Privacy: Key Concepts

◻ Cultural Considerations ◻ Surveillance

 Government surveillance programs and the use of
q Community and Family surveillance technologies (e.g., CCTV cameras,
q Kenyan culture has traditionally placed facial recognition) raise privacy concerns.
 Balancing national security needs with individual
importance on communal living and family privacy rights is a complex ethical and legal
ties. challenge.
q This affects the boundaries of personal ■ Examples:

privacy. ■The debate over the use of facial

recognition technology by law enforcement.
q E.g.,family members may expect access to each ■ Unauthorised interception of text messages.
other's personal information more readily than in
some Western cultures.

5
 10/3/2023

Mass surveillance
Scope creep  mass surveillance

Mass/state/goverment surveillance: they can surveil certain

persons for certain purposes...
Scope creep – now it seems to be ALL information about
ALL people ALL the time.

The Panopticon

Mass Surveillance
◻ The Panopticon
◻ La te 1 8th Cen t ury i de a by J er emy B e nt ha m ( En gl i sh
philosopher and social theorist).
 One invisible warden in a central tower watches many
individuals separated from each other.
 To help manage correctional facilities by inducing good
behaviour
■ the more people are watched, the better they behave.
■ the prisoners do not know who is being watched, thus
they modify their behaviour accordingly.
◻ Inspired George Orwell’s big brother’s all seeing eye in
Prison San Vittore – Milan (built in 1880)
“1984”. 24
Source: thefunambulist.net

6
 10/3/2023

Mass Surveillance Mass Surveillance

◻ Bentham’s Panopticon, and novels by HG Wells ◻ Organisations monitoring your communication

and Orwell, were futuristic fiction. ◻ What determines the content of what you

◻ Today it is a reality. share o n y o u r fav o u rit e soc i al me di a

◻ Today both the state and individuals can use
technology for mass surveillance: ...
 easy due to the prevalence of smart phones,
CCTV in the malls and streets, speed cameras
on the highways, Digital TV sets, ipads ...
network?
Probably influenced by the assumption
that people are watching and judging you.
Others also assume you are watching and
judging them.
So you all self-censor.

Mass Surveillance Mass Surveillance

◻ State surveillance ◻ The surveillance:

◻ Acts as a deterrent

◻ Justification? Insidious
(like the panopticon)
■If we feel we are probably being
To curb terrorism watched we modify our behaviour
To tackle crime … accordingly.
◻ Provides information for investigation
◻ How? … purposes.

7
 10/3/2023

Mass Surveillance Examples Mass Surveillance Examples

◻ 2013: The NSA's mass surveillance programs, revealed by
whistleblower Edward Snowden.
◻ The programs, such as PRISM and XKeyscore, involved the
collection of massive amounts of electronic communications
data, including emails and phone records (plus the ability to
record and replay phone calls), from both U.S. citizens and
non-citizens.
◻ Without judicial warrants;
◻ Using phones + the internet to carry out mass surveillance and
data mining.
 E.g. based on your internet searches and social networking data.
◻ China’s Social Credit System
◻ A nationwide system that assigns scores to individuals
and businesses based on their behaviour.
◻ Collects data from various sources, including financial
transactions, social media activity, and public records,
to assess citizens' trustworthiness.
◻ Individuals with high scores receive benefits, while
those with low scores face restrictions.
◻ Basically mass surveillance and social control
 it involves extensive data collection and monitoring
of citizens' activities.

Mass Surveillance Mass Surveillance

Kenya Kenya

◻ In strategic areas in Nairobi; ◻ To help the police force tackle

◻ cameras that can recognise motor crime, cameras installed in
vehicle number plates Nairobi city
capture number plates of vehicles ■The Nairobi Integrated Urban
involved in traffic offences or crime Surveillance System project.
(stolen/carjacked) Mombasa

8
 10/3/2023

Mass Surveillance Mass Surveillance

Kenya Kenya

◻ Data is being collected, centralised and ◻December, 2012

shared.
◻The Integrated Population
◻ March, 2012: CCK (today’s CA):

Announced an increase in cyber security threats.

Registration System (IPRS)
Declared the need for authorities to monitor ◻Developed for the Kenyan
digital communications.
government by EDAPS, a
◻ Service providers required to install NEWS
(Network Early Warning System) Ukrainian firm.
i.e. equipment used to monitor internet traffic.

Mass Surveillance Surveillance Activities

Kenya Other Examples

◻ IPRS function: to collect and combine data from ◻ March, 2013

databases owned by various government agencies:
◻ All the following registers:
 Birth & death, citizenship, ID card, aliens, passport,
marriage & divorce, elections, tax, drivers, NSSF,
NHIF, the Kenya National Bureau of Statistics.
(Privacy International, 2019)
◻ The running of this system was allegedly subcontracted
to a foreign country.
◻ PS: It was hacked...
◻ The Ministry of Information PS announces that mobile
service providers were blocking at least 300K “hate”
SMSs daily.
◻ Ostensibly to prevent violence in the 4th of March
elections;
◻ service providers had installed software to
 detect messages containing particular words (e.g. kill)
 automatically flag them off for further scrutiny and
potential blocking.

9
 10/3/2023

Surveillance Activities Surveillance Activities

Other Examples Other Examples

◻ April 2014 ◻ Aims:

◻ The Kenyan government proposes the Umoja Kenya ◻ To identify people with fake identification
Initiative, a universal single registration system
documents.
 Activated when a child is born
◻ To provide one digital ID
 Stored in a national digital database.
◻ Collect: to streamline registrations
 Individuals’
biometric details ■E . g.
vo t er , n at i o n al I D, NH IF , NS S F, KR A,
 other personal information collected
commercial/business related.
■E.g.name, age, relatives’ identities, location and assets rather than have different cards for each.
owned.

Surveillance Activities Surveillance Activities

Other Examples Other Examples

◻ July 2015: Wikileaks allegations: ◻ A presidential directive that names of people

◻ The Kenyan government wanted to procure a living with HIV, including school age children be
collected.
Remote Control System tool;
◻ The Kenya Legal & Ethical Issues Network and
 to remote hack and control target devices.
others sued the government in December
◻ R e q ues ted a f or ei gn i n tr u si on ma l w ar e 2016…
company (HackingTeam) to shut down a blog. ◻ December, 2016
◻ This would serve as a Proof of Concept. ◻ Th e High Court in Nairo bi declared th is
◻ If successful they would win the contract to directive unconstitutional.
supply surveillance tools.

10
 10/3/2023

Surveillance Activities Surveillance Activities

Other Examples Other Examples

◻ Argued such a list violated the q January 2017, CA announced their plan to
Constitution’s: implement a device management system:
◻ Article 31 q Ostensibly to identify fake and stolen devices.

the right to privacy q In reality: a spy system to monitor digital

◻ Article 53(2) communications:

the "child’s best interests are of paramount q a third party (a foreign firm) connects to mobile
importance in every matter concerning the service providers’ routers
child." q To snoop on private communication data
q SMS, call and mobile money transfer data.

Surveillance Activities Surveillance Activities

Other Examples Other Examples: Huduma Number
q The Consumer Federation q January 2019
q The president signed into law amendments
denounced it as:
to the Registrations of Persons Act.
qagainst the Constitution q Basically about introducing the National
Integrated Identity Management System
qexposing service providers to
(NIIMS)
lawsuits for breach of q i.e.,a biometric ID card with a unique ID
confidentiality. number
q aka the “Huduma Namba”.
For all Kenyans and all foreign residents.

11

Surveillance Activities
Other Examples: Huduma Number
◻ Previously all that was needed as a
unique identifier was finger/thumb prints.
◻ This amendment added DNA information;
E.g. hand and ear lobe geometry, retina,
iris and voice patterns in digital form.
◻ Also more location info
e.g.land reference number, plot and house
number and GPS coordinates.
Surveillance Activities
Other Examples: Huduma Number
q Once more, massive amounts of personal
data was being collected, centralised and
shared.
q YET!...
q Kenya had yet to adopt data protection
legislation around these activities.
q The project lacked adequate data
protection measures and oversight.
10/3/2023
Surveillance Activities
Other Examples: Huduma Number
◻ March 2019
◻ The National Integrated Identity Management
System (NIIMS) launched.
◻ Aim: one card merging information from
multiple documents.
◻ These numerous implementations of modern
technology are a good thing.
◻ Right?
Data Processing vs Privacy
◻ The constitution enshrines our right to
privacy.
◻ But pre-November, 2019 there was
no law to specifically give it effect.
◻ No data pro t e ct i on l aw  an
individual’s personal information can
be abused by those that obtain it.
12
 10/3/2023

Data Processing vs Privacy Surveillance Activities

◻ A Data Protection Bill has existed in ◻ Previously :

various forms since… No data protection law
◻ 2012…!! No data protection agency/authority.

◻ The Kenyan Dat a Pro tection Bi ll ◻ Yet all this data about an individual
(2019) was the latest version. stored in one database.
◻ At long last (November 8, 2019) the ◻ The problem being there was no law

president signed it into law. to protect it.

Surveillance Activities
Other Examples: Huduma Number (cont) … India
◻ Also: ◻ The Aadhaar number was initially
◻ Is the practice and spirit of it such

initiatives as the Huduma No. from a

publicised as a voluntary service.
genuine place? ◻ Ho wev er citize ns wi tho ut t his

◻ If we are not t o find this system n u m b e r w e r e d e n i e d c e r ta i n

suspect, we must be assured that the crucial services
government has our interests at heart. E.g.collection of payments for those
◻ cf the Aadhar Number…
on welfare.

13
 10/3/2023

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ Data privacy is a right. ◻ Do we need data protection laws?

◻ Data protection laws are not normally seen as ◻ If a man in the middle attack happens

important then your data is open to everyone.

 isdata privacy as important as violation of your Turkey – 2016. Super sensitive information
human rights or freedom of expression?
about its citizens (names, their locations etc)
◻ In many countries, privacy and surveillance found on a torrent file.
rarely seen as important in the larger context.
 We are inured by the oft repeated message:
◻ So what? You have nothing to hide, right?
■Surveilling us is beneficial to us due to increasing security
threats.

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ National IDs registration requires information ◻ E.g. 2016:

on our location of origin. personalised text messages sent to citizens in
◻ Enables whoever is interested to figure out your some counties asking them why they had not
tribe/ethnicity. registered as voters.
chiefs had people’s numbers and their
◻ Your data can be weaponised (used against
locations and would visit them to enquire and
you) e.g. it can be used to track you down. encourage them to vote.
 E.g. voter registration
■toverify that you are on the voter roll, type in your ID no.
◻ Implication: personal data is not secure
■You get your name and voting locale.
and mass surveillance is carried out.
■Nice but then so does anyone else with your ID number

14
 10/3/2023

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ Should someone working at one ◻ Wanting privacy is NOT akin to you

parastatal have access to your data at having something to hide.
another parastatal? Privacy is NOT Secrecy.
◻ How about KRA having across the board
◻ It is the ability to control the collection,
information about you?
use, sharing etc of your personal
E.g. KRA attempts to access M-Pesa
data …
transaction records “to catch tax cheats”.

Privacy vs Secrecy/Surveillance Privacy vs Secrecy/Surveillance

◻ You probably have nothing to hide. ◻ In most countries, governments are

◻ However, you desire the ability to have your allowed to
own space, free thoughts, free speech etc. …
tap private conversations and
◻ … without surveillance.
access personal data
◻ Governments may not want this, as they wish to
prevent dissidence. ◻ As long as
◻ S el f cen so rsh ip also k il ls creativi t y and thereis a valid reason and
innovation. permission from the courts.

15

Privacy vs Secrecy/Surveillance
◻ However some seem to require
citizens to give up their rights in the
name of national security.
◻ Judicial oversight discourages the
government from abusing this
privilege
even if fighting terrorism.
Why should we care?
◻ The information / digital age is powered by
information
◻ Technological advances have led to massive
amounts of our data being out there.
◻ Corporations and governments worldwide
hunger for this information
 This data is sorted and you are profiled based on
the data.
 Worse: automated decisions could be made based
on this data.
10/3/2023
Data Protection Issues
◻ Having nothing to hide shouldn’t justify
lack of data protection legislation.
◻ As a human, you have autonomy...
◻ This is a fundamental right.
Basically, do what you want, when you
wa nt, wi tho ut hin drance / feel i ng
watched.
Why should we care?
◻ We have little/no ability to control what is
d o n e to o u r da ta i f t h e r e ar e n o l e g a l
mechanisms in place.
◻ Your digital persona can easily affect your
physical persona negatively
 Persuasion through ads
 Harassment e.g. cyberbulling/stalking
 Blackmail eg ransomware
 Discrimination
■Information in the wrong hands can be dangerous
16
 10/3/2023

Why should we care? Why should we care?

◻ Information is a priceless commodity that ◻ Big data firms seem to have more power than
we give out for free. governments.
◻ Governments want to regain their power
◻ Why not sell it?
◻ A country may have exponential growth in e-
Watch Stuart Lacey’s TEDxBermuda talk commerce (as Kenya does).
titled: “The Future of Your Personal Data -  Manycitizens run their businesses on FB, Instagram,
Privacy vs Monetization” e-commerce platforms like Jumia and Amazon.
https://www.youtube.com/watch?v=JIo- ◻ No legislation to protect data means people’s
V0beaBw sensitive data is online but unprotected.

Why should we care? Why should we care?

◻ Data breaches ◻ EU countries have the power to hold

E.g.instances of millions of FB accounts being
hacked.
FB has a lot of data about a lot of people…
◻ GDPR: To transact with businesses based
in EU countries/trade we must have data
protection laws.
W i t h o u tthem we miss out on trade
corporations to account
e.g. telling FB that it’s standards are not
up to par with their legal requirements
◻ This protects their citizens’
data/privacy.
◻ Governments without such legislation

opportunities. may have no standing to do the same.

17
 10/3/2023

Data Protection Issues

Data Protection ◻ Having massive amounts of

Legal, Ethical and Human Rights Issues
personal information 
profiling  denial of services.
◻ Concerns:

Legal
Ethical
Human rights

Data Protection
Legal Issues

◻ For a long t ime the re h as been no data

Data Protection protection law/legal framework to support the
go v e rn m e n t c o ll e cti n g hu ge am o u n t s o f
Legal Issues personal data.
 Fortunately the constitution did protect citizens
(Article 31).
◻ E.g. as of 2019, a popular Kenyan service
provider + a local bank teamed up to provide
overdrafts to subscribers …

18

Data Protection
Legal Issues
◻ When you opt in, one of the T&Cs is:
You allow them access to the information the
Integrated Population Registration System
(IPRS) system holds about you.
■IPRS was developed for the Kenyan
government (NOT private corporates!!).
◻ Ditto other businesses with apps that offer
credit services …
Data Protection
Legal Issues
◻ Can malicious entities get access
to this information then?
◻ With access even to DNA info?
◻Can I be tracked using my
eye/facial recognition data from
all the CCTV cameras?
10/3/2023
Data Protection
Legal Issues
◻ How and why did private entities have access
to such potent data?
◻ B e c au se the r e wa s n o l e ga l f r am ew o r k
governing the IPRS.
◻ Th e Reg ist ration of Pers ons Act all ows
collection of data but doesn’t discuss it’s
protection.
◻ The government should not serve private
business interests; it should serve the citizens.
Data Protection
Legal Issues
◻ Danger of private communication data
held by CA being exposed;
◻ January, 2017: The CA website hacked by
AnonPlus who placed their manifesto on the
homepage
Th ey prom i se d to “d ef en d free d om o f
information, freedom of the people and
emancipation of the latter from the oppression
of media”.
19
 10/3/2023

Data Protection Data Protection

Legal Issues Legal Issues

◻ Errors in personal data q Privacy violations

 From e.g. data storage/transfer glitches or hacks
◻ If my data (e.g. DNA data) is corrupted:
 wrongful arrest (mistaken id)?
 denial of services?
■both by government or private entities
■E.g. your credit history is ruined due to automated
decisions
■living in a certain neighbourhood …
q A lender app accesses your phone book and sends
messages shaming you to your contacts
q Today Apple notifies you when an app wants to access
your contacts, location, photos etc.
q It wasn’t always so.
q Without your consent apps would:
q access your address book (almost 1/5 of all its apps),
q track your location (2/5 of the apps) and
q have this data stored unencrypted (> 2/5 of the apps).

q identity theft aka identity fraud

Data Protection
Ethical Issues

Data Protection ◻ How ethical are the following:

◻ Compulsory collection of sensitive personal

Ethical Issues data (DNA, GPS coordinates etc) for the

sake of collection?
◻ State “honesty” in explaining its data

collection?
Is the passing of amendments to certain laws
done with transparency / accountability /
integrity in mind?

20

Data Protection
Ethical Issues
◻ How ethical are the following:
◻ The state having considerable
insight into our lives?
◻ The state enabling others (private
corporations/individuals) to have
insight into our lives
e.g. through security breaches)?
Data Protection
Human Rights Issues
10/3/2023
Data Protection
Ethical Issues
q How ethical are the following:
Treating humans as their data (am I my data)?
q
q “ok” and profitable for businesses but…
q … governments actions should not be driven by
commercial interests/profit margins
q Cambridge Analytica – data used to breach
the democracy of at least two developed
nations.
q How sovereign are we?
Data Protection
Human Rights Issues
Right to privacy
q
q The state/its official organs having massive
amounts of data can be dangerous
q Your information can be weaponised
q E.g. genocide is made easy…
q Marginalisation (resource allocation)
q Wrong profiling – you are of religion X
therefore you are a terrorist
q (automated decision making)
21
 10/3/2023

Data Protection Data Protection

Human Rights Issues Human Rights Issues

Right to privacy
◻

◻ The data collector may not be a government

◻ Right to privacy
officer ◻ Once more:
 they may simply be hired contractors trained
with no notion of privacy ◻ Privacy is a fundamental

◻ cf human right.
 Huduma namba;

 p o l i t i c al SM S s s e n t t o y o u r “ pr i v a te ”
cellphone number

Data Protection Data Protection

Human Rights Issues Human Rights Issues

◻ Right to Dignity q Right to Equality

◻ Violation of dignity:
qArticle27 of the constitution.
The state + private corporations too
aware of your activities/life qNo discrimination …
◻ Your have a right to your freedom qR e g a r d l e s s o f
and security gender/ethnicity …
■Beingtreated as a human.
■Automated decision making violates that.

22
 10/3/2023

Data Protection Data Protection

Human Rights Issues Human Rights Issues

q Right to Equality ◻ Right to Equality

q No discrimination … Regardless of gender/ethnicity …
q Locationinformation: ■W h y fill these details in
q We are told information is collected to
government forms then?
provide services.
■Provision of DNA information can
q What about the homeless? Refugees?
People living in domestic violence shelters? be used to trace your ancestors’
q No services for them? origins.

Data Protection Data Protection

Human Rights Issues Human Rights Issues

◻ Right to Equality ◻ Right to Equality

◻ Not being treated equally = torture ◻ Not being treat ed e qually =

A database for People Living with HIV. torture

■To serve what purpose?
Say you are not in the database …
A u t o m a t e d decision making  ■No government services?
■Infringes on your right to welfare payments,
profiling  discrimination right to health care, right to vote …
■cf Aadhaar number

23
 10/3/2023

Is Data Protection Legislation Necessary? Is Data Protection Legislation Necessary?

q Mass surveillance implies data on individuals
is gen erat e d, col lect ed and pro cesse d
re gar dl ess of t he i r be i ng i nv o l ve d (o r
suspected to be involved) in criminal activities.
q This “distorts the burden of proof principles,
leads to an unaccountable increase in power,
and has a chilling effect on individual action
q When individuals are under constant surveillance, there
may be a presumption of guilt or suspicion, shifting the
burden of proof from the prosecution to the defense.
q Mass surveillance can create an environment where
individuals are treated as potential suspects until they
can prove their innocence.
q This chilling effect on freedom of expression
q Knowing that they are being monitored, individuals

and the exercise of free speech.” may self-censor their online activities and
communications out of fear of being targeted or
(Kiprono, 2018) ... labeled as a potential threat.

Is Data Protection Legislation Necessary?

◻ Good governance requires the state to respect its

citizens right to express their opinions freely.
96 Data Protection Legislation
 E.g.in exposing corruption, injustice and malpractices against
consumers
■Buyer Beware.
 Fighting terrorism shou ld not be an excuse for bad
governance.
■ Not the right way to fight terrorism.
■ Identify the root problem.
■ What makes someone become a terrorist/radicalised?
■ Could it be marginalisation/discrimination?

24
 10/3/2023

The Data Subject What should a DPL look like?

◻ Most probably you.
◻ The EU’s General Data Protection Regulation (GDPR) defines
a ‘data subject’ as an “identified or identifiable natural
person” from whom or about whom information is collected.
 Natural person: a company or organisation cannot be a
data subject
◻ A person who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to
one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that
natural person.
◻ Scope
 Individual right to privacy - protect the data subject (the
Kenyan citizen)
 The protections offered should be at par with/better
than those offered internationally
■e . g .
th e o b l i g at i o n s of co m me r c i a l e n ti ti es w h en
generating/collecting, processing, storing the data.
■What the state does with your data
■Data sovereignty – data is subject to the laws and
governance structures within the nation it is collected. Data
sovereignty comes into play when the data is stored
outside the country and is subject to that country’s laws.

What should a DPL look like? What should a DPL look like?

◻ Specific limitations on the rights ◻ Data categories

as per the constitution e.g. how to collect/store/process
◻ Clear definition of consent e.g.: sensitive personal data …
Does silence assume consent? i.e. information that can be used to

Should I be opted in without my

discriminate against you e.g.:
■information about minors, race, tribe,
knowledge?
trade union membership, gender,
marital status.

25
 10/3/2023

What should a DPL look like? Players

◻ Remedies/modes of ◻ Two entities/persons:

redress Data controller
◻T h e da t a p r o t e c t i o n
Data processor
oversight authority and its
independence

Players Players

◻ Data controller ◻ Data processor

The person or entity that determines ◻ A person/entity that, on behalf of the data
controller,
■the purpose for which personal data is
 collects
personal data
collected and processed
 processes this data
■the means and method of processing it ◻ Does not own or control the data they process
◻ i.e., dictates how and why data is going to  They can’t change the purpose and the means in
be used by the organisation. which the data is used.
 They are bound by the instructions given by the
data controller.

26
 10/3/2023

Players Players
◻ Basically, a data controller determines why and ◻ Example (cont...):
how personal data should be processed while
◻ a data processor carries out these tasks on behalf of
◻ The uni is the data controller and
the controller. ◻ The security firm is the data processor.

◻ Example: ◻ The uni could also act as both when

◻ Say the university has hired a security firm. collecting other data
◻ The uni determines what information is to be e.g. student registration data.
gathered at the gate about the students/staff/other
visitors.

Data Privacy Laws

◻ M a n y c o u n t r i e s / r e g i o n s h av e l a w s 108 Data Privacy Laws

protecting individual’s privacy.
◻ What varies is the comprehensiveness and
The EU Context
enforcement of these laws.
◻ The EU’s GDPR is often seen as the gold

standard in privacy laws due to its wide

scope and stringent enforcement
mechanisms.

27
 10/3/2023

The EU’s GDPR The EU’s GDPR - Penalties for Violation

◻ The EU has a comprehensive data privacy law known
as the General Data Protection Regulation (GDPR).
◻ A data subject has rights under the GDPR that aim to
protect their privacy and right to self-determination.
◻ The GDPR
q enhances individuals’ control and rights over their
personal information
q simplifies regulations for international business.
q governs the transfer of personal data outside the
EU and the European Economic Area (EEA).
◻ Severe and designed to be effective, proportionate
and dissuasive for each individual case.
◻ For especially severe violations, listed in Article 83 (5)
GDPR, the fine framework can be up to 20 million
euros, or up to 4% of the organisation’s total global
turnover of the preceding fiscal year, whichever is
higher.
◻ Less severe violations in Article 83 (4) GDPR sets forth
fines of up to 10 million euros, or up to 2% of the
organisation’s entire global turnover of the preceding
fiscal year, whichever is higher.

The EU’s GDPR - Penalties for Violation

Severe Penalties Examples

◻
112 Data Privacy
◻ Facebook’s parent company Meta was fined a
record-breaking €1.2 billion for transferring The Kenyan Context
data collected from Facebook users in the
EU/EEA to the US, violating GDPR international
transfer guidelines.
◻ Amazon was fined €746 million for tracking
user data without acquiring appropriate
consent from users or providing the means to
opt out from this tracking.

28
 10/3/2023

Web & Mobile Presence

Data Availability
Kenya
Both mobile and internet penetration is very high.
◻

 According to the Communications Authority (CA,

Technological advances
the Kenyan telecommunications industry regulator),
in March 2017: 
■ 39.1 million mobile subscriptions (86.2% mobile
penetration) Massive amounts of data
■ 40.59 million internet users (89.4% internet
penetration)
 Millions active on social media daily.

Data Availability Kenya’s Privacy Laws

Enshrined in
Massive amounts of data
◻

 Kenya’s constitution and

 the Data Protection Act
 ◻ The constitution protects the right to privacy,
including protection against unnecessary revelation
Need for data privacy ◻
of information or infringement of communication
The Data Protection Act regulates the processing of
personal data, provides for the rights of data
subjects, and outlines the obligations of data
controllers and processors

29
 10/3/2023

1. Constitutional Privacy Protections Further…

◻ The right to privacy is enshrined in Article ◻ Article 2: should Kenya sign/ratify international
31 of the Kenyan constitution: treaties/ conventions they become part of the
Kenyan domestic law.
Every person has the right to privacy.
◻ Kenya is a signatory to
This includes the right not to have  the Universal Declaration of Human Rights (UDHR)
■their person, home or property searched; ◻ and has ratified
■their possessions seized;
 the International Covenant on Civil and Political
■information relating to their family or private Rights (ICCPR)
affairs unnecessarily required or revealed; or ◻ They include privacy rights.
■the privacy of their communications infringed.
(Kenyan Constitution: Chapter Four, Part 2, Article 31)

Limitations to Privacy Rights Limitations to Privacy Rights

(Kenya) (Kenya)
E.g. don’t just say you are fighting terrorism
◻ A rt i cl e 2 4 ( 3) r e qu i re s ◻

q Terrorism should be no excuse for poor governance

anyone wishing to limit any ◻ P r o v i de a s p e ci f i c re a s o n f o r t h e dat a
collection:
fundamental right to justify q Avoid data collection for the sake of data collection
themselves. ■ E.g. only take my DNA information only after I
commit a crime
◻ They must identify the ◻ Reason usually given is “to provide government
services”
need… q To business entities?

30
 10/3/2023

Limitations to Privacy Rights Limitations to Privacy Rights

(Kenya) (Kenya)

◻ Remember: ◻ Our personal information may be collected/

processed/shared etc …
◻ A Kenyan’s right to privacy includes the ◻ …only if article 24 of the Constitution is
r i g h t N O T to h av e “ i n f or m a t i o n adhered to.
 Justify/id the need.
relating to their family or private
◻ Our rights and fundamental freedoms may be
affairs unnecessarily required or limited "for the purposes, in the manner and
revealed; …” to the extent" set out in Article 24 of the
Constitution…

Limitations to Privacy Rights

(Kenya) Data Privacy Laws
Limited for the purposes...
◻

 E.g. such restrictions may only be imposed for purposes of

q A data protection law serves to
respecting others’ rights/reputations, or national security, public act as a framework that provides
order, public health or morals.
◻ ...in the manner... guidelines on personal data:
 Restrictions/limitations to our right to privacy must be legal and qWho the data controller is
follow due process
■ e.g. acquisition of warrants. qWho processes the data.
◻ ...to the extent... qH o w / w h y / w h e r e t h e d a t a i s
 s u ch r e st r i ct i ons m ust n ot o n ly be n e ce ssa ry bu t a l s o
proportionate. processed.
■ NOT some people sh ot u p a mall , let’s gat he r ALL
information about ALL people

31

Data Privacy Laws
◻ Data is a right; a human right …
◻ i.e. it is a right attached to a human;
◻ not property/a business asset
You are a person, you are not your data.
■Sure, I can extract patterns from your
data and make decisions based on them
but you’re human, not a game of chess.
■Decisions should not be automatically
made based on your data.
2.1 Purpose of the Act
◻ gives effect to Article 31(c)and (d) of the
Constitution
 (the right every person has not to have (c)
information relating to their family or private
affairs unnecessarily required or revealed; or
(d) the privacy of their communications
infringed.)
◻ establishes the Office of the Data Commissioner
◻ regulates the processing of personal data
10/3/2023
2. The Kenya Data Protection Act,
2019
◻ Governs how personal data is
collected, processed, and transferred,
both within Kenya and internationally.
◻ Expedited following concerns raised
over the Huduma Namba registration
exercise.
the safety of citizens’ personal data
collected by the Government.
2.1 Purpose of the Act
◻ provides for the
 rights of data subjects (individuals whose
data is being processed)
 obligations of data controllers (those who
d e t e r m i n e th e p u r p o s e an d m ea n s o f
processing of personal data) and
 the obligations of data processors (those that
process personal data on behalf of the data
controller)
32

2.2 Data Protection Principles
◻ Data Controllers and Processors must:
process data lawfully;
minimise collection of data;
restrict further processing of data;
ensure data quality;
e s t a b l i s h a n d m a i n t a i n s e c u r i t y
safeguards to protect personal data.
The Data Protection Act of 2019
q They must provide data subjects with a notice explaining
how their data will be collected, processed, and stored.
q They must include details on the purpose of the data
processing, the legal basis for the data processing, and
the party to whom the data will be disclosed.
q Data controllers must also obtain explicit consent from
data subjects before they can process their personal
data.
q They must ensure that they only collect and process data
that is necessary for the purpose they seek to achieve.
10/3/2023
The Data Protection Act of 2019
q Law to safeguard citizens’ personal data.
q Sets out comprehensive provisions for the collection,
use, storage, and handling of personal data.
q seeks to promote and protect the privacy of
personal data and ensure that data controllers,
data processors, and data subjects adhere to the
highest standards of data protection.
q sets out stringent requirements for data controllers
on what to do with the personal data they collect...
The Data Protection Act of 2019
◻ The Data Protection Act also gives data
subjects the right to access their personal data
held by data controllers.
◻ Data subjects can request data controllers to
provide them with a copy of their personal
data, and data controllers must respond to
these requests within thirty days.
◻ Data subjects can also request data controllers
to rectify, delete, or restrict the processing of
their personal data.
33
 10/3/2023

The Data Protection Act of 2019 The Data Protection Act of 2019
Data controllers must comply with these requests, except
◻

under specific circumstances set out in the Act.
◻ The Act also provides for the protection of data subjects’
rights against unauthorized processing, loss of data, or
destruction of data.
◻ Data controllers must take appropriate measures to
safeguard personal data, including measures to prevent
unauthorised access, modification, disclosure, or destruction
of personal data.
◻ Data controllers must also put in place adequate technical
and organisational measures to ensure the security of
personal data.
◻ The act establishes the office of the Data
Protection Commissioner, who is
responsible for overseeing and enforcing
data protection regulations in Kenya.
◻ Th e Commiss ion er has th e powe r t o
investigate data controllers and
processors suspected of violating data
protection laws and to impose sanctions on
violators of the law.

The Data Protection Act of 2019 The Data Protection Act of 2019

q Regulates the processing of personal data q You have the right to know how your information
is handled.
and information. q You have the right to request your personal data
q GDPR principles informed the bill on the be deleted/edited if it is inaccurate.
q The right to data portability is enforced.
governance of this information
q A data subj ects can obt ain dat a th at a data
q How it is handled, stored and shared. controller holds on them and reuse it for their own
purposes.
q Illegal processing of personal data is q You now have the right to refuse an organisation to
punishable by law. transfer your personal data to another organisation.
q Should be a relief to cellphone users.
q Upto 3,000,000/= fine or a maximum of 2
years in jail.

34
 10/3/2023

2.3 Registration of Data Controllers

The Data Protection Act of 2019
and Processors
◻ To paraphrase an ICT CS: ◻ All data controllers and data
◻ KQ, tourist hotels etc must comply processors must be registered with
when handling personal data from the Data Commissioner.
clients. ◻ They must register themselves and
◻ Also phone-based lenders such as
renew their registration every 3
Safaricom, who gather tons of
years.
p e rs o n a l d at a t h r o u gh se r v i c e s
offered jointly with local banks.

2.4 Transfer of Personal Data Outside Kenya 2.4 Transfer of Personal Data Outside Kenya

◻ All data controllers/data processors must ◻ The following conditions ensure that cross-border data
ensure at least one copy of personal data to processing is carried out with proper safeguards and
which the Act applies is stored on a server or consideration for data subjects' rights and privacy.
data centre located in Kenya 1. Adequate Protection
2. Consent
◻ Cross-border processing of sensitive personal
data is prohibited 3. Legal Obligations
4. Vital Interests
 the transfer of personal data to foreign countries or
international organisations is only allowed when 5. Public Interest
ce rtain cond it ions are met or unde r cert ai n 6. Legal Claims
circumstances specified in the Act...

35

2.4 Transfer of Personal Data Outside Kenya
◻ Adequate Protection: if the foreign
country or organisation ensures an
adequate level of protection for the
data.
the receiving entity must have data
protection laws or mechanisms in
place that are equivalent or similar
to those in Kenya.
2.4 Transfer of Personal Data Outside Kenya
◻ Legal Obligations: if such transfers
are necessary for the performance of
a contract between the data subject
and the data controller or for the
implementation of pre-contractual
measures taken at the data subject's
request ...
10/3/2023
2.4 Transfer of Personal Data Outside Kenya
◻ Consent: if the data subjects have
provided explicit and informed
consent for their data to be
transferred abroad.
This consent must be obtained
before the data transfer takes
place.
2.4 Transfer of Personal Data Outside Kenya
Example:
◻
◻ A cloud service provider, hosting sensitive data for various
clients, is legally obligated to implement strict security measures
to protect the confidentiality and integrity of the data.
◻ To comply with these legal obligations, the provider regularly
conducts security audits, encryption of stored data, and access
control measures.
◻ They must also report any data breaches promptly to both their
clients and relevant authorities, as required by data protection
regulations.
◻ These legal obligations ensure the safety and privacy of client
data stored on their servers.
36

2.4 Transfer of Personal Data Outside
Kenya
◻ Vital Interests: if the data transfers are necessary
to protect the vital interests of the data subject,
particularly in life-threatening situations.
◻ The processing of personal data may be necessary
to protect the person's life or physical health in e.g.
 medical emergencies,
 natural disasters, or
 si tua tions wh ere an i ndi vidual 's l i fe is i n
immediate danger.
2.4 Transfer of Personal Data Outside Kenya
◻ Public Interest: if the data transfers are
necessary for the performance of a task
carried out in the public interest or in the
exercise of official authority.
e.g., to conduct a public health survey
during a disease outbreak.
This is done in the public interest to
protect the health of the population.
10/3/2023
2.4 Transfer of Personal Data Outside Kenya
◻Vital Interests Example:
◻If you are unconscious and
admitted to a hospital, medical
professionals may process your
personal data without consent if it
is necessary to provide life-saving
treatment.
2.4 Transfer of Personal Data Outside Kenya
◻ Legal Claims: Transfers of data may be
allowed if they are necessary for the
establishment, exercise, or defense of legal
claims.
 E.g. a law firm processes personal data
without consent to pursue a legal claim on
behalf of a client in a court case.
 This processing is necessary for the
establishment, exercise, or defense of legal
claims ...
37
 10/3/2023

2.4 Transfer of Personal Data Outside Kenya 2.5 Exemptions

◻ Legal Claims Example: ◻ The processing of personal data is exempt
A software company is facing a legal dispute with a former
from the provisions of the Data Protection
◻

employee who claims they were wrongfully terminated.

◻ To defend themselves, the company needs to gather evidence Act;
related to the employee's performance, attendance records,
and communication logs during their employment.  for national security or public order
◻ This involves collecting personal data, such as the employee's reasons;
work-related emails, attendance records, and performance
evaluations.  when disclosure is required by or under
◻ The company processes this personal data without the explicit any written law or by an order of the
consent of the former employee, as it's necessary for the court.
defense of their legal claim against the wrongful termination
allegation.

How DPL Is Enforced in Kenya How DPL Is Enforced in Kenya

◻ Through the Data Protection Act and q A Data Protection Commissioner
various regulations that operationalise the serves as the Data Protection
provisions of the Act.
Authority that:
◻ The Data Protection (Compliance and

Enforcement) Regulations, 2021 outline qr e g i s t e r s o r g a n i s a t i o n s /

the compliance and enforcement businesses that own, manage, or
provisions for the Data Commissioner, control data.
Data Controllers, and Data Processors.
qinvestigates data infringements

38
 10/3/2023

How DPL Is Enforced in Kenya How DPL Is Enforced in Kenya

◻ The Act requires that any person who acts as a ◻ Cross-border processing of sensitive
data controller or data processor must be
personal data is prohibited and only
registered with the Data Commissioner.
 ... and renew their registration every 3 years.
allowed when certain conditions are
◻ Every data controller or data processor is
met or under certain circumstances
required to ensure the storage, on a server or specified in the Act.
data centre located in Kenya, of at least one ◻ In case of non-compliance with these
serving copy of personal data to which the Act
applies.
regulations, penalties may be
imposed.

The Kenyan Data Commissioner’s Roles The Kenyan Data Commissioner’s Roles

◻ The ODPC (Office of the Data 1. Oversee the implementation of

Protection Commissioner) ensures and be responsible for the
that personal data is handled enforcement of the Data Protection
responsibly and that individuals’ Act.
privacy rights are upheld. 2. Establish and maintain a register

◻ They do this via the following 11 of dat a co nt ro ll e rs and data

roles ... processors.

39

The Kenyan Data Commissioner’s Roles
3. Exercise oversight on data
processing operations, either of own
motion or at the request of a data
subject, and verify whether the
processing of data is done in
accordance with the Act.
4. Promote self-regulation among data
controllers and data processors.
The Kenyan Data Commissioner’s Roles
7. Take such measures as may be
necessary to bring the provisions of this
Act to the knowledge of the general
public.
8. Carry out inspections of public and
private entities with a view to evaluating
the processing of personal data.
10/3/2023
The Kenyan Data Commissioner’s Roles
5. Conduct an assessment, on its own initiative
or at the request of a private or public body,
for the purpose of ascertaining whether
information is processed according to the
provisions of this Act or any other relevant
law.
6. Receive and investigate any complaint by
any person on infringements of the rights
under this Act.
The Kenyan Data Commissioner’s Roles
9. Promote international cooperation in matters
re lat i n g t o dat a prot e ct i o n an d en su re
country’s compliance on data protection
obligations under international conventions and
agreements.
10.Undertake research on developments in data
processing of personal data and ensure that
there is no significant risk or adverse effect of
any developments on the privacy of individuals.
40
 10/3/2023

The Kenyan Data Commissioner’s Roles Enforcement of DPL: Kenya vs EU

11. Perform such other functions ◻ T h e D at a Co m m i s s i o n e r i n

as may be prescribed by Kenya plays a crucial role in
any other law or as enforcing data protection laws.
◻ In comparison, EU’s GDPR is
necessary for the promotion
enf orce d by e ac h m e m be r
of the object of this Act.
state’s national data protection
authority ...

Enforcement of DPL: Kenya vs EU Enforcement of DPL: Kenya vs EU

These authorities are independent public
q
◻ Like Kenya’s Data Commissioner,
authorities that supervise, through investigative
and corrective powers, the application of the these authorities have powers to
data protection law. qcarry out investigations in the form
q They provide expert advice on data protection of data audits,
issues and handle complaints lodged against
qissue warnings for non-compliance,
violat ions of the GDPR and the relevant
national laws. qissue corrective measures such as
q There is one such authority in each EU Member bans on processing and fines.
State.

41
 10/3/2023

Enforcement of DPL: Kenya vs EU

◻ Unlike Kenya where there is

a single Data Commissioner,
GDPR enforcement can vary
by member state as each
state has its own national
data protection authority.

42