Data Protection is an emerging legal subject that
has captured the attention of many jurisdictions. Kenya finally caught on with
the rest of the world when it enacted the Data Protection Act (DPA) 2019 which
was operationalized in November 2020 when the Data Commissioner, Immaculate Kassait, was
appointed. The Act established the Office of the Data Protections Commission
(ODPC) which has now began its operations under the Act. Very recently the ODPC
was seen flexing its muscles when it issued its first fine of Kenya Shillings
Five Million (Kshs 5,000,000/-) against Oppo for breaching the provisions of the
DPA.
The DPA has
borrowed heavily from the General Data Protection Regulation of the European
Union which is lauded to be the most progressive data protection regulation in
the world. It is therefore safe to state that the DPA is equally progressive; it creates rights of data subjects, provides for
principles of data protection, provides for commercialization of data, creates
offences, prescribes penalties and
so on.
The scope of its application is wide as it applies
to any data processor or controller processing data belonging to data
subjects in Kenya whether or not the data processor or controller is
established or ordinarily resident in Kenya. The Act possesses a unique quality
of extraterritorial application which may pose a practicality
challenge.
Although the extraterritorial clause is standard
clause for many Data Protection legislation across the world, these clauses are
difficult to enforce as and of themselves due to the old-age international law
principles of sovereignty of states. To mitigate this, nations
have resorted to pursuing bilateral agreements thereby ensuring
that their municipal data protection statutes are enforced and that each
other's sovereignty is protected. A good example is the Privacy Shield
Agreement between the United Stated and the European Union. This agreement
imposes upon the US a responsibility to in place data protection measures that
are aline with the requirements of the EU General Data
Protection Regulation without which the EU could not allow data transfer to the US.
The internet has turned the world into a global village; completely breaking national boundaries and making communication very easy. For instance, social media has developed into one of the most popular tool of communication. There is no escaping it; its utilization is widespread and its effects are global. Many Kenyans have access and have created profiles on social media platforms such as Facebook, Instagram, Twitter, Whatsapp, Youtube, Linkedin, Titktok . These social media platforms are created and owned by companies that are based abroad, with some situated in the United States, Ireland and others in China.
A reading of section 4 (b)(ii) of the DPA suggests that the Act
applies to the companies owning social media in spite of their nationality
provided that they are processing the personal data of data subjects located in
Kenya.
There are numerous amounts of personal data protection in the hands of
the companies owning social media networks. In order to ensure that the data
belonging to Kenyan social media users is protected as envisioned by the
Act, the Data Commissioner may need to work towards entering into bilateral
agreement with countries that host the companies owning popularly social media
platforms by Kenyans. The DPA mandates the Data Commissioner to promote
international cooperation in matters relating to data protection which mandate will, in
my estimation, be discharged achieved progressively.
The law must not be left to operate in a vain and
as such the ODPC should take up the burden of
ensuring that all the provisions of the DPA have a concrete application. It
shall be interesting to witness how they the ODPC will ensure that section
4(b)(ii) is made practical.