Let them cry not in the Range Rover

This article was first published on Nairobi Business Monthly November 2016

Many apply foundation to hide black eyes. Others don shades to hide red eyes. Others fell on the stairs while others just ignore the whole vibe when it is brought up. Author Yvonne Adhiambo Owuor wrote in her book Dust (2013) about the four languages of Kenya: English, Kiswahili, Memory and Silence. We have embraced the former too quick. We refuse to talk about the ghosts that roam in our midst. The words accept and move on are engraved in our hearts. More will die and it will go unreported because of our selective outrage.

Gory images of chopped hands were all over digital media. The outrage was as instant as the middle class knack for tweeting and we saw some action being taken. Same script when musician Koffi Olomide kicked a dancer at the airport. The chap was arrested and deported without being tried, but the message was sent. You cannot assault a woman in public in our world of digital media.

But what about the world where people don’t really care about taking videos? What about that part of Kenya where the chief and pastors have to quell fires amongst couples day in day out? Should official action be a result of digital outrage? Can’t we just develop norms where women, primary victims in gender-based violence, are respected?

Kenya has really good laws that address this vice. The Constitution, Article 28 recognizes a person’s right to dignity and Article 29, recognizes the right not to be subjected to any form of violence from either public or private sources. The Penal Code’s Chapter 26 is on assault, which is basically used in charging perpetrators of gender-based violence.

However, these laws don’t seem to do much in terms of addressing gender based violence. There are two scenarios of this vice: Domestic violence and gender based violence at the work place. The latter is almost never reported because of fear of victimization and unemployment. So a lot of abuse goes unreported and even where there are out in the open, the victims are in too much fear that they apologise for provoking the boss. We saw this play out well when Koffi Olomide’s dancer recorded a video together with the singer to defend his action.

Few years ago, Alassane BA of Shelta Afrique was accused of assaulting staff, Karen Kandie. Upon his arrest, he invoked diplomatic immunity and the court held that he could not be tried in Kenya. This was among the few cases of gender-based violence at the work place that got reported. Unfortunately, Ms Kandie did not get justice.

When it comes to domestic violence, the challenge is that they are majorly crimes of passion.  A common scenario during trial processes of perpetrators is where the complainant withdraws charges so as to secure the release of the accused due to various reasons. In some cases, the perpetrator might be the sole breadwinner and their stay in remand is not doing the family any good. Or maybe the victim has been coerced by the perpetrators relatives to forgive him.  Or in cases where the accused was able to secure their release after paying cash bail, the complainant and accused who most likely still live together will attend court then go back to the same house, or even bed.

In 2015, the Protection against Domestic Violence Act was enacted to provide for the protection and relief of victims of domestic violence. The drafters of law seem to have understood the challenge of prosecuting domestic violence from the protection clauses the Act contains. The act seems to have picked the geist of the Criminal Procedure Code Section 176, which promotes reconciliation in cases of common assault.

The Act is elaborate in its definition of violence and a relationship, which is meant to clear all ambiguities during interpretation. It also obligates the Police Service to have protection mechanisms for victims of the violence. Hence there is no shortage of laws to address this vice.

The silver bullet seems to be in society developing norms where women are respected and protected, where women are viewed and treated as human beings with dignity and not property. Norms where reconciliation between parties in a case of domestic violence is done with the best interests of the victim and not family image.

To get a lasting solution to this vice, religious and community leaders must come together so as to avoid creating conflicting norms. In the recent case of Jackline Mwende, the lady who lost both hands, she narrated how her religious leader encouraged her to stay in the marriage. The vow ‘Till death do us apart’ does not include death induced by one of the partners in the marriage. Hence in their teachings, religious leaders must come out strongly against this vice while working together with security agencies in creating effective protection mechanisms.

We should strongly condemn gender-based violence and unite to eradicate an environment where the vice thrives. While silence is golden, in this case it is a poison that is killing us slowly. Creating an environment where people can speak out should be our priority.
“Of pain you could wish only one thing: that it should stop. Nothing in the world was so bad as physical pain. In the face of pain there are no heroes.” – George Orwell

Should we really regulate tech?

An edited version to this article was first published on Nairobi Business Monthly October 2016

Lady Justice Mumbi Ngugi of the High Court of Kenya declared, in May, section 29 (b) of the Kenya Information and Communication Act unconstitutional. This provision of law was found to be vague by the learned judge. Geoffrey Andare, a web developer who was charged under that Section in 2015 successfully challenged its constitutionality and the charges against him were dropped. This was the case for other bloggers who had been arrested for the offense this year.

Fast-forward to July and a Bill whose purpose is to regulate ICT practitioners surfaced. Its vagueness is stupefying to the extent that it may appear like there must be a vague law that touches on ICT at any given time.

Laws are not created to be aspirational documents and it is unfair to everyone including lawmakers to engage in acts of futility. This is why understanding the subject matter of a law is important. Information and communication technology is not only complex but also disruptive. It is a wave, which has destroyed careers at the same rate that it has created them.

The proposed law in Section 2 states the definition of ICT which ropes in all the possible uses of the technology including collecting, storing, processing, using and sending out of information. The definition includes the use of computers, mobile apparatus or any telecommunication system in the aforementioned activities. Further in the same Section, ICT practice is defined as practice of ICT for a fee or gain either in kind or cash while a practitioner is an individual who will be registered under the law to practice. From those definitions, pretty much everyone in this digital age becomes an ICT practitioner. Why? We use computers at the work place – practice for gain. Doctors use computerized machines for diagnosis- practice for gain. Use your phone to place a bet for a soccer match – practice for gain. The Bill ropes in everyone who uses technology and it raises the various jurisprudential questions. What mischief does it seek to remedy by regulating use of ICT by everyone?

Section 6 of the Bill provides for an institute and states it functions, which are already being executed by the Ministry of Information and Communication Technology and the Kenya ICT Authority. Global market forces also play a big role in enforcing some of these functions such as ensuring high standards amongst persons who engage in ICT practice. In our current digital world, enterprises compete globally. That is evidenced by the heavy use of social media and email servers that are not locally owned. Hence purporting to enforce standards for ICT nationally while the market is forcing us to catch up with the rest of the world will be jocose.

The institute in the proposed legislation will engage in protecting, assisting and educating Kenyans on matters to do with the profession of ICT. While the protection aspect of that function can be supported by Article 46 of the Constitution, existing government bodies such as the Communications Authority of Kenya already have consumer protection regulations to execute that role. Other protection mechanism exist in the market where information spreads as fast as digital media, forcing those who engage in ICT practice to prioritise user experience and consumer needs. The ICT Authority has been engaging in education activities on ICT, which renders the institute’s proposed function redundant.

On proposed function of approving of courses and administering examinations, it may be argued that the institute intends on creating uniformity in terms of qualifications like lawyers and accountants have. This function leads to the next one, which is, registration and license of ICT practitioners who according to Section 15 must have a degree and three years of experience. These requirements show a clear lack of understanding as to how the ICT industry works. Bill Gates, Steve Jobs, Mark Zuckerberg and many other prolific innovators in the ICT world have no university degrees to their names but they have changed the world. Had they been Kenyan at this time, they would not be allowed to engage in the practice of ICT. The ICT labour market tends to pick on the brilliant innovators who can do the job rather than individuals with papers. That is why it has been able to grow so fast because it is open to everyone who has something to offer. Placing restrictions based on academic qualification will outrightly amount to stifling innovation because, now even school going children are coding and making applications.

The Bill also states that the proposed institute will act as an arbitrator in any disputes between a licensed ICT Practitioner and a client. This proposal seems to be off, considering we have Chartered Arbitrators in the country and law courts. From recent history of the industry, disputes seem to be between those who engage in the practice of ICT with the example of the dispute between the brains behind Angani Cloud. The institute would have been better placed addressing such disputes because they affect the growth of the ICT industry. It would also have proposed to promote the industry internationally rather than itself though almost all listed functions are and can be executed by the existing bodies.

Sections 20 and 23 of the Bill are a noose on the necks of many in the industry currently since it insists on one having a license and prohibits those who won’t have it from recovering fees for ICT services. In our current corporate world, companies have invested in social media managers who handle their social media. No course in school teaches this yet it is a service that is so crucial to today’s business where digital presence is key. The people hired for these jobs fall under the scope of this Bill by virtue of engaging in ICT practice for gain. So will the enactment of this law spell doom for these people who engage in ICT practice in a field that is not taught in any school? Will it be illegal to be a blogger or have a YouTube channel? What about those who work for international tech companies remotely? Will this proposed law apply to them?

Lon Fuller in his book the Morality of Law writes about King Rex who promulgated a law that required his subjects to appear before the throne once summoned in ten seconds. His subjects responded by sending him a leaflet which read, “To command what cannot be done is not to make law; it is to unmake law, for a command that cannot be obeyed serves no end but confusion, fear and chaos.”

To criminalise the use of a computer or mobile phone for gain is not to make law. It is to unmake law. It is forcing our Silicon Savannah to drink hemlock. It is to command that which cannot be obeyed, enforced and even investigated, which is causing confusion, fear and chaos. The brains behind the Bill should really reconsider their stand and if possible, withdraw the Bill. If not, they should engage stakeholders. The Cabinet Secretary in charge is on record claiming that the Bill did not come from his Ministry and experts have found its provisions contradictory to the National Information & Communications Technology (ICT) Policy of 2016. As we embark on the journey of achieving Vision 2030, it is important for all of us to be on the same page so as to work together. For it is in our best interest as people that we progress together.

Why block chain technology can help resolve land transaction woes


An edited version to this article was first published on  Business Daily September 2, 2016

Land is dear to Kenyans. Despite how we abhor agriculture, everyone wants to own a plot somewhere. A result of this obsession is a lot of speculation in buying of land, over pricing and graft in the land registries. Law courts are busy deciding cases involving land transactions. And it runs across the divisions in the High Court, from the Land and Environmental Division to the Family Division.

We have recently witnessed high profile land rows where individuals have been accused of selling off a single parcel to many parties. While due diligence is key in investigation of titles especially in the conveyancing procedure, one can never be so sure with the results they get.

There are incidences where the official search results have shown the vendor as the owner only for the real owner to show up after completion of the transaction.

A solution to these pitfalls in the conveyancing process is block chain technology. A block chain is often described as a widespread, global distributed ledger running on millions of devices and open to anyone.

In it, anything of value like money, titles of land can be moved and stored securely and privately. The technology has a system of establishing trust though not through intermediaries like banks but through mass collaboration and powerful cryptography algorithms. This ensures integrity and trust between strangers while making it difficult to cheat. While cryptocurrencies like Bitcoin are the most notable products of block chain technology, land can be transacted through this technology.

The advantages that this type of transaction will have will be the availability of incorruptible land records. This will be availed by the distributed public ledger which tracks and records every transaction whose security is ensured due to its decentralised medium.

Hence where a buyer intends on investigating the title that a land vendor claims to have, block chain technology will enable verification of title since it will show the transaction records of that property and the owner and all previous owners.

South American countries like Honduras, have already committed to replace their existing land records with block chain technology which will eventually allow citizens to sell or buy property online. The distributed ledger is being embraced by more corporations like Factum which is applying it to the non-financial market of data management. The corporation uses public block chain-based identity ledgers in database management and data analytics to support applications.

Factom can be used by businesses and governments in simplification of records management, record business processes, and to address security and compliance issues. It maintains a permanent, time-stamped record of data in the block chain that allows companies and governments to reduce the cost and complexity of conducting audits, managing records while complying with the set laws. The Constitution of Kenya lists transparency as one of the principles of land policy and block chain technology will play a big role in ensuring that there is integrity in the system.

Bitland, a NGO in Ghana is also developing a land title system based on the Tao block chain. It is doing this since the Ghanaian government has failed to develop a fair and efficient land administration system despite numerous attempts. The system will also use GPS and satellite to verify the accuracy of the plots of land. Just like in Kenya where identifying the last owner of property rights over a  piece of land is an issue, they hope the system will reduce the disputes or make them more visible to prospective buyers. This will ensure security and reduce ownership cases.


While the distributed ledger might be the technology’s biggest strength, many legal questions arise. The question on who to sue when things go wrong since the entire structure of the block chain is decentralised is major.

Another challenge is on the form of conveyancing transactions, keeping in mind that most transactions that are legally binding are based on precedent forms and documents.

There is hope for this though, since it is expected that as time goes on consensus will develop with code libraries and there will be a uniformity.

While solutions cannot just be copy pasted from another jurisdiction, Kenya can pick lessons from nations that have already started using the technology.

The making of a cybercrimes law: A tale of two Bills before Parliament

cyber law

An edited version to this article was first published on Business Daily August 15, 2016

If there is an industry that is hard to regulate, it is information and communication technology. Other than being too dynamic, it is complex. There is a common saying that states that a year in tech is 90 days. This out rightly means it is an industry which states all over the world will continue playing chase when it comes to regulation. Here in Kenya, the legislature has come up with two bills of similar nature. Namely, the Computer and Cybercrimes Bill, sponsored by Leader of Majority Hon. Aden Duale and the Senate’s Cybercrimes and Protection Bill sponsored by Chairperson, Committee on Information and Technology Sen.Mutahi Kagwe.

The Good

Cybercrime rates have been growing by the day and it is encouraging to see that the government is taking action. The Computer and Cybercrimes Bill seeks to criminalise unauthorised access and interference, gaining access with the intention of committing an offence and unauthorised interception. The latter being in the spirit of protecting the right to privacy which is enshrined in the Constitution.

Unauthorised disclosure of passwords or access codes, child pornography, computer forgery, computer fraud, cyber stalking and cyber-bullying are also criminalized. Distinct features of this bill are the clauses which provide for confiscation or forfeiture of assets and proceeds of cybercrime. The bill also provides for a compensation order for victims and it has an entire chapter on how cybercrimes committed outside Kenya will be prosecuted. The extraterritorial nature of this proposed law is good considering the nature of cybercrimes. The Bangladesh Bank was hacked into by persons who were not within its borders. The chapter also provides for extradition of suspects, though relying on the Mutual Legal Assistance Act 2011. Lest we forget, Kick Ass Torrents creator Artem Vaulin was extradited from Poland to the United States of America under such an agreement.

The Cybercrimes and Protection Bill on the other hand will criminalise unlawful access to a computer system, system interference, unlawful interceptions, fraud and cyber-bullying. All these are covered in the other bill. The other offences in this senate bill are interception of electronic messages or money transfers, wilful misdirection of electronic messages, forgery, unauthorised modification of data and even cyber terrorism.

One can say that this bill is elaborate since it ropes in more cyber offenses that are not in the Computer and Cybercrimes Bill. These offenses include issuance of false e-instructions, phishing and identity theft and impersonation which is rampant in this age of social media. Electronic distribution of pornography and child exploitation are also outlawed. The provision on child exploitation will be in important in curbing the developing menace where children meet people on social media who later take advantage of them sexually. This proposed law will also make it illegal to distribute intimate images of a jilted lover while it also illegalizes cyber-squatting.

 The Bad

The investigation procedures in the Computer and Cybercrimes Bill leave a lot to be desired. While the normal procedure is that a court issues a warrant is before security officers take any action that would infringe the privacy of an individual, there are clauses that allow any officer to act without a warrant. While it may be argued that the intention of the provisions is to avoid unnecessary delay, there is a high likelihood of human rights breaches if the bill is enacted into law without those provisions being aligned with the Constitution.

The Cybercrimes and Protection Bill on the other hand has clauses that have some constitutional conformity as far as the right to privacy is concerned. The bill prohibits the sharing of some personal information in the course of investigation like health records. Despite this, Kenya still needs the Data Protection Bill 2013 to be assented into law because data protection principles would provide a better guide with the handling of personal data. The bill also proposes a National Cyber Threat Response Unit which will investigate cybercrime cases. This unit is not provided for in the Computer and Cybercrimes Bill which will allow any officer to confiscate a computer system just because they believe that one is committing a crime with it.

And the Ugly…

The mere fact that we have two draft laws seeking to regulate the same thing at the same time from the same legislature is appalling. It is at this point that we ask what mischief the legislature sought to remedy that they drafted two bills. In the event both bills become laws, we will have a situation similar to that in Lon Fuller’s book ‘The Morality of Law.’ In the book Lon Fuller tells the story of King Rex who made contradictory law and his subjects sent him a pamphlet written “This time the king made himself clear in both directions.” In this case of the two draft laws, the contradictions are likely to arise because one law provides for lenient sentences while the other prescribe a harsh sentences for the same crimes. With this in mind, will we be wrong if we say that the legislature made it clear in both directions?

We hope that the relevant bodies will work together and harmonise the two bills because together, it will be a very good piece of legislation. That way the weaknesses of each draft law will be dealt with. Conformity to the bill of rights as contained in the Constitution should guide the drafters in the harmonization.  In the same spirit, the Data Protection Bill and the Access to Information Bill should be enacted because they are long overdue.

Why the taxman should keep off our wallets


This article was first published on Nairobi Business Monthly August 2016.

It is true that two things are certain, taxes and death. It is also true that we are in the information technology age where technology is becoming a major part of our lives day after day. The effect is that we now have new mediums of conducting business. We have virtual lives, virtual businesses and even virtual wallets.

It is common knowledge that a third of what is always collected by the Kenya Revenue Authority is never accounted for. The efforts of sealing this loophole never see the light of day. The taxman however, is always keen on increasing tax so as to meet targets. This year he has gone after the small-scale farmers. He also wants to snoop into every individual’s bank account and mobile money account with the aim of catching tax cheats.

He wants to profile individuals using the confidential financial data. He intends on legitimizing his deeds in the Finance Bill 2016, which is still top secret yet it raises serious human rights concerns.

Lest we forget, Thomas Hobbes in his book the Leviathan writes on how man left the state of nature so as to form the commonwealth. In our case, the commonwealth is the state, a creation of man. The state did not form man, hence man reserves the right to self-determination. If we are to carry on with the Hobbesian theory, man surrendered his absolute rights so as to co-exist with others. His rights are inherent, not granted by the state, just recognized by it. This means rights like the right to privacy, a conscience and opinion on how affairs of the state should be run are not gifts but entitlements.

All this is asserted in the Constitution of Kenya whose preamble starts with the words; “We, the people of Kenya…” The first article of the Constitution carries on with this tempo by expressly stating that:

“All sovereign power belongs to the people of Kenya and shall be exercised only in accordance with this Constitution.”

On matters to do with finance, the grundnorm as Hans Kelsen calls the supreme law; in Article 201 states the principles of public finance. The first principle of public finance is that there shall be openness and accountability. The law was drafted to include the requirement of public participation so as to achieve this objective.

The supreme law also states in Article 31 that every individual has the right to privacy. This right includes the right not to have information relating to their private affairs unnecessarily required and revealed. It also protects the privacy of an individual’s communications since they are easily infringed in this technological era. Other than the grundnorm, the other laws that protect a person’s right to privacy are laws that regulate the telecommunications industry. This industry birthed mobile money services and the law prohibits the industry service providers from sharing confidential consumer information it collects with third parties.

With the security challenges that we face as a nation, the government has pushed for enactment of laws that limit certain rights. These laws have clauses with procedures on how confidential information in the custody of a service provider can be acquired by third parties (read governmental bodies). This procedure includes the relevant governmental bodies getting a court order to compel the service provider to release the information. The taxman desires to circumvent this procedure using the secretive Finance bill 2016.

Not the first time

The right to privacy has for a long time been under threat. It is not the first time state agencies have attempted to claw it. In 2014, the Security Laws Amendment Act was passed. In it were amendments to Section 36 of the NIS Act, which required the need of court order by the agency to access personal information. These provisions were challenged in court and were found unconstitutional in early 2015.

While so much effort is being put to claw the right to privacy, legal mechanisms that ought to be in place to protect it are not there. There has been reluctance by relevant state bodies to enact the Data Protection Bill of 2013 into law. Yet it would have played a big role in regulating the information technology industry, which is ever evolving. Every day, new innovations come with new legal challenges and the law is playing catch up.

In India, the taxman is now profiling people according to their Facebook posts. Woe unto you if you are in the business of selling impressions, for you will pay what they think you need to pay and not what you should actually pay as tax. With our ambitious Kenyan taxman, snooping into people’s mobile money accounts will catch so many ‘tax cheats’, from students who receive monies from parents to people in the rural areas who always receive money from the urban areas. The taxman is likely to create an unfair tax system that will rope in many illegible persons from the profiling he intends to do.

If people are not willing to be open with their spouses on matters to do with finances, what about the state? This push for access of personal information is not only in bad faith but also likely to be open to abuse.  We should pick a lesson from the old Arab fable of the camel nose. If the camel gets his nose in the tent, his body will soon follow. Allowing a little breach will allow more breaches to take place in the future by other bodies. And our Constitution will be nothing but an aspirational document just like its Chapter 6.

The word ’burden’ is used in the constitution to describe the duty of paying taxes. This burden ought to be shared fairly. This contribution to the national bourse further gives us the right to determine the direction that our nation takes. Be it in how we want to be governed or whether we agree to KRA using our data to create individual profiles, Article 255 gives us that right of determination through a referendum. Instead of burdening citizens with taxes, state agencies that deal with finances need to look at how it deals with the issue of graft, which bleeds our public coffers.

Computer and Cyber Crime Bill welcome long overdue

To address the problem, the ICT ministry has come up with the Computer and Cyber Crimes Bill 2016. Many say the proposed law is long overdue. The Bill seeks to combat cybercrimes and provides for international co-operation to punish perpetrators who are in other jurisdictions. Among the offences listed are unauthorised access and unauthorised interference of computer systems.

The Bill has a provision that criminalises unauthorised interception of communication.

We all remember the IFMIS procurement system and password saga at the National Youth Service (NYS). Now it will be a crime to share passwords without authority for unlawful purposes like wrongful gain. This crime will be punishable upon conviction with a fine not exceeding Sh10 million or imprisonment for five years.

The Bill has provisions that will go a long way in upholding data protection principles. Another plus in the Bill is the provision that outlaws child pornography. Issues dealing with cyber fraud and forgery have also been provided for in the Bill. These crimes are very common and many people have been victims.


Perpetrators of these crimes risk a jail term not exceeding ten years or Sh20 million fine. The major challenge with this provision is where fraudsters are in prison as has been the norm. It is not clear how the law will deal with such cases.

Online stalkers and cyber bullies are also at risk of conviction if this Bill passes. The menace has become rampant in this age of social media. The effect of this is usually psychological trauma with some victims opting to commit suicide.

For cases of fraud, the court can order for confiscation and forfeiture of assets acquired from the proceedings of cybercrime. The aspect of compensation of victims is also provided for expressly in this bill. Here, the court will order the convicted person to pay the victim a specified amount of money.

People who commit other crimes under other laws but using a computer system will be liable to conviction. On procedures, the Bill has provisions that will require investigating agencies to seek court orders before search and seizures. Here the agencies need to prove to the court that limiting the right to privacy is necessary.

The Bill can be said to be a step in the right direction. However, upon its enactment, civil education should be done extensively so that victims of cybercrime may know that they have recourse under the law.

CHASE BANK: How not to handle a misinformation crisis


This article was first published on  Nairobi Business Monthly June 2016

Today’s businesses have learnt that life and death are a click away. Whatever you say online will be used against you in the court of public opinion. Philippines boxing champion Manny Pacqiao learnt this lesson the hard way after his ratings dropped following a homophobic tweet which he had posted. His mistake cost him an endorsement contract with Nike.

When Central Bank of Kenya (CBK) Governor Patrick Njoroge placed Chase Bank under receivership after it faced liquidity problems, he cited inaccurate social media reports as one of the causes of the bank run that led to panic withdrawals. The Inspector General of Police later issued a statement that a blogger had been arrested and would be charged for misuse of social media to disseminate falsehoods against the sector.

The information shared during the period that the Chase Bank saga took place raises an interesting conflict of interest where the shareholders’ interests are pitied against the customers’. The bank released two conflicting financial statements, which aroused curiosity that many speculators in social media rode on. The arrest of the blogger after the damage shows how bad things can go when customers are kept in the dark in this age of information and technology.

Were bloggers really liable for the bank run?

The right to access to information has been in the minds of people as early as when the tenets of civilisation were established. Sweden is said to have recognised this right as early as 1766 followed by France in 1789 when it adopted the Declaration on Human and Civil Rights. In 1948, it was included in the United Nation Declaration of Human Rights, Article 19 and later the International Convention on the Civil and Political Rights of 1966.
The Constitution of Kenya in Article 35 provides the right to information to citizens as it states:

“(1) Every citizen has the right of access to—
(b) information held by another person and required for the exercise or protection of any right or fundamental freedom.”

The right to freedom of speech, which is found in Article 33 has also generally been held to include the right to know or the right to information since it states that:
“(1) Every Person has the right to freedom of expression, which includes;
(a) Freedom to seek, receive or impart information or ideas…”

Therefore one can rightfully claim their right to information in Kenya as they are provided in Article 35(1), and Article 33(1). Business entities are obligated by law to provide their customers with information as stated in Article 46 of the Constitution of Kenya, which states that:

“(1) Consumers have the right—
(b) to the information necessary for them to gain full benefit from goods and services;
(3) This Article applies to goods and services offered by public entities or private persons.”

Section 22 of the Banking Act requires banks to publish a copy of its last audited balance sheet and last audited profit and loss statements within three months of the end of each financial year in a national newspaper. All these laws require businesses and in particular financial institutions to provide its consumers with information so as to boost consumer confidence in their product. Failure to do so can be disastrous, especially during a misinformation crisis.

In 2014, the World Economic Forum listed digital misinformation as one of the threats to our society. These digital wild fires are capable of causing unprecedented damage because of there complexity and nature of big data. Since we live in a digital age where consumers yearn for information, failure to share information is disastrous. Hence the public relations team at Chase Bank should have done more. They should have countered the lies rather than expect things to fall into place with their press releases.

How to salvage such a situation

The best way corporations can deal with a digital misinformation crisis is by preparation. It is prudent that public relation practitioners are well prepared to handle such crisis without antagonizing the company’s image;

Prepare a digital misinformation counter crisis plan

Companies need to develop a digital misinformation counter crisis plan and test it. The plan is not a blueprint but a reference. It saves time during a crisis by pre-assigning tasks, pre-collecting information, and serving as a guide. This preparation presumes there is a designated crisis team where members know what to do.

Develop a social media policy for the company

The plan ought to be used in this step where a social media policy is developed and published. This policy ought to be clear on the best practices for differentiating the blurring lines between personal and professional activities. It should also establish clear guidelines for an appropriate commentary. The end result of this will be well-trained public social media managers who can correct the misinformation and reclaim the online narrative.

Start monitoring your company’s brand.

A maxim of equity that can be applicable in this case is “Equity aids the vigilant and not the indolent”. The social media managers and public relation officers ought to monitor the reputation of their brand so as not to be found flat-footed during a crisis. There are many free and cheap tools that can be used in brand monitoring and crisis warning. They enable the social media mangers to select keywords and they record each time they are used on various social media channels.

While at it, develop your social media presence and influence

The monitoring should help a company identify social media platforms relevant to their brand. The social media managers ought to listen and engage in online conversations. Credibility will be built in the long run since content-rich social media presence and goodwill is vital during a crisis. While doing this, it is important to engage industry influencers who will most likely communicate positive messages about your company’s brand in the unfortunate event of a crisis.

Work on your story in advance

If possible, a company can create a separate website for the crisis in advance as part of their digital counter crisis plan. It will be made live when it is required as its background information, facts and figures. It is the best place for a company to promote its side of the story during a crisis and their social media manager ought to drive traffic to it at that time.

During the crisis, listen then act

The negative comments ought to be put in context and the tone too needs to be checked. It is also important to investigate the commentator’s influence on social media and if their misinformed narrative is spreading like a wild fire.

Sell your story

Since a company has its crisis website ready and team prepared, they should execute their reputation redemption plan accurately and the story should be consistent. The communication provided at this time ought to explain the facts of the situation while explaining what the company is doing to address the crisis. Showing empathy is very important. It gives consumers hope that their concerns are being addressed. While doing this, it is important that the team monitors and listens any hashtag or keyword used to identify the crisis situation while responding accordingly.

Learning from experience also includes learning from other people’s mistakes. Observe how other companies have survived or perished through the crisis storm and do an analysis on whether your company is ready. Prevention is definitely better than cure. A good experience was when O2 had a massive network outage. Their Twitter account became inundated with complain tweets from frustrated customers. Instead of issuing the standard corporate responses that most companies release, they responded directly to the tweets with an honest and light-hearted demeanor. This human approach changed the sentiments that people had at that time.

Chase Bank failed in dealing with the wild fire online and as the Governor said, it consumed the company. The company did not put much effort in countering the narrative neither did it provide another narrative that would have restored consumer confidence in their brand. It is important that companies learn from this incident and prepare for this type of crisis.

Consumer Privacy and data protection in E-commerce in Kenya


This article was first published on Nairobi Business Monthly April 2016.

We have recently watched the standoff between technology giant Apple and the US Department of Justice over an order from a Federal Magistrate in California. The Magistrate asked the company to help the FBI to get into Syed Rizwan Farook’s iPhone by disabling a security feature that is likely to lock investigators out if they made 10 unsuccessful tries to determine the correct password. The move by Apple had been applauded by privacy rights groups all over the world as a step into the right direction in their cause. Back in Kenya, though not really moved by those events, we are one of the top nations in m-commerce since our e-commerce is through our cell phones.

We never ever give much thought about the security of the personal data in our communication gadgets. No one pays attention to the sheets of paper written “terms and conditions” that they sign. All they want is services, to send and receive money.

When Samuel D. Warren and Louis D. Brandeis wrote The Right to Privacy for the Harvard Law Review, they did not know that many years later technology would have brought forth a risk to informational privacy. Currently, there is the ability to learn the most intimate things about a person and unprecedented access to information about people. Prior to their 1890 article, there was no legal mechanism to protect the breach of this right. They called for the protection of the person, and for securing to the individual the right ‘to be let alone.’

Erwin Chemerinsky in his 2006 article Rediscovering Brandeis Right to Privacy has argued that what Warren and Brandeis had in mind was informational privacy and not privacy in the sense of autonomy, abortion, among others. According to his interpretation, the two stated that a principle, which protects personal writings and any other productions of the intellect, is the right to privacy. They concurred that the law had no principle to formulate the extent of this protection to the personal appearance, sayings and to personal relations.

50 years later, in 1948, the drafters of the Universal Declaration of Human Rights recognised the right to privacy in Article 12. This right has been enshrined in various international human rights instruments other than the Universal Declaration of Human Rights.  As technology advanced so has the need for the law to be developed to keep up.

The right to privacy is inseparable from the right to personal data protection. Other than standing for “the right to be let alone” and “concealment of information” from others, privacy also has to do with the “control over information about ourselves”. The European Union has recognised that and the European Union Data Retention Directive intertwines interferences with the right to privacy along with the right to data protection.

The Kenyan Constitution, which was enacted in the year 2010, states in Article 31, “Every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed and the privacy of their communications infringed.” The drafters of this clause must have had in mind the fact that in this age of the Internet and advanced telecommunications, corporates could access personal information without consent of the owner.

In the year 2013, the Data Protection Bill 2013 was drafted to give effect to Article 31(c) and (d). This can be said to be because most claims made whenever there is a breach of consumer data confidentiality; especially in jurisdictions where there are no laws on data protection, are made under breach of right to privacy.

How companies use consumer data

It is important to note that the more we advance in technology, the more we lose our grip on one fundamental human right that is crucial for our being. Every day, we give up key components of our right to privacy for the allure of being tech-savvy. Information and communication technology service providers like telecommunication companies, search engines; social media sites in the course of doing business collect data on their consumers.

They use this data to strategise and study their markets. They also use it to know the viability of their different business products.

The use of the collected data is not governed by any written law. These companies have the discretion to use the data in other commercial activities such as Targeted Online Advertising also known as Online behavioral advertising (“OBA”) where web companies engage collect information about your specific online activity (like WebPages you frequently visit) and use the information to show you advertisements and content that they believe might be of relevance to you.

While this might sound wrong, consumers actually agree to this in the terms and conditions when they sign-up and set up their online accounts with the different service providers. Hence, Internet companies are absolved of any blame when it comes to breach of the right to privacy.

A review of top service providers’ terms and conditions show that they claim that they have rights over the data they collect. Google’s Terms of Service state that by using their services, a consumer agrees that Google can use his or her data in accordance to their privacy policies. In their privacy policies, they indicate that they use the information they collect from all their services to provide, maintain, protect and improve them, to develop new ones, and to protect the company and their users. They also confess that they use the information to offer consumers tailored content like more relevant search results and adverts. Considering that consumers do not pay for these services, the collection and use of consumer data by companies like Google and Facebook can be justified.

Kenyan companies have not been left behind in the exploiting of consumer’s personal data. In the Terms and Conditions of the Okoa Stima Service clause 11, a consumer authorizes the service provider (Safaricom) to reveal, receive, record or utilize consumer data relating to their use of the service by merely registering for it. The terms also state that the service provider may reveal consumer data to a third party involved in the provision of the services including but not limited to Kenya Power; who is the sole electricity provider in Kenya, perhaps the only reason why a consumer registered for this service. It further states that it may reveal for reasonable commercial purposes connected to your use of the Services, such as marketing and research related activities.

How far can they go?

But questions always arise on how far is too far with the use of data collected from consumers and clients by these companies. In 2014, the Canada’s Privacy Commissioner found that Google Inc. had violated Canadian privacy law through targeted online advertising. This was after a man complained about adverts targeted to him based on a medical condition. He had searched for a device to help with his sleep apnea when he later noticed adverts for similar devices when he visited other websites. The adverts were delivered by Google’s AdSense service. The Interim Privacy Commissioner Chantal Bernier said that it is up to the organization collecting the data (in this case, Google) to identify what is sensitive information and ensure it is not used improperly.

This case brought up the debate on what is sensitive information that cannot be used by service providers. In Canada, the law allows an organization to collect personal information without consent of the individual but that section of the law has a claw back. The collection has to be in the interests of the individual especially where consent cannot be obtained in a timely way. That law gives further guidance on how the information can be used.

According to section 2 of the UK Data Protection Act 1998, sensitive personal data is personal data consisting of information on the racial and ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life and the commission or alleged commission by him of any offence, the disposal of such proceedings or the sentence of any court in such proceedings. The Kenyan Bill on Data Protection has borrowed from the UK law verbatim but the process of enacting seems to have stopped.

The Bill has been criticized by experts as wanting in some crucial aspects. It has no provision for extraterritorial jurisdiction which is crucial considering the nature of the subject matter and advancement of technology. The bill also does not cover direct marketing yet it can be a serious breach of privacy and data protection rights. This is because a consumer’s contacts and personal activities are usually used to profile an individual. The Bill does not restrict the transfer of personal data to other third parties who may be in or outside Kenya. This tends to happen even when a company is sold and its assets are acquired by other entities during mergers and acquisitions.

The only source of protection to personal data seems to be the Kenya Information and Communications (Consumer Protection) Regulations Section 15, which is on confidentiality.

This section prohibits service providers from monitoring and disclosing the content of any information transmitted through their licensed systems by intercepting communications and related data. It also prohibits service providers from selling personal information without the consent of the consumer. Section 17 of that law prohibits unsolicited communications, which is usual with marketers.

The country is in dire need for a data protection law that will regulate the handling of consumer personal data. The proposed Bill should be passed with relevant changes that will protect consumers from data mining activities that are likely to happen. The proposal in the Bill to have the Commission on Administrative Justice to act on breach of data protection laws can be said to be a step in the right direction since the Commission has offices in all Huduma Centres, hence very accessible to members of the public.