Is the Kenyan legal system ready for the Big data industry?

This article was first published in the Business Daily newspaper on the 22nd of June 2017.

Source: Forbes

Thousands around the world have signed up to online platforms for different services such as email, social media and news. Due to the borderless nature of the internet, markets are unlimited and people from different jurisdictions can subscribe to these sites. Note that despite the universal access, internet borders exist to enable people to pay for stuff using their local currencies, to let users use local languages, and for regulation purposes.

Silicon Valley giants tend to have the advantage of the ‘data-network effect’, which enables them to use data collected from customers in exchange for ‘free’ services such as email and social media. They use this data to attract more customers, who generate more data, which is used to improve services, which in turn attracts more customers. Behind this phenomenon is a lot of behavioral economics, big data analysis and ad targeting.

Most of this data usually comes from personal communication devices, hence it falls within the ambit of privacy laws and regulations in the nations where they are registered. In jurisdictions like Kenya where there are no strict privacy laws, it is usually up to the service providers’ goodwill to vet what data they will use and what they cannot use.

While it may appear to be a win-win situation because people don’t pay for access to online platforms, a data subject ought to have more say in how their personal information is being used. Many internet corporates have turned their subscribers into data mines, which raises many ethical and legal questions.

First, there is the constitutional right to privacy. This is enshrined in Article 31 of the Constitution, which protects the privacy of one’s communications from being infringed. The Data Protection Bill is for an act that will give effect to Article 31 while regulating the processing and use of personal data.

The European Union laws on the right to privacy are really strict and they give more power to the data subject over their data, unlike the US laws, which are lax. In March, the US Congress passed a resolution to roll back the Federal Communications Commission (FCC) privacy rules which would have required Internet Service Providers to get a customer’s express permission before selling “sensitive data” like their browsing history. These regulations would have given the data subject a stronger say over their data, like in Europe, but Congress voted against them.

A perusal of the draft Kenyan data law shows that service providers will still have a lot of discretion pertaining to the use of personal data, as they will be required to only notify the data subject. It allows the sale of personal data if permitted by any other law. It would be great if individuals were legally empowered to allow their personal data to be used by service providers who collect it, like in the EU region.

The challenge of such a provision is that people have “learned helplessness”, where no one cares to read the terms and conditions of the online services they subscribe to, according to Alessandro Acquisti of Carnegie Mellon University. Hence there is a possibility that very few will exercise this right even when it is codified.

Secondly, data is “non-rivalrous”, hence it can be copied and used by more than one entity at a time. This means that data can easily be used for purposes other than those agreed between the data subject and data controller (service provider). This has been the case in Kenya, where people have raised complaints that they are receiving geographically targeted text messages from political aspirants. Such incidents are a definite breach of a data subject’s rights.

Thirdly, the Kenyan data protection bill has provisions for mandatory data sharing with government agencies. This is not unheard of, as nations such as Germany have laws that require insurers to jointly maintain data on issues such as car accidents that smaller firms cannot compile on their own. This data sharing is even part of the European Union’s new General Data Protection Regulation (GDPR), which will require online services to make it easy for data subjects to transfer their data to other service providers, including competitors. However,

Regional legislation of cyber laws has worked for Europe, which can boast of the right to be forgotten. For African countries, that may be the best approach since a united market has bigger bargaining power than individual states. There is a draft convention, the African Union Convention on Cyber-security and Personal Data Protection, which contains regulations on data protection. If this draft is ratified, we can even demand that some of the servers of the biggest internet corporations be hosted within the continent and prohibit transfer of personal data from outside Africa. China has draft regulations that require firms to store all “critical data” collected on servers based in the country. The United Kingdom Data Protection Act prohibits data controllers from transferring personal data outside the European Economic Area.

Consumers of online services need to remember that there is no such thing as a free lunch. Where the product is free, the product is probably you. Online corporations have become dependent on free data and they clearly have no interest in changing their deal with their users. Despite that, it is important that fundamental rights such as the right to privacy are protected.

Edited version of the article as published in the Business Daily