Is the Kenyan legal system ready for the Big data industry?

This article was first published in the Business Daily newspaper on the 22nd of June 2017.

Source: Forbes

Thousands around the world have signed up to online platforms for different services such as email, social media and news. Due to the borderless nature of the internet, markets are unlimited and people from different jurisdictions can subscribe to these sites. Note that despite the universal access, internet borders exist to enable people to pay for stuff using their local currencies, to provide users with local languages, and for regulation purposes.

Silicon Valley giants tend to have the advantage of the ‘data-network effect’, which enables them to use data collected from customers in exchange for ‘free’ services such as email and social media. They use this data to attract more customers, who generate more data that is used in improving services, which attracts more customers. Behind this phenomenon is a lot of behavioral economics, big data analysis and ad targeting.

Most of this data usually comes from personal communication devices, hence it falls within the ambit of privacy laws and regulations in the nations where they are registered. In jurisdictions like Kenya where there are no strict privacy laws, it is usually up to the service providers’ goodwill to vet what data they will use and what they cannot use.

While it may appear to be a win-win situation because people don’t pay for access to online platforms, a data subject ought to have more say in how their personal information is being used. Many internet corporates have turned their subscribers into data mines, which raises many ethical and legal questions.

First, there is the constitutional right to privacy. This is enshrined in Article 31 of the Constitution, which protects the privacy of one’s communications from being infringed. The Data Protection Bill is for an act that will give effect to Article 31 while regulating the processing and use of personal data.

The European Union laws on the right to privacy are really strict and they give more power to the data subject over their data, unlike the US laws, which are lax. In March, the US Congress passed a resolution to roll back the Federal Communications Commission (FCC) privacy rules which would have required Internet Service Providers to get a customer’s express permission before selling “sensitive data” like their browsing history. These regulations would have given the data subject a stronger say over their data like in Europe, but Congress voted against them.

A perusal of the draft Kenyan data law shows that service providers will still have a lot of discretion pertaining to the use of personal data, as they will be required to only notify the data subject. It allows the sale of personal data if permitted by any other law. It would be great if individuals were legally empowered to allow their personal data to be used by service providers who collect it, like in the EU region.

The challenge of such a provision is that people have “learned helplessness”, where no one cares to read the terms and conditions of the online services they subscribe to, according to Alessandro Acquisti of Carnegie Mellon University. Hence there is a possibility that very few will exercise this right even when it is codified.

Secondly, data is “non-rivalrous”, hence it can be copied and used by more than one entity at a time. This means that data can easily be used for purposes other than those agreed between the data subject and data controller (service provider). This has been the case in Kenya, where people have raised complaints that they are receiving geographically targeted text messages from political aspirants. Such incidents are a definite breach of a data subject’s rights.

Thirdly, the Kenyan data protection bill has provisions for mandatory data sharing with government agencies. This is not unheard of, as nations such as Germany have laws that require insurers to jointly maintain data on issues such as car accidents that smaller firms cannot compile on their own. This data sharing is even part of the European Union’s new General Data Protection Regulation (GDPR), which will require online services to make it easy for data subjects to transfer their data to other service providers including competitors. However,

Regional legislation of cyber laws has worked for Europe, which can boast of the right to be forgotten. For African countries, that may be the best approach since a united market has bigger bargaining power than individual states. There is a draft convention, the African Union Convention on Cyber-security and Personal Data Protection, which contains regulations on data protection. If this draft is ratified, we can even demand that some of the servers of the biggest internet corporations be hosted within the continent and prohibit transfer of personal data from outside Africa. China has draft regulations that require firms to store all “critical data” collected on servers based in the country. The United Kingdom Data Protection Act prohibits data controllers from transferring personal data outside the European Economic Area.

Consumers of online services need to remember that there is nothing like free lunch. Where the product is free, the product is probably you. Online corporations have become dependent on free data and they clearly have no interest in changing their deal with their users. Despite that, it is important that fundamental rights such as the right to privacy are protected.

Edited version of the article as published in the Business Daily

Consumer Privacy and data protection in E-commerce in Kenya

This article was first published on Nairobi Business Monthly April 2016.

We have recently watched the standoff between technology giant Apple and the US Department of Justice over an order from a Federal Magistrate in California. The Magistrate asked the company to help the FBI to get into Syed Rizwan Farook’s iPhone by disabling a security feature that is likely to lock investigators out if they make 10 unsuccessful tries to determine the correct password. The move by Apple has been applauded by privacy rights groups all over the world as a step in the right direction for their cause. Back in Kenya, though not really moved by those events, we are one of the top nations in m-commerce since our e-commerce is through our cell phones.

We never give much thought to the security of the personal data in our communication gadgets. No one pays attention to the sheets of paper titled “terms and conditions” that they sign. All they want is services, to send and receive money.

When Samuel D. Warren and Louis D. Brandeis wrote The Right to Privacy for the Harvard Law Review, they did not know that many years later technology would bring forth a risk to informational privacy. Currently, there is the ability to learn the most intimate things about a person and unprecedented access to information about people. Prior to their 1890 article, there was no legal mechanism to protect against the breach of this right. They called for the protection of the person, and for securing to the individual the right ‘to be let alone.’

Erwin Chemerinsky in his 2006 article Rediscovering Brandeis Right to Privacy has argued that what Warren and Brandeis had in mind was informational privacy and not privacy in the sense of autonomy, abortion, among others. According to his interpretation, the two stated that a principle, which protects personal writings and any other productions of the intellect, is the right to privacy. They concurred that the law had no principle to formulate the extent of this protection to the personal appearance, sayings and to personal relations.

50 years later, in 1948, the drafters of the Universal Declaration of Human Rights recognised the right to privacy in Article 12. This right has been enshrined in various international human rights instruments other than the Universal Declaration of Human Rights. As technology has advanced, so has the need for the law to be developed to keep up.

The right to privacy is inseparable from the right to personal data protection. Other than standing for “the right to be let alone” and “concealment of information” from others, privacy also has to do with the “control over information about ourselves”. The European Union has recognised that and the European Union Data Retention Directive intertwines interferences with the right to privacy along with the right to data protection.

The Kenyan Constitution, which was enacted in the year 2010, states in Article 31, “Every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed and the privacy of their communications infringed.” The drafters of this clause must have had in mind the fact that in this age of the Internet and advanced telecommunications, corporates could access personal information without consent of the owner.

In the year 2013, the Data Protection Bill 2013 was drafted to give effect to Article 31(c) and (d). This can be said to be because most claims made whenever there is a breach of consumer data confidentiality, especially in jurisdictions where there are no laws on data protection, are made under breach of the right to privacy.

How companies use consumer data

It is important to note that the more we advance in technology, the more we lose our grip on one fundamental human right that is crucial for our being. Every day, we give up key components of our right to privacy for the allure of being tech-savvy. Information and communication technology service providers like telecommunication companies, search engines and social media sites collect data on their consumers in the course of doing business.

They use this data to strategise and study their markets. They also use it to know the viability of their different business products.

The use of the collected data is not governed by any written law. These companies have the discretion to use the data in other commercial activities such as targeted online advertising, also known as online behavioral advertising (“OBA”), where web companies collect information about your specific online activity (like web pages you frequently visit) and use the information to show you advertisements and content that they believe might be of relevance to you.

While this might sound wrong, consumers actually agree to this in the terms and conditions when they sign up and set up their online accounts with the different service providers. Hence, Internet companies are absolved of any blame when it comes to breach of the right to privacy.

A review of top service providers’ terms and conditions shows that they claim that they have rights over the data they collect. Google’s Terms of Service state that by using their services, a consumer agrees that Google can use his or her data in accordance with their privacy policies. In their privacy policies, they indicate that they use the information they collect from all their services to provide, maintain, protect and improve them, to develop new ones, and to protect the company and their users. They also confess that they use the information to offer consumers tailored content like more relevant search results and adverts. Considering that consumers do not pay for these services, the collection and use of consumer data by companies like Google and Facebook can be justified.

Kenyan companies have not been left behind in the exploitation of consumers’ personal data. In clause 11 of the Terms and Conditions of the Okoa Stima Service, a consumer authorizes the service provider (Safaricom) to reveal, receive, record or utilize consumer data relating to their use of the service by merely registering for it. The terms also state that the service provider may reveal consumer data to a third party involved in the provision of the services, including but not limited to Kenya Power, which is the sole electricity provider in Kenya and perhaps the only reason why a consumer registered for this service. The terms further state that the service provider may reveal the data for reasonable commercial purposes connected to your use of the Services, such as marketing and research related activities.

How far can they go?

But questions always arise on how far is too far with the use of data collected from consumers and clients by these companies. In 2014, Canada’s Privacy Commissioner found that Google Inc. had violated Canadian privacy law through targeted online advertising. This was after a man complained about adverts targeted to him based on a medical condition. He had searched for a device to help with his sleep apnea and later noticed adverts for similar devices when he visited other websites. The adverts were delivered by Google’s AdSense service. The Interim Privacy Commissioner Chantal Bernier said that it is up to the organization collecting the data (in this case, Google) to identify what is sensitive information and ensure it is not used improperly.

This case brought up the debate on what is sensitive information that cannot be used by service providers. In Canada, the law allows an organization to collect personal information without consent of the individual but that section of the law has a claw back. The collection has to be in the interests of the individual especially where consent cannot be obtained in a timely way. That law gives further guidance on how the information can be used.

According to section 2 of the UK Data Protection Act 1998, sensitive personal data is personal data consisting of information on the racial and ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life and the commission or alleged commission by him of any offence, the disposal of such proceedings or the sentence of any court in such proceedings. The Kenyan Bill on Data Protection has borrowed from the UK law verbatim but the process of enacting seems to have stopped.

The Bill has been criticized by experts as wanting in some crucial aspects. It has no provision for extraterritorial jurisdiction which is crucial considering the nature of the subject matter and advancement of technology. The bill also does not cover direct marketing yet it can be a serious breach of privacy and data protection rights. This is because a consumer’s contacts and personal activities are usually used to profile an individual. The Bill does not restrict the transfer of personal data to other third parties who may be in or outside Kenya. This tends to happen even when a company is sold and its assets are acquired by other entities during mergers and acquisitions.

The only source of protection to personal data seems to be the Kenya Information and Communications (Consumer Protection) Regulations Section 15, which is on confidentiality.

This section prohibits service providers from monitoring and disclosing the content of any information transmitted through their licensed systems by intercepting communications and related data. It also prohibits service providers from selling personal information without the consent of the consumer. Section 17 of that law prohibits unsolicited communications, which is usual with marketers.

The country is in dire need of a data protection law that will regulate the handling of consumer personal data. The proposed Bill should be passed with relevant changes that will protect consumers from data mining activities that are likely to happen. The proposal in the Bill to have the Commission on Administrative Justice act on breaches of data protection laws can be said to be a step in the right direction since the Commission has offices in all Huduma Centres, hence it is very accessible to members of the public.