This article was first published on Nairobi Business Monthly April 2016.
We have recently watched the standoff between technology giant Apple and the US Department of Justice over an order from a Federal Magistrate in California. The Magistrate asked the company to help the FBI to get into Syed Rizwan Farook’s iPhone by disabling a security feature that is likely to lock investigators out if they made 10 unsuccessful tries to determine the correct password. The move by Apple had been applauded by privacy rights groups all over the world as a step into the right direction in their cause. Back in Kenya, though not really moved by those events, we are one of the top nations in m-commerce since our e-commerce is through our cell phones.
We never ever give much thought about the security of the personal data in our communication gadgets. No one pays attention to the sheets of paper written “terms and conditions” that they sign. All they want is services, to send and receive money.
When Samuel D. Warren and Louis D. Brandeis wrote The Right to Privacy for the Harvard Law Review, they did not know that many years later technology would have brought forth a risk to informational privacy. Currently, there is the ability to learn the most intimate things about a person and unprecedented access to information about people. Prior to their 1890 article, there was no legal mechanism to protect the breach of this right. They called for the protection of the person, and for securing to the individual the right ‘to be let alone.’
Erwin Chemerinsky in his 2006 article Rediscovering Brandeis Right to Privacy has argued that what Warren and Brandeis had in mind was informational privacy and not privacy in the sense of autonomy, abortion, among others. According to his interpretation, the two stated that a principle, which protects personal writings and any other productions of the intellect, is the right to privacy. They concurred that the law had no principle to formulate the extent of this protection to the personal appearance, sayings and to personal relations.
50 years later, in 1948, the drafters of the Universal Declaration of Human Rights recognised the right to privacy in Article 12. This right has been enshrined in various international human rights instruments other than the Universal Declaration of Human Rights. As technology advanced so has the need for the law to be developed to keep up.
The right to privacy is inseparable from the right to personal data protection. Other than standing for “the right to be let alone” and “concealment of information” from others, privacy also has to do with the “control over information about ourselves”. The European Union has recognised that and the European Union Data Retention Directive intertwines interferences with the right to privacy along with the right to data protection.
The Kenyan Constitution, which was enacted in the year 2010, states in Article 31, “Every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed and the privacy of their communications infringed.” The drafters of this clause must have had in mind the fact that in this age of the Internet and advanced telecommunications, corporates could access personal information without consent of the owner.
In the year 2013, the Data Protection Bill 2013 was drafted to give effect to Article 31(c) and (d). This can be said to be because most claims made whenever there is a breach of consumer data confidentiality; especially in jurisdictions where there are no laws on data protection, are made under breach of right to privacy.
How companies use consumer data
It is important to note that the more we advance in technology, the more we lose our grip on one fundamental human right that is crucial for our being. Every day, we give up key components of our right to privacy for the allure of being tech-savvy. Information and communication technology service providers like telecommunication companies, search engines; social media sites in the course of doing business collect data on their consumers.
They use this data to strategise and study their markets. They also use it to know the viability of their different business products.
The use of the collected data is not governed by any written law. These companies have the discretion to use the data in other commercial activities such as Targeted Online Advertising also known as Online behavioral advertising (“OBA”) where web companies engage collect information about your specific online activity (like WebPages you frequently visit) and use the information to show you advertisements and content that they believe might be of relevance to you.
While this might sound wrong, consumers actually agree to this in the terms and conditions when they sign-up and set up their online accounts with the different service providers. Hence, Internet companies are absolved of any blame when it comes to breach of the right to privacy.
A review of top service providers’ terms and conditions show that they claim that they have rights over the data they collect. Google’s Terms of Service state that by using their services, a consumer agrees that Google can use his or her data in accordance to their privacy policies. In their privacy policies, they indicate that they use the information they collect from all their services to provide, maintain, protect and improve them, to develop new ones, and to protect the company and their users. They also confess that they use the information to offer consumers tailored content like more relevant search results and adverts. Considering that consumers do not pay for these services, the collection and use of consumer data by companies like Google and Facebook can be justified.
Kenyan companies have not been left behind in the exploiting of consumer’s personal data. In the Terms and Conditions of the Okoa Stima Service clause 11, a consumer authorizes the service provider (Safaricom) to reveal, receive, record or utilize consumer data relating to their use of the service by merely registering for it. The terms also state that the service provider may reveal consumer data to a third party involved in the provision of the services including but not limited to Kenya Power; who is the sole electricity provider in Kenya, perhaps the only reason why a consumer registered for this service. It further states that it may reveal for reasonable commercial purposes connected to your use of the Services, such as marketing and research related activities.
How far can they go?
But questions always arise on how far is too far with the use of data collected from consumers and clients by these companies. In 2014, the Canada’s Privacy Commissioner found that Google Inc. had violated Canadian privacy law through targeted online advertising. This was after a man complained about adverts targeted to him based on a medical condition. He had searched for a device to help with his sleep apnea when he later noticed adverts for similar devices when he visited other websites. The adverts were delivered by Google’s AdSense service. The Interim Privacy Commissioner Chantal Bernier said that it is up to the organization collecting the data (in this case, Google) to identify what is sensitive information and ensure it is not used improperly.
This case brought up the debate on what is sensitive information that cannot be used by service providers. In Canada, the law allows an organization to collect personal information without consent of the individual but that section of the law has a claw back. The collection has to be in the interests of the individual especially where consent cannot be obtained in a timely way. That law gives further guidance on how the information can be used.
According to section 2 of the UK Data Protection Act 1998, sensitive personal data is personal data consisting of information on the racial and ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life and the commission or alleged commission by him of any offence, the disposal of such proceedings or the sentence of any court in such proceedings. The Kenyan Bill on Data Protection has borrowed from the UK law verbatim but the process of enacting seems to have stopped.
The Bill has been criticized by experts as wanting in some crucial aspects. It has no provision for extraterritorial jurisdiction which is crucial considering the nature of the subject matter and advancement of technology. The bill also does not cover direct marketing yet it can be a serious breach of privacy and data protection rights. This is because a consumer’s contacts and personal activities are usually used to profile an individual. The Bill does not restrict the transfer of personal data to other third parties who may be in or outside Kenya. This tends to happen even when a company is sold and its assets are acquired by other entities during mergers and acquisitions.
The only source of protection to personal data seems to be the Kenya Information and Communications (Consumer Protection) Regulations Section 15, which is on confidentiality.
This section prohibits service providers from monitoring and disclosing the content of any information transmitted through their licensed systems by intercepting communications and related data. It also prohibits service providers from selling personal information without the consent of the consumer. Section 17 of that law prohibits unsolicited communications, which is usual with marketers.
The country is in dire need for a data protection law that will regulate the handling of consumer personal data. The proposed Bill should be passed with relevant changes that will protect consumers from data mining activities that are likely to happen. The proposal in the Bill to have the Commission on Administrative Justice to act on breach of data protection laws can be said to be a step in the right direction since the Commission has offices in all Huduma Centres, hence very accessible to members of the public.