The life of a Kenyan in 2021 is a big data-mining game. Personal information is shared in the course of financial transactions for e-commerce and dial-deliveries which have now become the norm due to the influx of motorcycles.
The result of this data-mining game is the many complaints, mostly on social media, by people about the unsolicited marketing messages they receive.
These complaints usually describe how one’s personal information was used for direct marketing after they paid for the service or goods using mobile money.
Other complaints range on the question of how the businesses marketing their products got the recipient’s contacts.
The genesis of these complaints are rogue businesses and content service providers who refuse to follow the law and use unorthodox methods to get people’s personal information.
Courtesy of anti-terrorism security laws such the Private Security Regulation Act of 2016, guards manning buildings have the power to record and temporarily withhold identification documents.
While this law limits their use of the information to security purposes, there is no requirement for systems within private security companies that ensure that data protection principles are adhered to.
Due to the Covid-19 pandemic, the Ministry of Health mandated the introduction of passenger manifests for Public Service Vehicles travelling beyond 50 kilometres and attendance registers for places of worship.
All these laws add to situations where Kenyans have to share their personal information for legitimate purposes but the information gets misused.
The Constitution and the Data Protection Act provide adequate remedies for this menace but the problem seems to be more complex because of two reasons.
First, the lack of awareness by citizens and secondly, impunity by entities that process personal information.
A 2019 study by Ipsos on behalf of the Centre for International Governance Innovation (CIGI) found that only 44 percent of Kenyans are concerned about their online privacy.
In 2021, an opinion poll jointly commissioned by Amnesty International Kenya and the Open Institute conducted by Infotrak and Research Consulting Limited found that only 54 percent of Kenyans are aware of their right to privacy.
The right to privacy ranked fifteenth in the order of issues Kenyans are aware of while 70 percent were still unaware of the Data Protection Act.
With such a high population unaware of their rights under the law, rogue businesses continue to act with impunity with the confidence that they might not be reported to the newly established Office of the Data Protection Commissioner.
On direct marketing, the Data Protection Act states that personal data shall not be used for commercial purposes unless express consent has been sought and obtained from the recipient.
The Act further describes consent as any manifestation of express, unequivocal, free, specific and informed indication of an individual’s signifying agreement to the process of their personal data.
Recently, the Data Protection Commissioner and the Cabinet Secretary in the Ministry of ICT, Innovation and Youth Affairs established the Task Force on the Development of the Data Protection Regulations.
Opt-out versus Opt-in
The task force developed draft General Regulations stating that an entity may use personal data concerning an individual for the purpose of direct marketing only if they have collected the personal data from the individual, notified them of the purpose for collection, and the individual has consented to the use.
The business will also be required to provide a simple opt-out mechanism.
Many businesses justify unsolicited messages by arguing that they have provided an opt-out mechanism but the Kenyan law actually requires an individual to opt-in.
This is a different approach from Europe where the ePrivacy Directive allows a limited exemption from the strict opt-in requirement for direct marketing by electronic mail to individuals whose details the business obtained ‘in the context of the sale of a product or service’. This exemption, however, limits the direct marketing to similar products or services only.
Since it seems people’s personal information is everywhere and its collection is not stopping soon, the best thing that can be done to remedy the situation is to create a culture of adherence to data protection laws, especially through purpose limitation.
Businesses should learn to use personal information for the sole reason they acquired it for. If they acquired it in the course of a mobile money payment transaction, the information should not be used for marketing purposes unless the individual expressly opted in and gave consent for direct marketing.
The Office of the Data Protection Commissioner on the other hand needs to work on citizen awareness.
This will enable more people to report on data protection infringements which will eventually lead to them issuing penalty notices to businesses that do not follow opt-in for direct marketing as required by law.