In April 2021, the office of the Kenyan Data Commissioner issued draft data protection guidelines which were subjected to public participation before their adoption. These are:
- The Data Protection(Compliance & Enforcement) Regulation, 2021
- Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021
- The Data Protection (General) Regulations, 2021
Our firm was one of the two firms requested to submit its thoughts and comments on the draft regulations. Below are our thoughts and comments on the draft Data Protection (Compliance & Enforcement) Regulation 2021 highlighting areas of concern and our recommendation to the Office of the Data Protection Commissioner to ensure not only a legally sound regulation but also one that would practically enable business in a world of data privacy.
Part II – Complaint Handling Procedure
Area of Concern | Recommendation by | |
1. | Reg 4 Lodging of Complaints | Section 4 provides for the mechanisms for complaining. This Section does not provide for what constitutes a complaint. Does a request for Alternative Dispute Resolution constitute a complaint? Does a notice of dispute to the Office of the Data Commissioner constitute a complaint? The regulations need to demystify this to avoid confusion and speculation by any person making a complaint. The regulations do not specify the criteria for data breach notifications. We recommend that the Data Commissioner issues Personal data breach notification guidelines. Since there are so many advantages of outsourcing cloud computing services, such as cost and flexibility, and higher levels of IT security assurance, it would be important to issue guidelines to facilitate control of data processing from a cloud computing angle, criteria and assessment for cloud service procurement requirements, governance and responsibility to provide uniformity in assessing and managing risks related to data protection. Section 4(1)d provides that a complaint can be lodged orally. The section does not provide for guidelines on how oral complaints will be lodged. What will be the verification procedure for valid complaints in this case? We have noted that Form 1 only provides for the written complaint. Section 4(2)d provides for making complaints anonymously. It is not clear how the anonymity will be handled. The section accords the complainant’s anonymity but it is not absolute. The complaint can be disclosed to the Respondent therefore vitiating the whole principle of anonymity. In addition, anonymity is discretionary for the Office of the Data Commissioner. The Complainant should have this right absolutely. |
2. | Reg 5 Register of Complaints | The Data Commissioner will maintain a register of complaints. Will the register of complaints held be accessible to the public for perusal? It is important to note that the Office of the Data Commissioner is not immune to breaches or data protection weaknesses. Are there internal safeguards on how the data provided by the members of the public will be handled? Will there be a privacy notice that provides how they protect data and personal information will be handled? |
3. | Reg 6 Screening of Complaints | The regulations have not provided for what mechanisms will be put in place to monitor the progress of complaints. We recommend that the Data Commissioner provides a draft complaint handling procedure which will help reduce the risk of organizations feeling uncertain, confused and overwhelmed. The Data Commissioner can subject the guidelines to commentary by the public. Section 6(3) has provided for circumstances where the Data Commissioner may decline to admit a complaint. However, there are no criteria for determining the parameters for declining to admit a complaint. There is a risk of a lack of uniformity when it comes to admitting complaints. Subject to Section 6(4), The Data Commissioner will take action upon screening the complaint. There are no timelines provided for when a complaint is made to when the action plan is taken. Parties must be aware of timelines of when the Office will act upon the complaint. This will also ensure there is no undue delay in acting on the complaints. |
4. | Reg 11 Notification of a Complaint to the Respondent | The regulations provide for 14 days for the Respondent to put in a response to the complaint upon admission. However, the Regulations have not specified a period of notifying the Respondent upon admission of the complaint. The Respondent may require more time to enable them to adequately respond to the complaints. In this case, the Data Commissioner should have discretionary powers to extend timelines, upon request by the respondent. It is important to consider certain situations whereby the liability falls on a joint processors or joint controllers. What happens if one joint controller is reported but upon further investigations you discover that the liability also falls on another joint controller? What happens when a Controller is reported but the liability falls on the processor? Who will join the parties? Will there be a 3rd party liability? There may be an issue of privity of contact where the complainant and the entity in breach don’t have a nexus but the entity is required to pay compensation to the Complainant. |
5. | Reg 13 The Outcome of a Complaint | Section 13(3)e provides for the remedy of an order for compensation to the data subject. How will the Data Commissioner be guided when making these orders for compensation? |
6. | (Reg14) Negotiation, Mediation or Conciliation | We appreciate that these regulations have embraced Alternative Dispute Resolution Mechanisms. Section 14(1) makes provisions for the Data Commissioner to facilitate the negotiation, mediation and conciliation. In this case, what does facilitate mean? Will the Office appoint a mediator? Will the office be the mediator in the matter? Impartiality may come into question because the Data Commissioner is the enforcer and prosecutor as well. In addition, the Regulations have not envisioned instances of Arbitration. Will the arbitral award be adopted by the Data Commissioner? Will the parties need to file the award with the Data Commissioner? Subject to Section 14(6), It is not clear what happens when a party who has opted for mediation, negotiation or conciliation, withdraws or no resolution is found such that the process is not concluded. |
Part III – Enforcement Provisions
7. | Reg 18 Appeals against Enforcement Notice | There are conflicting timelines as to when a party may appeal against an enforcement notice. Form 7 refers to 30 days while the regulations refer to 21 days. This may bring confusion when it comes to interpretation. |
8. | (Reg 19) Issuance of an Enforcement Notice | Section 19(1) c provides for administrative fines. There should be a schedule of fines to guide on criteria used to issue fines. The transparent criteria for issuance of fines will ensure comparability and uniform application across all complaints. |
9. | Part III Enforcement Provisions | The Data Commissioner will be encountering various complaints from tech giants who have a lot of technical expertise and use very advanced systems. This will require the Office of the Data Commissioner to be well-equipped in the technical know-how to be able to assert enforcement decisions against well-established tech-savvy companies. |