In April 2021, the Office of the Kenyan Data Commissioner issued draft regulations which were subjected to public participation before their adoption. These are:
- The Data Protection (Compliance & Enforcement) Regulations, 2021
- The Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021
- The Data Protection (General) Regulations, 2021
Our firm was one of the two firms requested to submit its thoughts and comments on the draft regulations. Below are our thoughts and comments on the draft Data Protection (Compliance & Enforcement) Regulation 2021, highlighting areas of concern and our recommendations to the Office of the Data Protection Commissioner, with the aim of ensuring not only a legally sound regulation but also one that practically enables business in a world of data privacy.
1. Part II – Enabling the Rights of a Data Subject

Area of Concern / Recommendation by TripleOKLaw LLP

1. (Reg 4) Consent by Data Subject

   Recommendation by TripleOKLaw LLP: It would be prudent for Regulation 4(3) to require that a data subject be informed of their right to withdraw consent before personal data is processed, where such processing relies solely on the data subject's consent.

2. (Reg 8) Data Access Request

   Recommendation by TripleOKLaw LLP: The Regulations should include a provision obligating data controllers and processors to use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. The provisions in Reg 8(4)(a) are not clear as to how a data subject accessing his/her own personal data could result in a serious threat to the data subject's life, health or safety. This should be clarified to avoid complaints of breach of the right to access information enshrined in Article 35 of the Constitution.

3. (Reg 10) Data Portability

   Recommendation by TripleOKLaw LLP: Regulation 10 grants data controllers and processors discretion in deciding when to deny a data subject his/her right to portability. However, we suggest that the Regulations specify the instances in which the right to data portability may be denied, mainly because the Regulations are intended to enable the data subject's rights rather than inhibit them. For instance, the provision could read:

   A request for data portability may be declined on the grounds that the request is:
   a) manifestly unfounded; or
   b) excessive.

   A request may be manifestly unfounded if:
   a) the individual clearly has no intention to exercise their right to data portability;
   b) the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption;
   c) the request makes unsubstantiated accusations against a data controller/processor or their specific employees;
   d) the individual is targeting a particular employee against whom they have some personal grudge; or
   e) the individual systematically sends different requests with the intention of causing disruption.

   A request may be excessive if:
   a) it repeats the substance of previous requests; or
   b) it overlaps with other requests.

   Such or similar provisions would ensure that data controllers and processors do not unlawfully deny data subjects their right to data portability on the basis of their own discretion.
2. Part III – Restrictions on the Commercial Use of Personal Data

(Reg 14, 15, 16 & 17) Permitted Commercial Use of Personal Data

Recommendation by TripleOKLaw LLP: The regulations provide for an opt-out but not for an opt-in when it comes to direct marketing. In the wake of digital transformation, these regulations leave certain loopholes that could be exploited:

1. Disguising or Concealing the Identity of the Sender

   There are instances where direct marketing is done with the identity of the sender concealed or disguised. This should be strictly prohibited, in the spirit of transparency and in order to uphold the data subject's rights.

2. Host Mailings

   The regulations are silent on host mailings, which are mailings in which the Data Controller encloses third-party materials. Data Controllers have been known to use third-party materials while conducting direct marketing activities. The Data Controller should therefore ensure that host mailings are clearly identifiable. Selection criteria that have a detrimental effect on the rights of the Data Subject must not be used, e.g. sensitive data linked to a sales pattern (past purchases of a pharmaceutical product).

3. Right to Object to Disclosure of Personal Data to Third Parties

   Data Controllers or Data Processors may, while processing personal data, require third parties to carry out their functions. This warrants the disclosure of the Data Subject's personal information to third parties for direct marketing purposes. The data subject should therefore be informed of the disclosure of their personal information to third parties and afforded the right to object to such disclosures; the Data Subject should not be surprised to receive direct marketing from third parties on behalf of the Data Controller. The Data Subject should also be informed of the effect of their objection. Data Controllers and/or Data Processors should have in place an agreement that binds the third parties to the same privacy obligations.

4. In-house Suppression Lists

   We appreciate that the Regulations set out a procedure to be followed by a data subject who no longer wishes to receive direct marketing. However, good practice is for data processors or data controllers to maintain an in-house suppression system that blocks the identifiable data of Data Subjects who have asked not to be approached for direct marketing purposes. This would avoid situations where data subjects receive marketing information long after they withdraw their consent. The regulations also do not provide a period within which Data Processors or Data Controllers must stop sending marketing information to the Data Subject upon withdrawal of consent. The Data Controller or Data Processor may also maintain an updated archive of suppression requests to keep track of them.
3. Part IV – Obligations of Data Controllers and Data Processors

(Reg 18) Retention of Personal Data

Recommendation by TripleOKLaw LLP: In addition to the mandatory provisions that a retention schedule must contain under Reg 18(4), the General Regulations should also require that the schedule outline the nature of the personal data to be retained.

(Reg 21) Automated Individual Decision Making

Recommendation by TripleOKLaw LLP: In addition to the requirements that controllers must meet in carrying out automated individual decision making, we suggest that the General Regulations incorporate the following:
a) A requirement for regular quality assurance checks of data controllers'/processors' systems to make sure that individuals are treated fairly and not discriminated against, whether on the basis of sensitive personal data or otherwise. In addition, a requirement for algorithm auditing, so that the algorithms used and developed by those systems are tested to ensure they actually perform as intended.
b) A requirement that data controllers/processors employ specific data minimisation measures, including clear retention periods for profiles.

We further suggest that the General Regulations regulate instances where a controller/processor shares or transfers personal data with organisations that use such personal data to profile data subjects, where such profiles are used to make decisions about them.

(Reg 22) Data Protection Policy

Recommendation by TripleOKLaw LLP: We appreciate that the General Regulations provide for mandatory clauses that a privacy policy should include. However, based on best practice, and in furtherance of the principle of transparency towards the data subject, we suggest that Reg 22 incorporate the following additional mandatory inclusions:
a) the legal basis for processing data for the intended purpose;
b) whether the controllers/processors will use personal data in automated decision-making, and the measures taken; and
c) the sources of the personal data when the controller/processor collects it from third parties, including publicly accessible sources.
4. Part V – Elements to Implement Data Protection by Design or by Default

(Reg 28, 29, 30, 31, 32, 33 & 34) Elements for Data Protection Principles

Recommendation by TripleOKLaw LLP: The General Regulations set out, for each principle, elements that may be included in data protection by design or by default. However, the regulations do not provide for the principle of fairness in privacy by design or by default. We recommend the following under the principle of fairness:
- granting data subjects the highest degree of autonomy possible with respect to control over their personal data;
- data subjects must be able to communicate with the controller and exercise their rights;
- data processing should correspond with data subjects' expectations;
- non-discrimination against data subjects;
- no exploitation of the needs or vulnerabilities of data subjects;
- avoidance or mitigation of asymmetric power balances;
- respect for the fundamental rights and freedoms of the data subject;
- qualified human intervention capable of correcting biases that machines may create; and
- provision of information about the processing of personal data based on algorithms that analyse or make predictions about data subjects, such as work performance, economic situation, health, personal preferences, reliability or behaviour, and location or movements.
5. Part VI – Notification of Personal Data Breaches

(Reg 35) Categories of Notifiable Data Breach

Recommendation by TripleOKLaw LLP: We appreciate that the General Regulations provide for categories of notifiable breaches. However, borrowing from best practice, we suggest that the regulations refer to specific notifiable breaches rather than a blanket mention of categories of notifiable breaches. This can be achieved by issuing further guidelines. For instance, the European Data Protection Board recently issued Guidelines 01/21 on Examples regarding Data Breach Notification. These guidelines are informed by common experiences since the GDPR became applicable and are intended to assist data controllers and processors in deciding how to handle data breaches and what factors to consider during risk assessment. The guidelines take into account instances that give rise to breaches, including:
1. ransomware;
2. data exfiltration attacks;
3. internal human risk sources;
4. lost or stolen devices and paper documents;
5. mispostal; and
6. social engineering.

The General Regulations or further guidelines should make provision for the above, which can be divided into two categories:
a) human error (e.g. lost devices) resulting in a breach, which can be reduced using measures such as encryption and standard operating procedures; and
b) external attacks resulting in breaches, which can be reduced using measures such as encryption and regular backups.

The regulations or further guidelines should document the organisational and technical measures that data controllers/processors should adopt to identify, notify and mitigate the risks.

(Reg 36) Notification to Data Commissioner

Recommendation by TripleOKLaw LLP: In addition to the particulars of a data breach notification enumerated in Reg 36, the Regulations should set minimum requirements for the plans and procedures that data controllers must put in place for handling eventual data breaches. The EU guidelines set out certain takeaways which Kenya could adopt to help mitigate the risks relating to a potential data breach, including the requirement to have an internal incident response process and the internal documentation to support it. Such measures will hold controllers accountable.

Separately, we suggest that, further to Section 43(6) of the Data Protection Act, the General Guidelines should provide that communication to the data subject shall not be required if any of the following conditions are met:
a) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
b) it would involve disproportionate effort, in which case there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
6. Part VII – Transfer of Personal Data Outside Kenya

(Reg 38, 39, 40 & 41) Transfer of Personal Data outside Kenya

Recommendation by TripleOKLaw LLP: We appreciate the parameters provided in the guidelines with regard to international data transfers. Due to the risks posed by such activities, it is imperative to set out a much more detailed threshold for such transfers. The ambiguity left to interpretation and compliance by a transferring entity may not be enough to ensure that appropriate safeguards are in place. In Europe we have seen instances of threats to national security, so stakeholders will be keen to see whether data controllers will be subjected to strict requirements on international transfers. The following are our recommendations as a minimum to safeguard personal data:

1. Essential Guarantees
   - The processing of personal data should be based on clear, precise and accessible rules;
   - the processing must be necessary and proportionate with regard to the legitimate objectives pursued;
   - an independent oversight mechanism should exist; and
   - effective remedies need to be available to affected individuals.

2. Technical Measures
   - Encrypting the data using a state-of-the-art algorithm that is robust against cryptanalysis and "flawlessly implemented".
   - Pseudonymising the data so that it cannot be attributed to a specific data subject, or be used to single out the data subject within a larger group, without additional information.

3. Contractual Measures
   - The parties to implement certain technical measures before the transfer takes place;
   - the transferring entity to provide the recipient with certain information on the ability of public authorities to access the data, to assist the transferring entity with its assessment of those laws;
   - the recipient to certify that it has not purposefully created, and is not legally required to create, a back door that the authorities can use to access the data;
   - the parties to review all surveillance requests from the authorities to ensure that they are valid, and to use best endeavours to challenge any invalid requests, including via the courts;
   - the parties to notify affected individuals of any surveillance requests, where legally permitted, to give them the opportunity to challenge the legality of the surveillance request; and
   - the recipient to regularly publish a cryptographically signed message informing the transferring entity that, as of a certain date and time, it has received no orders to disclose personal data.

4. Organisational Measures
   - Adopting "strict and granular" data access and confidentiality policies and best practices that ensure that personal data is only accessed on a strict need-to-know basis;
   - segregating any personal data that is not strictly necessary to be transferred to a third country; and
   - appointing a specific team responsible for dealing with requests that involve personal data transferred from Kenya. The team should include experts in IT, data protection and privacy law and should report to senior legal and corporate management.

In addition to the requirements provided for cross-border transfer, it would be important to incorporate the following provisions as rights of the transferring entity:
1. The transferring entity has the right to suspend the transfer and/or terminate the contract where the recipient is not able to comply.
2. The recipient must inform the transferring entity promptly of any inability to comply and certify that it has no reason to believe that applicable legislation prevents it from fulfilling its obligations. The recipient must also be notified if those requirements change in a manner that would have a substantial adverse effect.
3. If the transferring entity receives notification from the recipient of a change in the relevant legislation likely to have a substantial adverse effect on the transfer, it must forward the notification to the Office of the Data Commissioner if it decides not to suspend the transfer. The supervisory authority then has the right to audit the recipient to ascertain whether the proposed transfer should be suspended or prohibited in order to ensure an adequate level of protection.

We recommend that the Office of the Data Commissioner issue further independent guidelines for cross-border transfers, as other jurisdictions have done. The office could go further and provide template forms to be completed by the entities, which would give guidance on the threshold. In the EU, the European Commission has produced draft Standard Contractual Clauses as a minimum for the transfer of personal data to third parties in other jurisdictions, to ensure that appropriate safeguards are in place.
7. Part VIII – Data Protection Impact Assessment

(Reg 42, 43, 44 & 45 and the Third Schedule) Data Protection Impact Assessment – Processing Activities and Assessment Reports

Recommendation by TripleOKLaw LLP: We appreciate that the General Regulations adopt best practice with regard to the processing activities that require a data protection impact assessment. In addition to those provisions:
1. It would be prudent to also include the following as processes that require a DPIA:
   a) processing personal data in a way that involves tracking individuals' online or offline location or behaviour; and
   b) processing personal data that might endanger the individual's physical health or safety in the event of a security breach.
2. The General Regulations should make it mandatory for data controllers/processors to publish DPIA reports so that they are accessible to data subjects, pursuant to the principle of accountability. Currently, regulation 44(5), which provides for this, allows a discretion that may be abused to deny data subjects access. Exemptions should only be allowed where there is legitimate secrecy.
3. Under Part 1 of the DPIA template provided in the Third Schedule, we suggest that the regulations require data controllers/processors to address the following:
   a) any issues of public concern that could arise in the data flow process; and
   b) the technological and security measures adopted by the controller/processor.
4. Under Part 3 of the Third Schedule, which assesses the risks to the rights and freedoms of the data subject, we suggest that the assessment questions consider whether the project involves the use of technology that could cause re-identification of pseudonymised data, to ensure the privacy of the data subject's personal data.