Proposed law lacks stronger consumer controls
The data protection bill lacks a data portability provision, which is a key principle in data privacy and protection laws.
Last week, a mobile phone user on Twitter blew the whistle on a SIM card swap fraud that was carried out without him sharing his personal identification information. A number of other users who had also fallen victim came out corroborating the accusation. The Communications Authority of Kenya and Safaricom later released separate statements warning mobile phone users against disclosing personal identification information amid the SIM card swap fraud.
But those statements avoided the crux of the matter. The fact that SIM cards can be swapped without users sharing their personal details means that fraudsters are accessing customers’ personal details held by the mobile network operators, which brings into question whether customers are really in control of their personal information.
Now, Senate ICT Committee chair Senator Gideon Moi has submitted a data protection bill to the House in an attempt to review Kenya’s data protection laws. In retrospect, given the importance of such a bill, it was surprising that it was not available anywhere online for thorough scrutiny during the public participation stage. This confirms what many have observed over time: that public participation in the legislative process is being reduced to a mere ceremonial event. But more profoundly, is the bill intended to address our current weaknesses in data protection?
There are three principles used to analyse an effective data protection law.
First, a good data privacy and protection law gives consumers the ability to access and manage their data, and to authorise and revoke sharing of their data. For example, the new European Union General Data Protection Regulation primarily provides consumers with greater rights to manage how their data is shared by their service provider with third parties.
The proposed bill provides elaborate clauses on consent in the collection of information as well as the management of collected information, but it leaves loopholes and damaging exemptions open to misuse and abuse. For instance, there is a need to set the burden for both “inform” and “receive” consent, and not just a “pass-through” consent.
The right of consumers to ask any agency to delete their data, sometimes referred to as the right to be forgotten, is an important principle in data protection but is missing from the bill.
Also, article 12 (e) of the bill provides that an agency can fail to comply with the laid down data collection procedures if compliance would prejudice the purpose for which the information is collected. This clause opens the door to misuse of consumers’ personal information.
Second, there is a need to define clearer and stronger rules on data receivers and processors, including liabilities for their conduct. A good data protection law puts liability for handling private and sensitive information on data collectors.
For example, in the current widespread SIM card swap frauds, more liability should be placed on mobile network operators so that they implement tight internal controls to detect and mitigate such frauds, especially since their agents collect a lot of personal information (ID number and signatures) when customers deposit/withdraw money.
Third, the bill lacks a data portability provision, which is a key principle in data privacy and protection laws. This is the right of consumers to port data to third parties they designate to receive such information. For example, if I wish to move from my current bank to another, I would simply request my current bank to share all my information with the bank I intend to move to and, if admitted, I can move with all my data.
The biggest feature of data portability is that it enhances consumers’ control over their personal information and encourages competition by eliminating switching costs, as in the case of porting from one bank to another.
In short, what seems to have been lost in the proposed law is that data protection basically includes the various facets of data privacy, protection and liability laws for stronger consumer consent and control.