Draft Data Protection Bill critically limited, says ARTICLE 19
ARTICLE 19 submitted its comments on the Draft Kenya Data Protection Bill 2009 (draft bill) to the Constitution Implementation Commission of Kenya (CIC) in October 2011.
DATA PROTECTION AND FREEDOM OF INFORMATION
ARTICLE 19 believes that data protection and freedom of information are complimentary rights designed to empower citizens to protect their rights and to improve the transparency of both public and private bodies. ARTICLE 19 supports the adoption of well-crafted data protection laws that protect individuals' rights while ensuring government transparency and freedom of expression.
Over 70 countries have now adopted data protection laws covering the collection and use of personal information. Over 50 of those countries also have freedom of information laws.
The right of data protection has been growing in Africa over the last few years. So far, eight countries in Africa (Angola, Benin, Burkina Faso, Cape Verde, Mauritius, Morocco, Senegal, and Tunisia) have adopted comprehensive laws. Earlier this year, ECOWAS adopted a Supplementary Act A.SA.1/01/10 on Personal Data Protection which requires all member states to adopt data protection laws.
Scope of the Draft Bill Overly Limited
The draft bill appears to only apply to personal information held by public authorities (described in Article 3 as both a "controller" and "agency", which is undefined). This is significantly weaker than the similar laws in the eight African countries, as well as the 70 other national data protection laws across the world, which apply to both public bodies and private bodies such as corporations and non-profit bodies. The draft bill is more akin to the Privacy Acts found in many countries which only apply to government bodies.
While the draft bill will bring greater accountability to the processing of information about Kenyan citizens held by government bodies, the restriction to public bodies substantially limits the usefulness of the act as a means to enhance international trade to Kenya. European (and many other countries') law limits the transfer of personal information for outsourcing and other reasons to only countries with adequate data protection laws, which is why many countries in Africa, Asia and Latin America have adopted laws recently. This bill as drafted will not allow European data controllers to transfer personal information to Kenya because it does not apply to the private sector. Thus a major reason for adopting the bill will not be achieved.
A positive effect of this limitation is that 'invasion of personal privacy' may not be used as a justification to prosecute journalists who have published personal information in the public interest, such as corruption by public officials. This may remain a problem in other legislation such as the criminal code. Most data protection laws remedy this problem by putting in specific exemptions for information collected for journalistic or artistic purposes.
The draft bill should be extended to apply to the private sector. If it is, there should be an exemption specifically for media and academic, artistic, and journalistic activities.
( . . . )
Download the Draft Data Protection Bill:
Kenya_ARTICLE19_Data_Protection_Bill_Final.pdf (432 KB)