Hot on the heels of Europe’s widely celebrated General Data Protection Regulation (GDPR), which became effective 25 May 2018, Kenya’s first piece of legislation specifically addressing data collection, processing and storage has now been presented before the Senate and released for public debate and scrutiny. The Data Protection Bill 2018 (‘The Bill’), as it is officially termed, was released earlier this month by the Committee on Information, Communication and Technology, chaired by Baringo County Senator, Gideon Moi.
As discussed on numerous occasions on this column, and similarly emphasised by like-minded columnists, the digital revolution is currently underway, not only in Kenya but the world over. From the industrial age where cash was crowned King, I dare say that in today’s age, it is not cash but information that is King.
It is the recognition of the significance and prominence of information in the world we live in today that has necessitated regulators round the world to revisit data protection, leading to GDPR as the titular legislative piece on matters data protection. Similar to the vast powers conferred to the American Foreign Corrupt Practices Act (FCPA) on matters corruption, GDPR hopes to be the global legislative trend setter on matters data protection, with extra-territorial reach.
True to speak, GDPR has far reaching consequences, with anyone that is engaged in trading of goods and services with the EU block being captured under its net. With cross-border and third party compliance requirements, the effects of GDPR will be felt worldwide.
Kenya, in her first attempt at a legislation exclusively tailored to target data protection concerns, largely moulded the Data Protection Bill 2018 after GDRP, inclusive of cross-border and third party compliance requirements. Indeed, it is arguably a decent first stab at data protection. However, it is not expected to be the final product, with a number of changes in the pipeline before it is presented to the President for accent.
The above notwithstanding, the draft Data Protection Bill 2018 as currently stands is not without criticisms. Notably, civil society groups have come up in arms at the content of Section 3 of the Bill, which excludes the application of provisions of the bill in processing of personal data in the context of national security and the prevention, detection and identification of criminal activities. I contend, however, that this exclusion is not only to be expected, but is state legislative practice as well.
End of the day, however, whether a critic of a celebrant, consensus can be drawn to the fact that this is a first step in a very important process. With the value attached to information, and the increasing relevance of data, including big data, the existence of comprehensive data protection legislation is intrinsically necessary in today’s age.