
WANGARI: KRA to be exempted from data protection in Finance Bill

Taxman will now have easier and full access to all possible data and information from third parties such as telcos

by Josephine Mayuya

Siasa | 19 May 2024 - 06:45

In Summary


  • Digital rights advocates forewarned that unchecked powers could unsettle the entrepreneurial risk appetite for innovation in Kenya.
  • What are the wider ramifications for failing to adequately protect sensitive customer data?

KRA officer Christine Milimo assists a member of the public rushing to beat the deadline to file tax returns at the support centre at the Nairobi Railways Club.

As Kenya’s Data Protection Act, 2019 turns five this month, we reflect on this positive milestone, progress, challenges and the future of protecting the privacy and personal data of Kenyan citizens.

A dark spot on this positive development is the Treasury’s proposed amendments to the Data Protection Act of 2019, giving special exemptions, enhanced data monitoring and sharing powers to the Kenya Revenue Authority.

Its impact on Kenya’s financial services sector is a major concern.

Beyond the dynamics of the digital applications, our legal uncertainties, data privacy and security threats in the financial sector, there are public alarms from experts cautioning against KRA’s unrestricted and unmonitored access.

The proposal in the Finance Bill, 2024 aims to exempt KRA from the provisions of the Kenya Data Protection Act when accessing personal and financial information deemed “necessary” for tax assessment and collection.

KRA will now have easier and full access to all possible data and information from third parties such as telcos, M-Pesa and banks.

These new proposals are part of Kenya’s Draft Medium-term Debt Strategy for 2024-25 – 2026-27.

The proposal comes swiftly after the implementation of the Electronic Tax Invoice Management System (eTIMS): a data management and reporting system by KRA. To boost tax revenue collection, Kenya’s National Treasury proposes the following integrations:

  1. Integration of tax administration systems with those of the Integrated Population Registry (IPRS);
  2. Integration of tax administration systems with telcos and banks;
  3. Integration of KRA tax administration systems with betting and gaming systems.

At the peak of the evolving data threats, risks and concerns around protecting consumer information, the Data Protection Act introduced measures to protect the rights of data subjects, including the right to access, rectify and erase personal data.

Consequently, this gives individuals greater control over their personal data while helping promote transparency and accountability among data controllers.

While KRA states that the goal is purely meant to enhance tax compliance and close loopholes, digital rights advocates have forewarned that unchecked powers could unsettle the entrepreneurial risk appetite for innovation in Kenya.

Another key provision will allow KRA to require any business to directly integrate its operational systems with the agency’s electronic tax system known as eTIMS. Failure to comply would attract penalties of as much as Sh2 million ($16,000) per month – a potentially existential threat for smaller start-ups.

KRA is pursuing the “national interest” by digitising all revenue collection processes while accessing granular, real-time data on commercial transactions from businesses.

In this quest, how will KRA conduct its business, what are the associated risks and the mechanisms to mitigate them, and what are the wider ramifications of failing to adequately protect sensitive customer data?

A keen analysis of the data protection impact assessment conducted in accordance with Section 31 of the Data Protection Act reveals that, as a country, we are not yet mature enough to collect, process and store personal digital data securely without infringing Kenyans’ right to privacy and protection.

Further, the report provides inadequate information on cross-border data-sharing safeguarding requirements to be complied with by KRA before transferring personal data outside the country, data localisation requirements and the exemptions from the UK General Data Protection Provisions (GDPR).

KRA is poised to face a significant consent architecture. They must provide a notice to customers seeking consent to process their personal data for specific purposes. KRA must take steps towards developing technical capabilities to maintain records of all such notices, consents and customer responses.

This consent architecture now also gives consumers the right to withdraw their consent for the processing of any personal data at any point in time. The technological ease of enabling withdrawal of consent must be at par with the ease with which consent was taken.

KRA will have to carefully navigate this requirement to meet compliance. At the same time, KRA will have to ensure that they are not caught unawares due to sudden withdrawal of consent. They must simultaneously comply with the Central Bank of Kenya’s fairly extensive regulatory regime for banking and financial services.

As businesses navigate this evolving landscape, it is clear that the success of this data protection exemption and similar initiatives hinges on addressing data privacy, security, legal uncertainties and public concerns.

The path forward requires careful consideration and collaboration to unlock the potential benefits, while safeguarding the rights and interests of all stakeholders involved.

Kenya can forge a digital identity future that enhances services, inclusion, and economic growth through a comprehensive and well-considered approach.

Postgraduate student at the University of Edinburgh. @kennedykwangari


© The Star 2024. All rights reserved