Last week, a mobile phone user on Twitter blew the whistle on a SIM card
swap fraud that was done without him sharing his personal identification
information. A number of other users who have also fallen victim came
out corroborating the accusation.
The Communications Authority of Kenya and Safaricom later released
separate statements warning mobile phone users against disclosing
personal identification information amid the SIM card swap fraud. But in
those statements the crux of the matter was actually avoided.
The fact that SIM cards can be swapped without users sharing their
personal details means that fraudsters are accessing customers’ personal
details held by the mobile network operators, which calls into question
whether customers are really in control of their personal information.
Now, Senate ICT Committee chair Senator Gideon Moi has submitted a data
protection bill to the House in an attempt to review Kenya’s data
protection laws. In retrospect, given the importance of such a bill, it
was surprising that it was not available anywhere online for thorough
scrutiny during the public participation stage. This confirms what many
have observed over time: that public participation in the legislative
process is being reduced to a mere ceremonial passing event. But more
profoundly, is the bill intended to address our current weaknesses in
data protection?
There are three principles used to analyze an effective data protection law.
First, a good data privacy and protection law gives consumers the
ability to access and manage their data, and to authorise and revoke
sharing of their data. For example, the new European Union General Data
Protection Regulation primarily provides consumers with greater rights
to manage how their data is shared by their service provider with third
parties.
Looking at the proposed bill, it provides elaborate clauses on consent
in the collection of information as well as management of collected
information, but it leaves loopholes and damaging exemptions open to
misuse and abuse. For example, there is a need to make the burden apply
to both “inform” and “receive” consent and not just a “pass-through”
consent.
The right of consumers to ask for deletion of their data with any
agency, sometimes referred to as the right to be forgotten, is an
important principle in data protection but is missing from the bill.
Also, article 12 (e) of the bill provides that an agency can fail to
comply with the laid down data collection procedures if compliance would
prejudice the purpose for which the information is collected. This
clause opens doors for misuse of consumers’ personal information.
Second, there is a need to define clearer and stronger rules on data
receivers and processors, including liabilities for their conduct. A
good data protection law puts liability for handling private and
sensitive information on data collectors.
For example, in the current widespread SIM card swap frauds, more
liability should be placed on mobile network operators so that they
implement tight internal controls to detect and mitigate such frauds,
especially since their agents collect a lot of personal information (ID
number and signatures) when customers deposit/withdraw money.
Third, the bill lacks a data portability provision, which is a key
principle in data privacy and protection laws.
This is the right of consumers to port data to third parties they
designate to receive such information. For example, if I wish to move
from my current bank to another, I would simply request my current bank
to share all my information with the bank I intend to move to and, if
admitted, I can move with all my data.
The biggest feature of data portability is that it enhances consumers’
control over their personal information and encourages competition by
eliminating switching costs, as in the case of porting from one bank to
another. In short, what seems to have been lost in the proposed law is
that data protection basically includes the various facets of data
privacy, protection and liability laws for stronger consumer consent and
control.