Africa needs own data protection regulations

Kenya’s data protection is elusive regardless of the DPA. FILE PHOTO | NMG
 By Ombo Malumbe

Africa is known for various impressive, annoying, hurting, and disappointing factual events. The Data Protection Act No. 24 of 2019 (DPA), is one of the fabricated tales. There are startling writings that indicate the African continent has been – probably still is – a testing ground on various issues,
including biochemical experiments.

These practices enable the experimenters to collect raw data to enable them to understand whether the version of whatever tested is worth it or needs further improvement.

Kenya had the opportunity to take notes while observing the western countries grapple with issues on data protection, but that did not happen. Kenya, like most African countries, borrows a lot from Western countries when it comes to making a step to legislate on “new” areas of law.

However, even when having the opportunity to implement useful Research and Development (R&D) practices and procedures, it terribly fails and merely adopts the Copy and Paste Principle, which is quite fast. However, it lacks a sense of direction because there is no R&D.

While the writing of the DPA has the taste of the United Kingdom’s Data Protection Act, 2018 & 1998, there are other elements from other legislations. On April 27, 2016, when the European Union (EU) was approving the famous General Data Protection Rules 2016/679/EU (GDPR), it shared a firm conclusion about the Directive through its Official Journal of European Union.

It stated that the Directive 95/46/EC (the Directive) “objectives and principles of the Directive remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity.”

The EU concluded that there was a need to advance the issue on Data Protection. As a result, the Directive had to be repealed in favour of the GDPR.

The European Commission Decision 2000/520/EC that was birthed as a result of the Directive, both repealed, in letter and spirit, influenced critical provisions under the DPA. Therefore, like the Commission Decision 2000/520/EC, the DPA provides that Data Controllers and Data Processors can self-regulate.

The idea of self-regulating provided a loophole for the Data Controllers, and Data Processors in the US have their Government engage the EU on diplomatic terms, which the US did through its Department of Commerce (DoC).

The results of these diplomatic discussions resulted in effecting Commission Decision 2000/520/EC popularly known as the Safe Harbour Regulations.

The Safe Harbour Regulations operated for at least a decade before questions were raised about its legality and whether it is superior or inferior to the Directive.

The legislators in Kenya had the opportunity to conduct R&D and perform the necessary comparative analysis on why the EU, post Maximillian Schrems v Data Protection Commissioner C-362/14 decision, had to invalidate the application of the Safe Harbour Regulations.

Also, what is new in the GDPR that must be adopted by Kenya to protect the data subjects in Kenya. It means that later on after the citizenry realise the DPA provides elusive Data Protection, the future legislators will repeat the words indicated under the Official Journal of European Union.

The legislators will state that while the objectives and principles of the DPA, 2019 remain to be sound, the DPA has failed to protect the data subjects to the extent that the then legislators envisioned.

It is with the lack of or poor R&D practices that Kenya failed to take the observers position like researchers conducting experimental tests on a guinea pig.

Thereafter, it should have come up with a near-perfect instrument that protects the interests of Kenyans and not blind the citizenry to protect the entities accessing the personal data. While the DPA has some elements as those of the Directive, Data Protection Act, 2018 & 1998, and the GDPR, the DPA fails to factor critical issues such as avoiding to provide companies with the Self-Regulating option.

That option is not available under the indicated laws or regulations – whether repealed or not – save for Commission Decision 2000/520/EC that was rendered invalid by the Court of Justice of the European Union. Therefore, it is evident that Kenya’s data protection is elusive regardless of the DPA.

Ombo Malumbe, via email