BAKE Kenya and Data Protection: Are Regulations Doing Enough to Protect Kenyans?

Are Kenyans protected online? Is their data safe in the hands of third-party handlers? Are Kenyans themselves aware of their online rights?


Yesterday, BAKE Kenya had an interactive online session with some leading experts in the data protection and human rights area. Earlier on, BAKE had held the same meeting with different hosts, but the agendas explored the same areas in data privacy, protection of personal data, and the way forward for business and human rights online in the state.

One thing that was highlighted throughout the session is that the majority of Kenyans understand what privacy is, but are hardly aware of privacy in the digital space. This point was explored extensively by Grace Mutung’u, a Research Fellow at CIPIT at Strathmore University.

It emerged that there is a privacy paradox among Kenyans, where internet users demonstrate a tendency toward behaviours that compromise their online activities. A certain degree of risk perception illustrates diverse knowledge of privacy protection strategies (as backed up by Parliament Acts), but according to Advocate of the High Court and Data Privacy Protection Expert Mugambi Laibuta, local data protection strategies are still insufficient and are yet to be enforced fully.

Furthermore, the hosts added that while Kenyan internet users show an interest in the privacy of their data and maintain a positive attitude toward privacy-protecting behaviour, this rarely translates to their actual behaviour.

Still, Kenyans deserve to have their data protected; but Mugambi says that data protection regulations are just not stringent enough, or their enforcement is under par.

Some of these issues have been linked to data handlers that are not doing enough to inform the public about their right to privacy. Some handlers are also blatantly misusing data submitted to them by their customers.

For instance, bulk SMS providers and their associated businesses are some of the main culprits that were mentioned in the session. We have seen cases where customers are spammed with promotional messages that they did not ask for. And who is to blame: the business or the bulk SMS provider? It is an area that has been talked about extensively but has hardly seen any key developments in the past couple of years. The issue was also delved into two years ago – and friends of the industry are still waiting for answers.

Nevertheless, these actions cement the assertions that online service providers have demonstrated that robust data protection decisions and abstract risk awareness cannot be interchanged. In other words, data protection decisions do not change according to modified preferences. This is why there is a stark disparity between stated preference and actual online behaviour.

Where the Data Protection Act appears not to do enough is reflected in its failure to educate Kenyans about their rights and the manner in which they should behave online. While most Kenyans are aware of their privacy risks on the internet, they still have a tendency to share private information in exchange for services, some of them personalized.

Finally, there’s a need to interrogate the issue of compliance, especially in data protection. The interrogation process should be all-encompassing, including a human rights angle.