Data Protection Bill: Portability section

Thank you for starting this discussion Rafe,

I agree 30 days to honor a consumer data request could be too long compared
to the Access to Information Act, which gives 21 days. Perhaps we should leave it
for the data protection authorities to set guidelines for different
industries and probably encourage automated retrieval of personal data by
the end users.

I am also of the view that data portability cannot be free of charge in all
circumstances. I get the point that the term 'reasonable' may be subject to
abuse (a perfect demonstration is in the presidential elections petition),
but there is also a cost element to collecting data. Why would a company
want to transfer it for free to another company? Of course, I would love to
hear others' opinions on this.

On Fri, Jul 5, 2019 at 5:40 PM Rafe Mazer via kictanet wrote:

> Hi KICTA Net members. I'm Rafe Mazer, a consumer protection in digital
> financial services specialist working in Kenya the past 5 years (and
> globally on this topic for 10+ years.)
> I just saw the new Data Protection Bill within the National Assembly (
> and wanted to raise a discussion internally about Section 38 on Data
> Portability to see if KICTA Net may want to engage further on the topic.
> Specifically there are two aspects that were concerning:
> 1. The allowance for 30 days to honor a data subject's request for
> information held on them.
> In a digital economy, this is an excessively long period, and also quite a
> blunt instrument to apply across the entire economy, where health records
> are different from government records are different from financial records,
> etc. This would also kill the utility of portability in spaces like
> FinTech. Imagine I want to use my economic history with data controllers to
> get competing mobile loan offers. It could take up to 30 days to share that
> information, which is not aligned with the near-instant nature of these
> products and consumers' expectations on timing. Already the Bill rightly
> notes portability should only apply where "technically feasible" to exempt
> low-tech industries or providers, so there is no sense in saying that those
> who are deemed to be able to comply technically with portability should
> have up to 30 days to do so. If this language is kept in it will be used to
> delay–and de facto deny–consumer use of their data for increased choice in
> digital segments of the economy.
> Further, since access to information is included in the same section as
> portability, and they are not explicitly differentiated, you could argue
> data controllers have not just 30 days to honor a portability request, but
> to even tell you what data they hold on you the data subject. This is far
> too long a time to permit for a basic consumer data right. Right now some
> providers offer financial statements to the data subject much faster than
> that–in minutes or seconds–but allowing 30 days could encourage setting
> practices to that standard going forward, reducing consumer access to their
> own data not improving it.
> 2. The allowance of a "reasonable fee" to be charged for a portability
> request could lead to anti-competitive and excessive pricing. "Reasonable"
> is highly subjective, and we have seen Competition Authority already had to
> intervene to stop anti-competitive use of wholesale USSD rates in mobile
> financial services (
> It is highly likely a "reasonable fee" window would be deployed similarly
> where beneficial to firms and require ex-post intervention. The original
> language from the 2018 Bill where this was free of charge seems a much
> better approach.
> Curious to hear others' thoughts or context on this section, and how
> KICTANet could help to fix this section for the final version of the Bill
> so we don't create an anti-innovation and anti-consumer portability regime
> that will be the law of the land.
> Thanks for the chance to share and discuss on this platform,
> Rafe Mazer