KICTANet produced the Memorandum on policy regulatory framework for privacy
and data protection submitted to the task force on Privacy and Data
Check on the submission section here:
When you look at the reporting issue as a business entity, is 30 days good
enough? When creating laws, we must be able to balance interests of
different stakeholders. How many extra resources would a company need to
produce reports in a week? Two weeks? A month? Probably 30 days is a
On Fri, Jul 5, 2019, 18:39 Rafe Mazer via kictanet <
> Also like the point on leaving flexibility in the Law not saying 30 days
> across the entire economy.
> Rafe Mazer
> Consumer Protection and Behavioral Research Consultant
> Nairobi, Kenya
> +254 723950645
> On 5 Jul 2019, at 11:23 AM, Liz Orembo <firstname.lastname@example.org> wrote:
> Thank you for starting this discussion Rafe,
> I agree 30 days to honor consumer data request could be too long compared
> to Access to Information Act that gives 21 days. Perhaps we should leave it
> for the data protection authorities to set guidelines for different
> industries and probably encourage automated retrieval of personal data by
> the end users.
> I am also of the view that data portability cannot be free of charge in
> all circumstances. I get the point that the term \’reasonable\’ may be
> subject to abuse (perfect demonstration is in the presidential elections
> petition), but there is also a cost element to collecting data. Why would a
> company want to transfer it for free to another company? Of course would
> love to hear others opinion on this.
> On Fri, Jul 5, 2019 at 5:40 PM Rafe Mazer via kictanet <
> email@example.com> wrote:
>> Hi KICTA Net members. I\’m Rafe Mazer, a consumer protection in digital
>> financial services specialist working in Kenya the past 5 years (and
>> globally on this toic for 10+ years.)
>> I just saw the new Data Protection Bill within the National Assembly (
>> and wanted to raise a discussion internally about Section 38 on Data
>> Portability to see if KICTA Net may want to engage further on the topic.
>> Specifically there are two aspects that were concerning:
>> 1. The allowance for 30 days to honor a data subject\’s request for
>> information held on them.
>> In a digital economy, this is an excessively long period, and also quite
>> a blunt instrument to apply across the entire economy, where health records
>> are different from government records are different from financial records,
>> etc. This would also kill the utility of portability in spaces like
>> FinTech. Imagine I want to use my economic history with data controllers to
>> get competing mobile loan offers. It could take up to 30 days to share that
>> information, which is not aligned with the near-instant nature of these
>> products and consumers\’ expectations on timing. Already the Bill rightly
>> notes portability should only apply where \”technically feasible\” to exempt
>> low-tech industries or providers, so there is no sense is saying that those
>> who are deemed to be able to comply technically with portability should
>> have up to 30 days to do so. If this language is kept in it will be used to
>> delay–and defacto deny–consumer use of their data for increased choice in
>> digital segments of the economy.
>> Further, since access to information is included in the same section as
>> portability, and they are not explicitly differentiated, you could argue
>> data controllers have not just 30 days to honor a portability request, but
>> to even tell you what data they hold on you the data subject. This is far
>> too long a time to permit for a basic consumer data right. Right now some
>> providers offer financial statements to the data subject much faster than
>> that–in minutes or seconds–but allowing 30 days could encourage setting
>> practices to that standard going forward, reducing consumer access to their
>> own data not improving it.
>> 2. The allowance of a \”reasonable fee\” to be charged for a portability
>> request could lead to anti-competitive and excessive pricing. \”Reasonable\”
>> is highly subjective, and we have seen Competition Authority already had to
>> intervene to stop anti-competitive use of wholesale USSD rates in mobile
>> financial services (
>> It is highly likely a \”reasonable fee\” window would be deployed similarly
>> where beneficial to firms and require ex-post intervention. The original
>> language from the 2018 Bill where this was free of charge seems a much
>> better approach.
>> Curious to hear others\’ thoughts or context on this section, and how
>> KICTANet could help to fix this section for the final version of the Bill
>> so we don\’t create an anti-innovation and anti-consumer portability regime
>> that will be the law of the land.
>> Thanks for the chance to share and discuss on this platform,
>> Rafe Mazer
>> kictanet mailing list
>> Twitter: http://twitter.com/kictanet
>> Facebook: www.facebook.com/KICTANet/
>> Unsubscribe or change your options at
>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
>> for people and institutions interested and involved in ICT policy and
>> regulation. The network aims to act as a catalyst for reform in the ICT
>> sector in support of the national aim of ICT enabled growth and development.
>> KICTANetiquette : Adhere to the same standards of acceptable behaviors
>> online that you follow in real life: respect people\’s times and bandwidth,
>> share knowledge, don\’t flame or abuse or personalize, respect privacy, do
>> not spam, do not market your wares or qualifications.
> Best regards.
> PGP ID: 0x1F3488BF
> kictanet mailing list
> Twitter: http://twitter.com/kictanet
> Facebook: www.facebook.com/KICTANet/
> Unsubscribe or change your options at
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people\’s times and bandwidth,
> share knowledge, don\’t flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
kictanet mailing list