Day 8: Policy and Regulatory Framework on Privacy and Data Protection- Key issues

Dear listers,
During the discussion on the draft data protection policy and bill, a
summary of issues includes:

– Listers recommended that the policy be expanded to look not only into
data privacy but also issues to enable a privacy respecting data economy
such as skills gap, standards, public funded data, data centers etc.
– L
isters appreciated the principles for data protection as provided for in
the bill and called for ways of translating them into privacy promoting
practices within the data economy. For example, there was advocacy for
inculcation of data minimisation.
– Concerns were raised that if proper mechanisms were not put in place,
there was a risk of small data holders such as MSMEs not being able to
comply and the bill being a risk to innovation and growth.
– Data subject rights as provided for in the bill were viewed as
progressive. While there was debate on whether the right to be forgotten
should be absolute, listers recommended for this right with regard to
research data as well as data about children.
– While discussing data processors and controllers, listers debated on
data sovereignty and data residency and gave input on how Kenya could be
better facilitative of a local data economy. Listers also mused on
decisions made through automated means and how developments in artificial
intelligence impacted on personal privacy.
– On offences, some listers thought that they were not reflective of
data economy activities and that while they may be punitive to small
players, they were lenient for larger ones. Hence they recommended
graduated penalties. Listers also recommended for civil remedies to injured
persons under this law. Further, areas that did not have specified
penalties, for example not notifying a data subject in case of a breach,
were flagged out.
– The proposed institutional framework- office of the DPC came with
concerns on financing the office, powers of the DPC as well as independence
of the office.
– Finally, on exemptions, there was a recommendation for more
specificity to avoid eating into privacy of data subjects.

We shall translate these points, together with those shared during the face
to face forum at Strathmore University into submissions to the Task Force.
We appreciate all those who gave input, asked questions and followed the
discussion to learn.
Please point out other areas we may have missed in this summary and ask
your questions- At least two members of the Task Force are here to attend
to you.