Safeguarding Data Rights in the Information Age

Kenya is undergoing a revolutionary transformation that positively impacts the economy and society. Kenya’s mobile penetration has shot to 133.7 per cent, and the internet is at a usage level of 42 per cent, paving the way for the emergence of innovative digital services such as e-commerce, mobile money and government e-platforms, as noted by the Communications Authority of Kenya. Data is now at the centre of this transformation as it is the most vital resource fuelling the engine of innovation, the fuel behind informed decisions and the raw material for sustained economic growth. However, with progressive digitisation, there are also significant challenges regarding data protection and privacy. This reality calls for urgent dialogue and action to safeguard data rights and reinforce those rights as human rights.

Over the past 10 years, Kenya has emerged as a beacon of digital innovation in Africa. Mobile money services such as M-Pesa, processing over KSh 21 billion in transactions annually, have also transformed the financial space. The growth of e-commerce platforms and the seamless integration of digital technologies into public service delivery demonstrate Kenya’s eagerness to embrace the digital age. These developments have resulted in large amounts of our personal information, from credit card electronic payments to our fingerprints, being harvested and analysed. Meanwhile, innovation and convenience keep flourishing. But with this rapid advancement comes new challenges that we must carefully consider.

The impact of data has taken on new dimensions, expanding beyond the impact of mobile money and e-commerce to shape sectors like agriculture, education, and healthcare. For example, electronic platforms offer farmers instant weather reports and prices at the market, while health technology innovations have improved patient access to critical services. The Huduma Centres and the e-citizen platform are government-led initiatives that harness technology for better public services. Still, these developments are highly dependent on data, which, when mismanaged or abused, risks the rights of individuals and institutions.

The collection, retention, and use of personal data are subject to high scrutiny, especially as privacy violations, unauthorised data sharing, and sensitive data misuse are raising global concerns. Kenya adopted significant legislation in 2019 in the form of the Data Protection Act (DPA), which acknowledged the need for strong and strict data protection. However, problems persist within this paradigm. The Act defines principles for the processing of data, the rights of data subjects, and obligations for data controllers and data processors. The establishment of the Office of the Data Protection Commissioner (ODPC) has played a crucial role in overseeing compliance and accountability in the sector.

Although these advances are notable, many gaps remain. Resource limitations and a lack of public awareness hamper the enforcement of the DPA. An Amnesty International report found that only 67% of the Kenyans surveyed knew about the provisions of the DPA. This lack of awareness enables many citizens to fall prey to exploitation since they aren’t aware of their legal rights. This is made worse because organisations that process personal data are not always fully compliant. Rapid developments in artificial intelligence, biometrics and data analytics highlight the importance of creating regulatory systems that keep pace with technological advances and remain relevant and effective rather than falling behind. For instance, the biometric data collected in the National Integrated Identity Management System (NIIMS) has raised concerns about data security and management as the data collected is extremely sensitive, such as fingerprints and facial recognition.

While these emerging technologies offer convenience and efficiency, they also provide new vulnerabilities that can be exploited if not adequately protected. The increasing volume of data has given rise to a myriad of ways that can cause misuse and security breaches. Cases of data misuse and data breaches have already come to light, proving bad data management. For example, a breach of data held by a large telecom provider in 2019 affected the personal information of millions of users, revealing the risks associated with a lack of data protection. 

To make matters worse, biometric data is increasingly being used for identity verification. Thirty-six million Kenyans are registered users in the country’s National Integrated Information Management System (NIIMS) and have participated in biometric voting processes in the last four elections. While biometric systems improve efficiency and accuracy, there are still questions about how sensitive data is stored and secured, and regulators have limited ability to monitor for compliance effectively.

Loss of privacy can result in identity theft, economic abuse and emotional distress. According to IBM’s cost of data report, highlighting the real-world costs of insufficient safeguards. For corporate organisations, failure to comply with these laws can lead to high penalties, loss of consumer confidence, and damage to the company’s reputation. Weak protections for data rights also undermine public trust in institutions and risk eroding democratic processes through unauthorised surveillance or manipulation of data, which threatens the integrity of our governance systems.

However, public awareness remains a key challenge to effectively enforcing data protection laws. Many Kenyans do not know their rights under the DPA. Lacking the knowledge of their rights, people are susceptible to becoming victims of exploitation, be it invasive data sharing or identity theft. Public awareness campaigns must be conducted widely and made available to a diverse population to combat this. This translates into implementing digital literacy as a part of the curricula in educational institutions to develop a generation that is tech savvy and aware of its data rights. These initiatives will enable people to call for accountability from companies and organisations that process their information, preserving their rights. Emphasis must be placed on educating citizens about data rights and the importance of privacy, how they can report violations, and why decision-makers should care about citizen education in this space.

The capacity of regulatory bodies is another major challenge in promoting strong data protection. The ODPC has made great progress enforcing the Data Protection Act, but it is grossly underfunded and lacks the technical expertise needed to monitor compliance and respond to breaches effectively. The ODPC must be strengthened to protect citizens’ data rights. This can be done through further resourcing, training, and partnerships with global regulators who can provide guidance and best practices. The ODPC also requires more significant funding to have the resources, staff and infrastructure necessary to address an ever-increasing number of complaints and investigations. 

The problem is further compounded by the pace of technological advancement, which is ahead of the regulatory regime. The ODPC should keep pace with developing technologies and risks to data they might introduce and update their oversight practices accordingly. The private sector is also foundational in the protection of data. We must require corporations that collect consumer data, telecom companies, financial institutions, and e-commerce platforms to follow best practices in protecting that data. Thus, companies must review their data protection policies and practices for compliance with the DPA, implement adequate cybersecurity measures to protect personal data and prioritise transparency in processing personal data.

Public and private sector collaboration can obtain stronger data protection standards and higher consumer confidence in how their data is handled. The government must incentivise businesses to do more than the minimum required to protect consumer data, such as through certifications or tax breaks. This way, through the development of public-private partnerships, Kenya will have an ecosystem in which businesses will comply with the law and take action to protect their customers’ data.

Technology can help tackle data protection challenges as well. For instance, encryption protects data when it is transmitted and stored. Privacy-enhancing technologies (PETs) such as differential privacy and secure multi-party computations can help protect much of the personal information while enabling organisations to extract meaningful insights. Moreover, companies must use data minimisation, only collecting the necessary data in their processes. All businesses and institutions must take on privacy-by-design principles, which means that privacy is integrated into the systems and processes of an organisation from the beginning. Investing in secure data solutions research, development, and real-world deployments are other ways governments can help promote these technologies.

Finally, as Kenya embraces emerging technologies like artificial intelligence and blockchain, it must ensure that data protection instruments keep up with technology. With Kenya marching towards a digital future, protecting data rights is about compliance with the law and doing what is right. Strong protections for personal data are critical for delivering justice, encouraging innovation, and instiling confidence in a digital society. It will take a concerted effort from the government, businesses, and citizens to fill in the cracks of Kenya’s data protection framework.

Kenya deserves a digital economy that respects human rights and promotes inclusivity, which is only possible with privacy and accountability front and centre. Data rights protection is key to sustaining a credible digital ecosystem in Kenya. Safeguarding privacy is a collective effort between the government, regulatory bodies, businesses, and individuals, all contributing to ensuring data protection and respect for privacy. These strategies equip Kenya to mitigate the risks emerging technologies create by addressing legal voids, enhancing public literacy, expanding regulatory capacity, and cultivating private sector accountability, which will help guarantee an equitable, inclusive, and rights-respecting digital future for the country.