Data Mining: What are your rights?

Cambridge Analytica, a United Kingdom based data analysis firm, was involved in a scandal that came to light in March 2018, exposing the manner in which our personal data is used against us. This company, using data mining tactics, was able to target specific groups of people with “fake news” and scare mongering tactics that were sometimes tantamount to hate speech. It is difficult to measure the extent to which the tactics used by the firm actually influenced the choice for voters, particularly in Kenya where voting during elections has primarily been tribal based.

The actions of Cambridge Analytica have raised questions of how often our data is sold to companies without our knowledge and the legality of the same. In Kenya, there are few limits to the kind and amount of data that companies can sell. Some social media accounts and online data websites have user agreements where users must consent to the use and sale of their personal data in order to use the site. All actions that you do using the Internet can be tracked and the data sold with minimal, if any legal repercussions. This is changing as more countries strengthen their data protection laws

The right to privacy is enshrined in Article 31 of the Kenyan Constitution. This article protects your right not to have information relating to your family or private affairs unnecessarily required or revealed, or the privacy of your communications infringed. This right with regard to data protection remains to be properly applied as Kenya does not have any specific law that governs data protection and its specifics. Moreover, the same does not seem to be an immediate priority for the Government as we have had the Data Protection Bill of 2018, which has not been passed into law.

Data Protection in Kenya is fairly limited as the Kenya Information and Communications Act 2009, only criminalises the interception of data that is done knowingly and unlawfully. This means that in order for a person to be convicted of an offence under the Act, the prosecution would have to prove that the unlawful interception of data was done knowingly. The 2010 regulations expanded the scope of the Act by also criminalising the unlawful monitoring, interception and disclosure of data transmitted through licensed systems. The 2010 Regulations for the Act also outlaw the monitoring, interception and disclosure of data transmitted through licensed systems.

Further, the newly enacted Computer Misuse and Cyber Crimes Act, 2018 has enhanced the provisions of the above mentioned act by providing serious fines and potential imprisonment for the unlawful interception of data, particularly data that is sensitive in nature and data that was unlawfully procured from a secure system.

It is worth noting that majority of the large scale abusers of personal data are foreign social media companies and search engines. Any legislation enacted would therefore be difficult and expensive to enforce. Moreover due to financial disparities, any fine imposed by Kenyan Courts is unlikely to have a material effect on such companies. Therefore, any protection the above bills would afford the public would be minimal at best.

There has been a global move towards the protection of data including a massive effort by the European Union which enacted the Global Data Protection Rules (GDPR) which came into force earlier this year. The GDPR applies to all persons that deal in the personal data of residents of the European Union.

While the GDPR’s regulations may be unenforceable in many jurisdictions due to cost and unfavourable laws governing the enforcement of foreign judgements, the free market economy may force its imposition. European companies or companies with a large database of European clients are more likely to opt to carry out business with compliant companies thus forcing companies with a global reach to comply or face extinction. Popular sites such as Uber, Facebook, Twitter and Pinterest already altered their privacy policies in order to comply with the GDPR, and issued notices informing the public of those changes.

This move, though targeted toward the protection of data of the European Union residents, shall also lead to increased global data protection as it is unlikely that the major players would enact protections as envisaged under the GDPR but limit the same to only residents of the European Union due to the global nature of business in the post-internet world. In light of the GDPR and the data sharing scandals, most countries are revamping their data protection laws. The congress hearing of the Facebook CEO shows that governments are no longer willing to ignore the uncensored sale of individuals’ data.

Kenya, as a leading player in the African market, should not be left behind.

As we await government intervention, we should use social media carefully in order to protect our data. Everyone should take care to read user agreements to determine what we have signed up for, hold off on giving consent for the service providers to use personal data as they see fit, use “strong” passwords, and share less personal information online.