The life of a Kenyan in 2021 is a great data mining game. Personal information is shared in the course of financial transactions for electronic commerce and telephone deliveries which have now become the norm due to the influx of motorcycles.
The result of this data mining game is the many complaints, mainly on social media, from people about the unsolicited marketing messages they receive.
These complaints generally describe how a person’s personal information was used for direct marketing after they paid for the service or goods using mobile money.
Other complaints concern the question of how the companies that market their products got the recipient’s contacts.
The genesis of these complaints are rogue companies and content service providers that refuse to follow the law and use unorthodox methods to obtain personal information from individuals.
Courtesy of counterterrorism security laws, such as the Private Security Regulation Act of 2016, the guards who man the buildings have the power to search and temporarily retain identification documents.
While this law limits your use of information for security purposes, there is no requirement for systems within private security companies that ensure compliance with data protection principles.
Due to the Covid-19 pandemic, the Ministry of Health ordered the introduction of passenger manifests for public service vehicles traveling beyond 50 kilometers and attendance records for places of worship.
All of these laws add to situations where Kenyans have to share their personal information for legitimate purposes, but the information is misused.
The Constitution and the Data Protection Law provide adequate solutions to this threat, but the problem appears to be more complex for two reasons.
First, the ignorance of the citizens and second, the impunity of the entities that process personal information.
A 2019 study conducted by Ipsos on behalf of the Center for International Governance Innovation (CIGI) found that only 44 percent of Kenyans are concerned about their privacy online.
In 2021, an opinion poll commissioned jointly by Amnesty International Kenya and the Open Institute conducted by Infotrak and Research Consulting Limited found that only 54 percent of Kenyans are aware of their right to privacy.
The right to privacy ranked 15th in the order of issues that Kenyans are aware of, while 70 percent were still unaware of the Data Protection Act.
With such a large population that they are unaware of their rights under the law, rogue companies continue to act with impunity in the confidence that they may not be reported to the newly created Office of the Data Protection Commissioner.
Regarding direct marketing, the Data Protection Law establishes that personal data will not be used for commercial purposes unless the express consent of the recipient has been requested and obtained.
The Law also describes consent as any manifestation of express, unequivocal, free, specific and informed indication of the significant agreement of a person with the processing of their personal data.
Recently, the Data Protection Commissioner and the Cabinet Secretary of the Ministry of ICT, Innovation and Youth Affairs established the Working Group on the Development of the Data Protection Regulation.
Opt-out versus opt-in
The working group produced a draft General Regulation which states that an entity may use personal data of a person for direct marketing purposes only if it has collected the personal data of the person, has notified the purpose of the collection and the person has consented to the use.
The company will also need to provide a simple opt-out mechanism.
Many companies justify unsolicited messages by arguing that they have provided an opt-out mechanism, but Kenyan law actually requires an individual to choose to participate.
This is a different approach than in Europe, where the Electronic Privacy Directive allows a limited exemption from the strict acceptance requirement for direct email marketing to individuals whose data was obtained by the company “in the context of the sale of a product or service”. However, this exemption limits direct marketing to similar products or services only.
Since it seems that people’s personal information is everywhere and its collection will not stop anytime soon, the best that can be done to remedy the situation is to create a culture of adherence to data protection laws, especially through limitation of purpose.
Businesses must learn to use personal information for the sole reason that they acquired it. If acquired in the course of a mobile money payment transaction, the information should not be used for marketing purposes unless the person has expressly opted in and consented to direct marketing.
The Office of the Data Protection Commissioner, on the other hand, must work on raising public awareness.
This will allow more people to report data protection breaches, eventually leading them to issue penalty notices to companies that do not follow the direct marketing option as required by law.
The writer is a privacy practitioner and advocate for the High Court of Kenya.