In this section, you can access the different parts of our guide for policy engagement on data protection “The Keys to Data Protection”. The guide is intended to help organisations and individuals improve their understanding of data protection, by providing a framework to analyse the various provisions which are commonly presented in a data protection law.
The guide was developed from Privacy International’s experience and expertise on international principles and standards applicable to the protection of privacy and personal data, and our leadership and research on modern technologies and data processing.
Part 1 introduces data protection: what it is, how it works and why it is essential for the exercise of the right to privacy.
While data protection laws vary from country to country, there are some commonalities and minimum requirements, underpinned by data protection principles and standards which tend to be reflected in the structure and content of relevant legislation. Each part of the report presents these, including:
Part 8 provides some additional resources on data protection, and outlines opportunities for organisations to engage on data protection.
Much of our engagement on data protection for the last decade has been undertaken through our work with our partners in the Privacy International Network. We would like to take the opportunity to acknowledge their incredible efforts to promote and advocate for the adoption of data protection laws across the world.
Please reach out to Privacy International by email if you have any feedback on the guide: firstname.lastname@example.org
The State of Privacy in Kenya is the result of an ongoing collaboration by Privacy International and the National Coalition of Human Rights Defenders – Kenya.
Key Privacy Facts
1. Constitutional privacy protections: Article 31 of the Kenyan Constitution specifically protects the right to privacy.
2. Data protection law: Kenya does not currently have specific data protection legislation. However, a Data Protection bill was tabled in Parliament in 2015.
3. Data protection agency: Kenya does not have a specific data protection authority.
4. Recent scandals: Kenyan and international civil society groups report high levels of extrajudicial surveillance.
5. ID regime: The Integrated Population Registration System (IPRS) collects data from a dozen databases held by various government agencies.
Article 31 of the Constitution specifically protects the right to privacy. It states:
“Every person has the right to privacy, which includes the right not to have—
(a) their person, home or property searched;
(b) their possessions seized;
(c) information relating to their family or private affairs unnecessarily required or revealed; or
(d) the privacy of their communications infringed.”
Furthermore, Article 2 states that Kenya’s international obligations, such as its commitment to the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, which include privacy rights, are part of Kenyan domestic law. It states:
“(5) The general rules of international law shall form part of the law of Kenya.
(6) Any treaty or convention ratified by Kenya shall form part of the law of Kenya under this Constitution.”
Kenya is a signatory to or has ratified a number of international conventions with privacy implications, including:
The Communications Authority of Kenya (CA) regulates the telecommunications industry and collects statistics on the sector. Mobile penetration was recorded at 86.2% in March 2017, with 39.1 million mobile subscriptions. There were an estimated 40.59 million internet users in Kenya in March 2017, representing an internet penetration rate of 89.4% according to the CA.
Social media is widely used in Kenya. Kenya is reported to have over 5 million active daily Facebook users, and 693,000 confirmed active users on Twitter, according to a study by Ogilvy, an advertising and public relations firm.
The Kenya Information and Communications Act (2009) penalises the unlawful interception of communications by service providers. Article 31 states:
“A licensed telecommunication operator who otherwise than in the course of his business—
(a) intercepts a message sent through a licensed telecommunication system; or
(b) discloses to any person the contents of a message intercepted under paragraph ; or
(c) discloses to any person the contents of any statement or account specifying the telecommunication services provided by means of that statement or account, commits an offence and shall be liable on conviction to a fine not exceeding three hundred thousand shillings or, to imprisonment for a term not exceeding three years, or to both.”
Article 83 states:
“(1) Subject to subsection (3), any person who by any means knowingly:—
(a) secures access to any computer system for the purpose of obtaining, directly or indirectly, any computer service;
(b) intercepts or causes to be intercepted, directly or indirectly, any function of, or any data within a computer system, shall commit an offence.”
Article 93 (1) states:
“No information with respect to any particular business which—
(a) has been obtained under or by virtue of the provisions of this Act; and
(b) relates to the private affairs of any individual or to any particular business,
shall, during the lifetime of that individual or so long as that business continues to be carried on be disclosed by the Commission or by any other person without the consent of that individual or the person for the time being carrying on that business.”
Read the full report here: https://privacyinternational.org/node/1005
Inside Communications Surveillance and Counterterrorism in Kenya
Executive Summary
This investigation focuses on the techniques, tools and culture of Kenyan police and intelligence agencies’ communications surveillance practices. It focuses primarily on the use of surveillance for counterterrorism operations. It contrasts the fiction and reality of how communications content and data is intercepted and how communications data is fed into the cycle of arrests, torture and disappearances.
Communications surveillance is being carried out by Kenyan state actors, essentially without oversight, outside of the procedures required by Kenyan laws. Intercepted communications content and data are used to facilitate gross human rights abuses, to spy on, profile, locate, track – and ultimately arrest, torture, kill or disappear suspects, as this report documents. The Kenyan constitution guarantees freedom from torture, cruel, inhuman and degrading treatment and the right to a fair trial as fundamental rights.
These abuses have marred Kenya’s counterterrorism operations and further eroded Kenyans’ already weak trust in the agencies responsible for protecting them. This investigation also explores the potential impact of unaccountable communications surveillance on the upcoming 2017 election cycle.
The National Intelligence Service (NIS) regularly shares information with police agencies, some of whom have been engaged in gross human rights abuses, according to multiple independent media, civil society and Kenya National Commission on Human Rights (KNCHR) investigations. The NIS appears to have direct access to communication networks across Kenya. This direct access means that the network operator itself has little to no knowledge of the interception of communications occurring on its network, and therefore no real ability to check these powers or report potentially abusive use of communications surveillance powers. The role of the Communications Authority in facilitating direct access in Kenya requires more scrutiny. All responses to Privacy International’s requests for comment are included in the text.
Particularly in an election year, there is a pressing need to begin to reform the practice of communications surveillance, preventing a future threat of greater abuse.
Read the whole report here: http://nchrdk.org/wp-content/uploads/2018/03/Track-Capture-Kill-Kenya.pdf