The more people get connected via the Internet, the more businesses leverage the power of the Internet to reach consumers, and governments, NGOs, companies, and individuals acquire data capturing and data processing technologies, the more privacy becomes illusionary. This is despite the fact that privacy has been identified as a fundamental human right. Privacy International puts it this way, “Privacy is a fundamental right, essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built.” It is the recognition of this that the government of Kenya moved to support the United Nations Guiding Principles on Business and Human Rights by coming up with a National Action Plan for the implementation of UNGP.
Last week I highlighted the importance of the National Action Plan, provided a brief history of its conception, development, and stalemate. Today I want to demonstrate why it is even more important to accelerate the National Action Plan in the light of the continual awareness of privacy breaches by businesses in the country, despite the enactment of the Data Protection Act that was signed into Law on November 8, 2019.
A tweet by Angela Oduor Lungati brought the discussion of personal privacy amidst technological adoption by businesses and the government into the limelight, when she tweeted that “One Africa place on Waiyaki Way is using facial recognition to grant people exit from their building. No prior warning, no opting out, no indication of how they handle that data after you’re gone”.
One Africa place on Waiyaki Way is using facial recognition to grant people exit from their building. No prior warning, no opting out, no indication of how they handle that data after you’re gone ??
— Angela Oduor Lungati (@AngieNicoleOD) February 23, 2020
The scenario described by Angela is not the only breach to privacy that is currently ongoing. A recent article by The Standard revealed how convoluted terms of conditions by Fintech companies offering mobile loans is allowing those companies to breach privacy at will. An issue highlighted by the article is how the Fintech companies including Branch, Tala, Okash and many other send messages to friends and families when someone has defaulted on a loan. Lastly a privacy breach that’s common with businesses is sending unsolicited messages – where without someone’s consent they collect phone numbers and distribute promotional messages to those numbers. A case in point is when a friend took his car for car-wash that belongs to a club. Once the club collected his phone number, they couldn’t stop bombarding him with promotional messages on events that were hosted by the club.
These breaches mostly happen because both the businesses and the consumers do not know that data privacy is part of personal privacy that needs to be protected, and that protecting such privacy is part of their human rights obligations. Actually, both businesses and individuals ought to be aware of the provisions of the Data Protection Law which prohibits acquisition and processing of personal data without direct explicit consent of the data owner. According to an analysis done by Bowmans, “Consent’ to the processing of personal data by the data subject must be an express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action.”
To create public awareness to facts such as privacy is a basic human right, and that data privacy is part of personal privacy that needs protecting, the United Nations came up with the Guidelines for Businesses and Human Rights in 2011 that offers 31 Principles that if implemented, Governments and Businesses will uphold Human Rights; guidelines that Kenya agreed with and started working towards by drafting the National Action Plan. Sadly, Kenya stopped following up on the National Action Plan in 2016 immediately the first draft was prepared by the Attorney General.
As the issues surrounding data privacy continue to become a growing concern amongst Kenyans, it is very important for the Attorney General to pick up on the National Action Plan so that the country can have the legal framework for implementing the Guidelines for Businesses and Humans Rights, such that those whose privacy shall be breached by businesses going forward can have strong foundation for having their concerns addressed amicably.