Data Privacy in An Electioneering Period

On 28^th January 2022, the world celebrated the World Data Privacy Day. The day seeks to raise awareness on and promote privacy and data protection best practices. Since the publication of the General Data Protection Regulation (GDPR) by the EU in 2016 and its subsequent implementation in 2018, many countries across the world have also put in place laws and regulations to promote data privacy and protection. Kenya has also not been left behind.

The legal underpinning for the right to privacy is housed under Article 31 of the Constitution of Kenya 2010 which provides for the right to privacy and specifically, the right not to have information relating to their family or private affairs unnecessarily required or revealed. In 2019, Kenya’s National Assembly enacted the Data Protection Act whose purpose is to make provision for the regulation of the processing of personal data and to provide for the rights of data subjects and obligations of data controllers and processors, all implemented by the Office of the Data Commissioner.

Mzalendo Trust’s report on Kenya’s digital landscape published in 2020 indicated that only 34.2% of those surveyed were very familiar with the provisions of the Data Protection Act. Hopefully this number has gone up since the establishment of the Office of the Data Protection Commissioner (ODPC). However, with the nearing elections, concerns have risen over the use of personal data particularly during the campaign period.

In the recent past, Kenyans have expressed outrage after finding themselves involuntarily registered into political parties through the eCitizen platform. While it was commendable that the ORPP (following intervention by the ODPC) moved with alacrity to provide an ‘opt out’ option addressing the issue, more questions are raised as to the place and role of data protection during the electoral period. In the 2017 General Elections, reports showed that there was involvement by Cambridge Analytica, leading to the spread of fake news and misinformation. Further, many Kenyans have also complained about receiving unwanted campaign messages from aspirants.

Data is central in every election, and with the uptake of social media to undertake digital campaigns, its importance is further heightened. Here, personal data is in reference to any information relating to an identified or identifiable natural person e.g. full name, identity card number, date of birth, gender, physical and postal address. This data is contained in many Government registries such as the Birth & Death registries, the National Social Security Fund and the National Hospital Insurance Fund. During elections, the IEBC voter registry and the ORPP membership lists are critical.

Data exploitation during the election cycle risks undermining fundamental democratic processes. Where large amounts of data are unlawfully and irregularly obtained, Kenyans are profiled based on their inferred political views and preferences, and thereafter receive targeted news and political messages designed to manipulate their views. Coupled with an electoral landscape filled with misinformation, disinformation and hate speech, the matters are worse. It raises serious queries as it brings about some of ‘democracy engineering.’

Various agencies have taken steps to address this. Under Sections 23 and 25 of the Kenya Information and Communication Act, the Communications Authority is mandated to protect the interests of all users of telecommunications services in Kenya with respect to tariffs, quality of service and availability of diverse products and services among others. In that regard, the Communications Authority of Kenya in collaboration with National Cohesion and Integration Commission (NCIC) developed guidelines  in July 2017 to regulate and prevent the transmission of undesirable political content via SMS and social media platforms. The Office of the Data Protection Commissioner has also developed a Guidance Note on Processing Personal Data for Electoral Purposes that seeks to assist data controllers and data processers dealing with voters personal data, including sensitive personal data, members of political parties personal data to understand their obligations under the Data Protection Act, 2019. While not a binding document, it provides much needed guidance to the sector.

What then is the way forward? First, the Regulations (before Parliament) need to be passed to enable the Data Commissioner to operationalize the Act. This will ensure that data controllers are more careful with personal data and promote purpose limitation. Secondly, a multi-agency collaborative approach towards the protection of personal data during the electoral period would fast-track addressing of complaints and reports sent in by Kenyans. Thirdly, public awareness on the rights of data subjects and on the obligations of data controllers needs to be intensified. Further, there needs to be an independent, proactive and comprehensive data audit of the data held by IEBC to ensure that all its systems are safe. After all, technology should reinforce trust in elections, not undermine them.

Posted by Loise Mwakamba on Feb. 2, 2022

Categories:  No tags