The right to privacy is established under Article 31 of the Constitution of Kenya, 2010 which states:
Every person has the right to privacy, which includes the right not to have—

(a) their person, home or property searched;
(b) their possessions seized;
(c) information relating to their family or private affairs unnecessarily required or revealed; or
(d) the privacy of their communications infringed.

Almost a decade after the promulgation of the constitution, life was finally breathed into this Article, especially 31(c) and (d), through the enactment of the Data Protection Act of Kenya. An act passed to provide for regulation of personal data, the rights of data subjects and obligations of data controllers and processors. This set us off on a new path and we since have achieved great milestones in Data protection as a nation. Among the milestones worthy of note are the establishment of the Office of the Data Protection Commissioner in November,2020; the development of several data protection regulations and the commencement of registration of data controllers and processors.
Section 25 of the Data Protection Act provides thus:
Every data controller or data processor shall ensure that personal data is —
a) processed in accordance with the right to privacy of the data subject;
b) processed lawfully, fairly and in a transparent manner in relation to any data subject;
c) collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
d) adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
e) collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
f) accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
g) kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected; and
h) not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.
This section places an obligation on data controllers and processors to ensure that data collection and processing is done in accordance with the set principles of data protection while section 26 stipulates the rights of data subjects as follows:
A data subject has a right —
a) to be informed of the use to which their personal data is to be put;
b) to access their personal data in custody of data controller or data processor;
c) to object to the processing of all or part of their personal data;
d) to correction of false or misleading data; and
e) to deletion of false or misleading data about them.
These are the sections that guarantee data subjects protection from abuse of their right to privacy by data processors and controllers.
To counterbalance these rights, the Act in Section 51(2) spells out circumstances under which processing of personal data is exempted from the Act stating thus:
The processing of personal data is exempt from the provisions of this Act if —
a) it relates to processing of personal data by an individual in the course of a purely personal or household activity;
b) if it is necessary for national security or public interest; or
c) disclosure is required by or under any written law
Clause 63 of the Finance Bill 2024 now seeks to amend Section 51 (2) of the Data Protection Act by exempting from the provisions of the Act processing of personal data where disclosure is necessary for the assessment, enforcement or collection of any tax or duty under a written tax law. The clause states:
Section 51(2) of the Data Protection Act is amended by inserting the following new paragraph immediately after paragraph (b)-
(ba) disclosure is necessary for the assessment, enforcement or collection of any tax or duty under a
written tax law
This essentially grants Kenya Revenue Authority unfettered access and discretion in dealing with sensitive data. Such exemption from the application of the basic principles of data protection would see KRA control and process personal data of any magnitude and to any extent they deem fit without regard to the rights of subjects. They would collect more data than what is necessary for the purpose, process and store it by whatever means and even transfer it without the consent of the subjects. This especially poses a danger in an age where transfer of data between multiple agencies is so common and informs financial profiling.
While the right to privacy is not absolute and the bill doesn’t expressly state that its effect would be to limit the right to privacy as required by Article 24(2) of the constitution, it would definitely violate it if passed as proposed. The constitution not only lays down the pre-requisites for limitation of rights under the Bill of rights but also takes into account the relation between the limitation and its purpose and whether there are less restrictive means to achieve the purpose.
It is evident that this wasn’t considered by the drafters of the Finance Bill as a close reading of the entirety of Section 51 of the Data Protection Act acknowledges exemption from the provisions therein for reasons such as public interest and where disclosure is required under written law. These are both foreseen by Section 51 (2) (b) and (c) and do suffice as exemption for the purpose of KRA carrying out its mandate. By operation of this provision alone, such divulgence of personal data would reasonably be required of data subjects while still adopting the security safeguards envisioned by the Act.
There is need to exercise caution in creating exemptions through written laws as eventually the essence of data protection may be defeated if every state agency will require such exemption to execute its mandate. These exemptions are then prone to abuse that leaves data subjects open to violation of their rights.
It is therefore crucial that Clause 63 be deleted from the proposed Finance Bill to adhere to both international and the set Kenyan standards of data protection and avoid vitiating all the progress we have made towards becoming a data safety haven.

                            MURUGI A. STACY

Leave a Reply

Your email address will not be published. Required fields are marked *