Do the following scenarios ring a bell?

1. You walk into an establishment, you purchase goods or services through MPesa, a few hours or days later, the establishment in bombarding you with unsolicited promotional texts…

2. You sign in at the security desk while entering a building, you give your ID number and cell phone number, not so long after, the security officer at the desk is texting or calling you…

3. You hail a taxi using one of those mobile apps, you take your ride, pay and disappear into your errands, moments later the taxi driver is texting or calling you….

4. You hear that a company by the name Cambridge Analytica mined and sold your data for political purposes…

5. You constantly receive texts from your local politician. As far as you may recall, you have never ever shared your contacts with said politician but somehow they have your contacts and they know that you live or work in their electoral area…

6. You search the internet for your favourite sports team or make up or car or holiday destination and suddenly you are being bombarded with adverts on what you were searching…

7. You get unsolicited calls from an insurance company you have never interacted with, they are selling you insurance policies…

8. You have heard anecdotal evidence that state departments are selling data to private corporations for commercial purposes…

I could cite many more scenarios where our privacy is being intruded, our data is being used for purposes we did not intend or we out rightly feel stalked by persons or establishments. Data on our age, sex, profession, religion, political persuasion, level of education etc. is out there being used without our knowledge or consent.  Big data is said to be the new oil, trading in data and information is the golden goose.

But, are we as Kenyans triggered by the way our data is collected, collated, analysed, stored or traded without our knowledge or consent? Do we care that our personal data is being used for commercial, social or political purposes? Do we pay attention to instances where we willingly wish our data away?

For years we have had proposed draft Data Protection Bills floated and discussed, these however, have never progressed to the stage of being passed into law. There are many theories as to why having concrete data protection laws in Kenya always hits a snag. One of the theories is that data merchants are out to protect their turf, strong data protection laws would in effect kill many data trading initiatives. Secondly, many institutions do not want the hustle of having to seek consent from data owners in order to collect, collate, analyse, store or deal with data. However, the Senate ICT Committee recently published the ‘Data Protection Bill, 2018’. So all is not really lost.

In my view, we need strong and practical data protection regulation. Data on the other hand ought to be treated like personal property that may not be wished away or appropriated without express consent. The Constitution though, does not provide for a right to data protection. Nonetheless, Article 31 of the Constitution provides for the right to privacy. The Article states –

Every person has the right to privacy, which includes the right not to have—

– their person, home or property searched;

– their possessions seized;

– information relating to their family or private affairs unnecessarily required or revealed; or

– the privacy of their communications infringed.

Of note is that the above does not deal with today’s practical woes on data protection especially in a digital economy that transcends borders. Hence, the need to have some concrete and targeted data protection laws.

In my view there are five key issues such a law should provide for to protect the individual data owner:

1. Data should be dealt with like personal property and only the data owner should have exclusive say on how such property is handled;

2. Data collection, collation, processing, storage or trading should only be done with express consent of data owners;

3. Data owners should have the exclusive right to their data being corrected or deleted;

4. Data owners should have the right to access to their data; and

5. Data owners should have access to administrative and legal redress where they complaints regarding the above.

The question that remains is – ‘How much do you care about your data?’