Members of the National Assembly want to tame State agencies from arbitrarily snooping and collecting personal data under the guise of security.
In far reaching amendments to the Data Protection Bill 2019 to protect the liberties of citizens, a House committee has proposed amendments that would require security agencies to get ex-parte orders from the courts before they collect any private and confidential information to curb what they say is flagrant abuse of personal rights.
According to experts, the proposed law if passed, would negatively affect State agencies involved in the fight against terrorism, corruption, money laundering and tax evasion.
Among the agencies likely to be hit hard by the proposed amendment include Kenya Revenue Authority (KRA), Directorate of Criminal Investigations (DCI), Ethics and Anti-Corruption Commission (EACC) and the National Intelligence Service (NIS). Some of the agencies have been snooping on telephone records and conversations, financial transaction in banks and MPesa, National Hospital Insurance Fund (NHIF), Registrar of Persons, Kenya Power (KP) and water companies in what they classify as “persons of interest”.
A data protection expert, Henry Maina, who is also a former regional director of Article 19, says the proposed law would protect Kenyans from some of the unlawful tactics that some of the agencies have been using to extract information from some organisations for their use.
“If passed, the law is going to protect Kenyans from inter-agencies accessing information without seeking consent from the concerned individuals. For example, KRA would no longer extract an individual’s information from Safaricom, NHIF, Kenya Power or water companies without the individual’s consent,” he told People Daily on the phone last evening.
Maina says the law would also criminalise hospitals from sharing someone’s health records such as DNA with any State agency. “The law will create order in the way state agencies, particularly KRA, DCI, EACC, NIS use to get information about individuals,” he added.
In the amendments, the committee on Communication, Information and Innovation seeks to replace the word “order” with “interest” to broaden the definition of public interest to encompass an interest that is of common concern among citizens in the management of local and national affairs.
“That clause 51 of the bill be amended in sub-clause 2 by deleting the word order and substituting with interest,” reads proposal of committee chaired by Marakwet West MP William Kisang.
“Justification is to mandate public bodies seeking to retrieve data necessary for national security and public interest to secure ex-parte orders from the law courts before retrieving such information to safeguard the rights of data subjects against fragrant abuse”.
The committee is also seeking to bar individuals from using persona data for commercial purposes unless the individual has sought and obtained express consent from data subject or is authorised to do so under any written law and the data person has been informed of such when collecting the data.
A March 2017 investigation by Privacy International revealed that the NIS has direct access to Kenya’s telecommunications networks, which allows intercepting both communications data and content.
And DCI boss George Kinoti, who said he was yet to get the proposed bill and go through it, cautioned that such a move was likely to erode the gains made in the fight against corruption and terrorism.
“Caution must be made to ensure that investigative agencies are not gagged so much in the way they collect their information. In any way, criminals will not willingly allow you to go through their data involving financial transactions,” he said. The move by MPs comes after the High Court ruled in May that the case against Deputy Chief Justice Philomena Mwilu, who was facing 13 charges including abuse of office, tax evasion and receiving a loan under false pretenses from Imperial Bank Ltd should not proceed as investigators had illegally accessed her bank accounts.
Justice Helen Omondi ruled that the DCI violated her rights to privacy because the manner in which they obtained the evidence was illegal, adding that this was a misuse of the court order and misrepresentation. Already, Kinoti and the Director of Public Prosecutions Noordin Haji have appealed against the ruling in the Court of Appeal.
The Kisang-led team is also seeking to increase penalties for individuals who release data without consent from two years imprisonment to 10 years imprisonment as well as a fine of Sh3 million. Defending the amendments yesterday, Kisang appealed to his colleagues to adopt the committee recommendations, as they “will go a long way in ensuring that there is civility and order in the management of personal data”.
“The amendments will also change the way the telecommunication industry operates as will curtail them from giving away data without a court orders. Those seeking information must go to court first so that people’s rights are not abused,” he said. According to the committee, the initial proposed two years is too lenient and may not serve the purpose of ensuring the protection of personal data and thus enhancing the sentence would deter persons from committing offenses.
Apart from the penalties, the bill also gives the court powers to impose more sanctions including ordering forfeiture of any equipment used or connected in an way with the commission of an offence as well as ordering the doing of any act to stop continued contravention.