The Kenya Office of the Data Protection Commissioner (ODPC) has reportedly been working diligently over the past two years. One of its mandates was to regulate the online lending platform, which was characterized by flagrant personal abuses. However, what is stopping it from reaching its full potential?

The Kenya Office of The Data Protection Commissioner (ODPC) was instituted over two years ago. It was established under the Data Protection Act (DPA) 2019, which was signed by former Kenyan president, Uhuru Kenyatta. The law was designed to protect the personal data of Kenyan citizens and residents. It sets out several requirements for organisations that collect, process, or store personal data, including obtaining consent from individuals before collecting their data, keeping the data secure, and only using the data for the purposes for which it was collected. 

The ODPC began executing its functions in 2020, but did not collaborate with the media to clarify its mandate. Local media typically holds substantial power in creating awareness as it reaches a vast population directly. The ODPC rectified its oversight today, when it met with the media and other stakeholders such as the Media Council of Kenya.

Speaking at the engagement, Immaculate Kassait, the Kenya Data Commissioner stated, “It is also good for us as it allows us continued engagement on the Act while breaking any communications barriers on future engagements. It also presents an opportunity for feedback which will go a long way in improving how we operate as envisioned in the Data Protection Act.” 

Media participation is indispensable when it comes to sensitising the public about data protection. As such, the ODPC now aims to further educate and actively involve the media in understanding the Data Protection Act, the office’s mandate, regulations, and significant accomplishments.

Data processors and controllers

Several  issues came up during the session between the ODPC and the Kenyan media. One issue raised spoke to the fact that many organisations are not registered as data controllers or data processors. Data controllers typically determine the purposes and means of processing personal data, while data processors process personal data on behalf of the data controller. Registering as data processors and controllers ensures that organisations comply with data protection regulations and maintain the privacy and security of personal data they handle. So far, the ODPC has only registered a little over 2200 data processors and controllers.

At the meeting, the ODPC revealed that media companies will need to register as data processors and controllers in the coming days. This is necessary because media companies process and control data to understand their audience, deliver personalised content, and optimise advertising. These organisations also collect and analyse various data types such as demographics and browsing behaviour to make informed decisions and meet industry standards.

Kenya media companies may be asked to register as data processors and controllers in the coming days.

Loan apps continue to pose a menace

At the meeting, the Office remarked that it is undecided on how much to fine companies that abuse personal data. By law, guilty organisations can be fined up to KES 5 million ($364,000), which is not punishing enough for organisations that return massive profits according to the media. However, the Data Commissioner mentioned that this could change in the future. 

An unregulated online lending landscape gave loan apps free rein to harass Kenyans for years. In fact, it can be argued that lack of legislation was what motivated the signing of the Data Protection Bill, 2019. Prior to the signing of the Bill, online lenders could offer loans to locals and charge arbitrary interest rates. These loan apps capitalised on Kenyans’ appetite for loans, lowering the entry barrier and providing collateral-free loans so that anyone with a mobile money account and a smartphone could apply. 

However, these online lenders began to blatantly abuse the personal data they collected, using shaming and predatory tactics to compel defaulting borrowers to pay. 

Following the institution of the DPA, strides have been made towards regulating the industry. 32 loan apps out of hundreds have been licensed to run their operations in the country. Licensed apps must comply with set criteria such as implementing security measures to protect user data, having a physical office, and not usingunderhanded tactics when recovering their loans.

Data abuse cases are reported poorly

According to the Data Commissioner, the Office has received a total of 2,675 complaints, 857 of which have been acknowledged. These complaints are essential because they show that Kenyans are still wary of their online safety and have a platform where they can report abuse. The ODPC attributed the low number of acknowledged cases to several reasons, including the submission of anonymous or duplicate complaints or complaints outside the Office’s jurisdiction, the filing of unauthorised complaints on the behalf of others, and complaints from individuals evading contractual obligations. According to the ODPC, such actions undermine the credibility and effectiveness of the complaint system. 

“The ODPC only admits complaints where the potential data breach is against oneself or where instructions are provided for one to be represented by a third party,” added the Data Commissioner.

Kenya to host the 2024 NADPA General Assembly

Lastly, Kenya has won the bid to host the 2024 NADPA General Assembly, as announced during the 6th Annual General Meeting held in Burkina Faso on May 11, 2023. NADPA is a network of African privacy and data protection authorities aimed at facilitating exchanges and cooperation among its members.

Kenya has been elected as the 1st Vice Chair to the NADPA board, while Madam Samody Tchimouden Hadatam from Niger Data Protection Authority has been elected as the Chair.

Kenn Abuya Senior Reporter

Get the best African tech newsletters in your inbox