Developing Data? (https://developingdata.org)

Engendering Women’s Data Use, Privacy, and Protection in Africa (by Olayinka Adeniyi)
https://developingdata.org/engendering-womens-data-use-privacy-and-protection-in-africa-by-olayinka-adeniyi/
Wed, 21 Jul 2021 10:49:42 +0000

Globally, social network and messaging apps have not only become part of human life but also a platform for information sharing and transfer. The information or objects transferred over these platforms include those of a personal nature, detailed or otherwise. Personal data is any information relating to an identified or identifiable living individual. Data protection laws regulate information and privacy matters, including exchange and transfer. These laws set or guide the structuring of sharing and transfer frameworks for all data, including data of a personal nature, providing the necessary components such as how, when, and under what circumstances. In Africa, the legal frameworks on data protection and privacy are nascent, but the discourse on their inclusiveness cannot be postponed.

Inclusiveness is the practice of embracing every class of people in society irrespective of race, gender, disability or other characteristics, especially those who might otherwise have been marginalized. Gender inclusion therefore entails provision for all genders without discrimination against a particular sex, whether male or female. In the discourse on data privacy protection, the fact that legal frameworks mostly refer to men is gender exclusion; gender inclusion will mean including women in the provisions for protection and privacy in the same way as men.

The digital gender divide brought about speculation that men used technology more than women. Notably, research reveals that as of 2005 women were catching up with men in the use of the internet. Women surpass men in the number of apps used, depending on the purpose, including in the areas of health and medicine. The commercial growth rate for women’s participation in these online activities is greater than that for men.

Kenya’s internet use by both genders is the same and stands at 29.7, while women’s use of mobile phones is higher, standing at 92.7 compared to men at 90.0. WhatsApp and Facebook dominate the social apps used by Kenyans across all ages. By gender, Kenyan men are more active in the use of Telegram (66.1%), LinkedIn (62.1%), and Skype (61.6%), while women are most active on Snapchat (61.9%), TikTok (53.6%) and Pinterest (50%). Money transfer has increased the usage of mobile phones due to its convenience, especially during the pandemic after the introduction of government restrictions on the use of cash payments. In lower Eastern Kenya, more women than men were found to benefit from the use of mobile money transfer services (MMT) using their mobile phones.

The presence of women on the internet and their use of mobile phones bring to the fore the mechanisms on these platforms that regulate such use. This is because women may be among those most vulnerable to having their privacy infringed by smart devices, apps, search engines and social media platforms. The UN Human Rights Council and the General Assembly have noted that violations and abuses of the right to privacy in the digital age may affect all individuals and have particular effects on women.

When it comes to the particular effect on women, privacy exposure, infringement, and other related issues are some of the concerns attached to internet use. Violation, cybercrime, third-party data sharing, gathering and exposure, and online harassment, including the creation and dissemination of falsehoods and inaccuracies online, are possible negative impacts of social media use. Research shows that violations of women’s right to privacy in health issues have been found to be a disincentive to seeking care for subsequent deliveries.

International and regional data protection regulations contain provisions on data privacy and protection, from definitions to the establishment of systems, controls, etc. Presently, the frameworks in many African countries are inadequate. The sufficiency of these provisions for gender purposes is arguable. The mere fact that the right to privacy exists in constitutions does not preclude the adoption of a robust data protection law.

Nigeria has many pieces of legislation on data protection, yet not one is gender-specific or expresses recognition of its provisions for women. While Kenya boasts a robust data protection law, although still under analysis, the gender or women issue has not come up for consideration. The same can be said of South Africa, with its robust human rights and women-friendly legislation and policies. Indeed, the discourse on women’s inclusion in the legal framework on data privacy and protection cannot be said to form the topic yet. Even in academic circles this is an upcoming topic, albeit a necessary one.

However, the field of data privacy and protection in Africa is still an evolving area, and women’s inclusion can be contemplated and ensured now. The use of inclusive clauses, such as providing in definition clauses that where “men” is mentioned it should be taken to include women, may fill the gap. More research is also needed on women’s dealings with the existing regulations. At this stage, however, legislation or its reform to be gender-inclusive or gender-friendly may be necessary. Other approaches, including budgeting for gender mainstreaming, already practiced by some countries, may also be included.

The summary is that women should not be treated as an afterthought in legislation, particularly in issues of importance like data privacy and protection in this information age, because a feminist internet is in the best interest of everybody in society.

Dr Olayinka Adeniyi is a researcher on women’s rights at the Centre for Intellectual Property and Information Technology Law (CIPIT), Strathmore University, Nairobi, Kenya. Her current research area is Gender and AI.

A Risk-based Assessment to Digital ID Systems: The Case for Huduma Number (by Florence Ogonjo and Rachel Achieng)
https://developingdata.org/a-risk-based-assessment-to-digital-id-systems-the-case-for-huduma-number-by-florence-ogonjo-and-rachel-achieng/
Wed, 21 Jul 2021 10:49:18 +0000

Digital identity (ID) technologies are being tried and tested, and discussions about their adoption are becoming more common. The effectiveness of these systems will be determined by how privacy and security concerns are addressed during the early stages of implementation. When considering digital ID, the technical infrastructure and legal framework go hand in hand. Therefore, the establishment and adoption of good ID necessitate legal and technical safeguards that address data protection, privacy, and security.

Kenya adopted the National Integrated Identity Management System (NIIMS) in 2019. The system was designed to create and maintain a national population register as a single source of information about Kenyan citizens and foreign residents in the country. The adoption of this system was met with numerous reservations, particularly concerning security, privacy, and inclusivity. These issues were raised and challenged in the acclaimed Huduma Number case (Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties)), which halted the nationwide biometric registration to collect the information for the NIIMS system and the rollout of the Huduma number. The case resulted in the development of data protection laws and regulations, as well as additional legislation allowing for the establishment and use of NIIMS, which were not previously in place. The Government of Kenya began the first phase of the Huduma number rollout towards the end of 2020.

A risk-based assessment evaluates the digital ID system’s operation, privacy and security, the use of biometrics in the digital ID system, data lifecycle management, governance structures, and potential security threats. Privacy and security are integral to the functioning of the digital ID system. The Huduma number case brought into question the system’s design and its technical and functional capabilities in ensuring the privacy and security of the data that would be processed for the proper functioning of the system. This is anchored to the operation of the NIIMS system, especially in consideration of the use of biometrics, which is highly susceptible to security threats. The system is vulnerable to serious threats due to the nature of the data collected and stored, the most serious of which are third-party data leaks and identity theft. These potential threats are likely to negatively impact the data, the systems and the users whose data is stored and managed in the database.

The more data the system processes, the more complex the threats and the greater the need for strong security measures. These security measures are established not only by technical and organizational measures but also by operational governance structures. Governance is significant in establishing public trust and protecting the constitutional right to privacy. The introduction of digital ID in Kenya led to the establishment of laws and policies that form the basis of governance that regulates the functioning of NIIMS. The Data Protection Act, 2019, the Registration of Persons NIIMS Regulations (2020), and the Data Protection (Civil Registrations) Regulations (2020) are the primary references for the statutory regulation of NIIMS. The risks posed by digital ID management systems cannot be overstated given the government’s continued reliance on personal data in providing services. The systems must therefore be continuously evaluated and improved while taking into account the risks their continued use poses to privacy, security, digital identity, and the overall functioning of the system.

NIIMS’s success or failure will be determined by how well and consistently security measures are implemented. Access control mechanisms, network monitoring, and intrusion detection systems are required to detect and respond to cybersecurity attacks. Most governments have established cybersecurity agencies, research centres, and standards and technology institutes to oversee such systems and ensure overall security within other systems that the public has access to. Running and maintaining such systems necessitates a consistent financial flow, adequately trained cybersecurity personnel, and a government that understands the importance of personal data privacy and security. The Kenyan government must take these issues into account, particularly in the system’s operation.

The transition to a digital ID management system is an unavoidable reality. Digital transformation, adoption, and increasing digitization open the door to an infinite number of risks, both those presently known and those that might develop in the future. Vigilance on NIIMS’s technical infrastructure, potential security risks, and vulnerabilities, as well as the current legal framework, is necessary for determining whether the parameters established will remain sufficient in light of ever-changing processes and technology.

Florence A. Ogonjo is a Research Assistant at the Centre for Intellectual Property and Information Technology Law (CIPIT) currently working on the research areas of digital ID and data governance in Kenya.

Rachel Achieng is a Research Assistant at the Centre for Intellectual Property and Information Technology Law (CIPIT) currently working on the research areas of digital ID and data governance in Kenya.

Crafting a Comprehensive Kenyan IPDT Framework: Lessons from the GDPR, OECD and APEC (by Amrit Labhuram and Micheal Butera)
https://developingdata.org/crafting-a-comprehensive-kenyan-ipdt-framework-lessons-from-the-gdpr-oecd-and-apec-by-amrit-labhuram-and-micheal-butera/
Wed, 21 Jul 2021 10:48:48 +0000

Kenya, following the enactment of the Data Protection Act 2019 (DPA)[1], has adopted a restrictive principle on International Personal Data Transfers (IPDT). Part VI of the DPA obligates data controllers or processors that intend to conduct IPDTs to provide evidence of appropriate safeguards, as well as submit proof that the recipient countries possess commensurate data protection laws.

The rationale for the implementation of an IPDT regulation arises from the realisation that it is pointless to establish a framework to protect personal data if those protections could be effectively circumvented by simply moving the data of the people it was designed to protect to another jurisdiction.[2]

However, there is a concerning lack of clear and sufficient regulations, as exemplified by the newly proposed draft General Regulation[3], which fails to provide a comprehensive supplementary IPDT framework to Part VI DPA. Furthermore, the ODPC has not conducted assessments on foreign jurisdictions, nor declared the minimum principles and characteristics of data protection laws that need to be satisfied when determining the adequacy of foreign data protection legislation. The lack of clear guidelines and criteria on lawful IPDTs enables organisations to flagrantly conduct cross border data transfers without concern for their data subjects and the possible violation of their privacy-related rights in foreign jurisdictions.

The paper, which is the extension of this blog, develops and proposes an evaluation criterion that shall be relied upon by the ODPC when determining the adequacy or proportionality of a foreign jurisdiction’s data protection laws in relation to the DPA.

Kenyan DPA

The DPA expressly provides that it shall ensure that the processing of personal data of a data subject is guided by the principles set out in section 25.[4] Section 25(h) states that organisations must ensure that personal data is not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject. The significance of the inclusion of conditional IPDTs as a guiding principle to the DPA should not be considered a mere coincidence, as it attempts to address the mischief of circumventing obligations created under the DPA by transferring personal data to a more favourable or a deficiently regulated jurisdiction. The provisions of section 25(h) induced and influenced the provisions of the Part VI DPA on the ‘transfer of personal data outside Kenya’. The focus of the paper will be on the conditions under which voluminous and regular IPDTs are conducted, namely the Appropriate safeguard condition and the Adequate data regulation condition enshrined under Section 48(a) and Section 48(b) of the DPA.

The Kenyan IPDT framework does not establish a concise hierarchy of the conditions that may be used to conduct IPDTs. These conditions are, for the most part, consistent with the IPDT provisions of the GDPR. It is on this basis that the paper borrows elements from the GDPR’s IPDT framework in an attempt to address the inadequacies of the current Kenyan IPDT framework and establish a more definitive structure that may be relied upon to engage in lawful cross border data transfers.

Comparative Study

The paper shall briefly examine the global IPDT frameworks that are currently adopted and relied upon to determine the legality of IPDTs. The frameworks identified shall assist in supplementing the inadequacies of the DPA’s IPDT provision. More specifically, the paper shall refer to the General Data Protection Regulation (GDPR), its Recitals and guiding documentation, the Asia Pacific Economic Cooperation, Cross Border Privacy Rules (APEC CBPR) and OECD: 1980 Regulations and Revised and Updated Regulations on Protection of Privacy and Transport Flows of Personal Data. The identified frameworks shall inform the evaluation criterion and appropriate safeguards to be relied upon when conducting IPDTs as per Part VI DPA. In addition, the paper succinctly explores the need for the Kenyan IPDT framework to develop mechanisms enabling International Cooperation, Coordination, and Implementation of cross border transfers of personal data between the ODPC and foreign data protection supervisory authorities. Finally, the paper concisely develops an argument for the development of a more robust set of exemptions that permit data exporters to circumvent the Appropriate safeguard condition and the Adequate data regulation condition for conducting IPDTs.

In a nutshell, the paper advocates for the development of a more comprehensive Kenyan IPDT framework based on the current foundation created by Part VI DPA. What is mostly learned from the comparative analysis is the derivation of content and procedural principles, which are simultaneously present within the DPA and global IPDT frameworks. The authors also note that the adequacy guidelines reiterate that the data protection concepts do not have to mirror the GDPR terminology, but should reflect and be consistent with the concepts enshrined in European data protection law. The ODPC may adopt a similar methodology, and evaluate a recipient’s data protection framework for concepts synonymous with those expressly defined under Section 2 of the DPA. Evaluation of the data protection concepts should not be limited to the DPA; rather, it should be inclusive of concepts furnished under subsequent regulations developed to supplement the DPA.

Amrit Labhuram is a Data Protection Lawyer and Research Assistant who works on Data Governance and International Personal Data Transfer research at CIPIT. He is currently pursuing certifications to be a globally recognised Data Protection Officer under the IAPP.

Micheal Butera is a Research Intern at CIPIT. He is currently working on a Data Localisation research project.

[1] Data Protection Act (Act No. 24 of 2019) -<https://www.odpc.go.ke/download/kenya-gazette-data-protection-act-2019/#> on 12 July 2021.

[2] Phillips M, ‘International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR)’ Human Genetics, 2018, 575 -<SpringerLink> on 12 July 2021.

[3] Data Protection (General) Regulations, 2021 -<https://www.odpc.go.ke/wp-content/uploads/2021/04/Data-Protection-General-regulations.pdf> on 12 July 2021.

[4] Section 3(b), Data Protection Act (Act No. 24 of 2019).
