Future of Data Protection

Kenya’s sneak attack on privacy: changes to the law allow government access to phone and computer data

In Kenya, the right to privacy is already in jeopardy, but a new amendment to the law is deepening the crisis. On December 11, 2020, President Uhuru Kenyatta signed into law an omnibus bill introducing key amendments to the Official Secrets Act (Cap 187). The Statute Law Miscellaneous Amendment Act gives powers to the Cabinet Secretary of Interior and Coordination of National Security to access data from any phone or computer and introduces hefty penalties for anyone who refuses to comply. The signing of this amendment is a stealth attack on Kenya’s privacy laws and Kenyans’ fundamental rights. Furthermore, Kenya’s constitution protects privacy, and while the right to privacy is not absolute, this amendment further shreds it. 

Prior to the introduction of this amendment, the Official Secrets Act did not cover new technologies and limited government access to personal data related to telegraphs in the interest of national security and the public interest. Unfortunately, the act had no checks or balances and power rested solely on the Minister, as the position was then known.

Let’s take a closer look at what the amendment allows and why it fails to pass muster for protecting Kenyans’ rights. 

Surveillance without checks and balances

Under this amendment, when it is in the national interest of the state, “...the Cabinet Secretary may, apply to the High Court for an order requiring any person who owns or controls any telecommunication apparatus used for sending or receipt of any data…” 

Rather than making it mandatory to obtain a court order every time the Cabinet Secretary seeks data, the amendment leaves the option to seek a court order at the Cabinet Secretary’s discretion. The use of the word “may” implies that the only safeguards provided for privacy and other rights are optional. 

This amendment is yet another illustration of the government’s utter disregard for the right to privacy. Law enforcement and security agencies have perpetrated both mass and targeted surveillance of ordinary Kenyans, journalists, opposition groups, and others, and these invasions of privacy are rampant and take place mostly unregulated. Spying by security services has supported “Death Squad” campaigns that have claimed lives with impunity, and as media reports and civil society organizations have revealed, the digital surveillance that telecom service providers facilitate is at the center of this problem. According to Privacy International, the National Intelligence Services (NIS) have “direct access to Kenya’s telecommunications networks, which allows for the interception of both communications data and content.” Rather than regulating these dangerous practices and protecting privacy, the government has amended the law in a clear attempt to laminate over these illegal practices.   

Moreover, while these surveillance powers are supposed to be used only to protect  “national security,” the wording of the law is vague enough to give the government and authorities plenty of leeway regarding how and when to use them. The threshold for use of these powers is much too unreliable to serve as the sole basis for upending Kenyans’ constitutional rights. The government has previously abused its powers and the lack of definitive parameters in applying this amendment will force telecom service providers and others in possession of personal data to leave the front and back doors permanently open to law enforcement agencies and security services. 

Hefty penalties for failure to comply  

The amendment introduces penalties for anyone who fails to comply with orders to turn over their data.  If you don’t do what the government asks, you face a one million shilling fine (approximately $9,150), a one-year imprisonment term, or both — more than enough to bully anyone into compliance. 

“Any person who fails to comply with a request made under sub-section shall be guilty of an offence and liable to a fine not exceeding one million shillings or to imprisonment for a term not exceeding one year, or to both.”

Lack of adequate public participation for amending the law 

There is the growing and worrying trend of lack of adequate public participation in Kenya’s government, and the discussion regarding this amendment was no exception. Yet the need for meaningful public participation is embedded as a value in Kenya’s constitution, and it is especially important when it comes to crafting policy that affects the fundamental rights of citizens.  

This is not the first time Kenya has used an omnibus bill to sneak in amendments and bypass the  normally required public consultation and adequate legislative processes. In December 2018, Kenya introduced its national identity legislation this way. The National Integrated Identity Management System (NIMS) was passed under  Executive Order No. 1 2018 and the Statute Law (Miscellaneous Amendments) Act, 2018 Sec 9A. The passage of NIMS via an omnibus bill was challenged in court. and the government was subsequently forced to enact the Data Protection Act 2019 and other regulations to streamline NIMS.  

The amendment to change the Official Secrets Act was advertised in only two newspapers as a means of opening it to public participation. For a law of this importance, that is not enough to get sufficient participation.

What should happen now: National Assembly must protect privacy rights by amending the Official Secrets Act

Given the government’s previous illegal surveillance practices and the deadly impact they have had, the National Assembly must amend the Official Secrets Act to provide the necessary checks and balances and protect Kenyans’ right to privacy. Any government request for access to an individual’s private information should take place only under a proper court order.

Access Now further calls on the National Assembly to strengthen Kenya’s existing frameworks and laws — such as the Data Protection Act — instead of passing new laws to weaken them.