BANKELELE: New EU rules may make us more alert about personal data use

Wednesday March 18 2020

If you use free or paid services, apps, and websites, you have probably seen a few emails from companies about changes to the privacy and user policies. And if you are like many people, you have clicked through to okay them without reading them at all. No one wants to read 10,000 words of fine print when they can simply click a box and proceed on - and that is the point of the fine print.

My friend @Roomthinker notably says that Kenyans don’t like to read terms and conditions of products and services they use, even though they may have some serious implications. Some recent examples he cites include these: Evernote employees have been reading your notes; Facebook has scraped call and text message data for years from your Android phones; and using Eventbrite grants that company the right to enter your premises where an event is happening and photograph or film it.


But now, virtually all companies whose online products you use — Google, Facebook, Grammarly, Pinterest and Kickstarter, to name a few — are all updating their terms and conditions. The reasons for this are in the European Union’s new General Data Protection Regulation (GDPR that go live on Mat 25 2018, which protect the personal data of EU citizens, and with some impact for other countries as well.

With GDPR, Europe is taking steps to protect its citizens. It rules that companies and websites are not to collect excessive and unnecessary information from users. They have to state why they need the data, how they will use it and who they will share it with. Users’ accounts are, by default, private, not public, and users have the right to delete their data if they close their accounts.

Companies are called upon to take control of their data, and to notify users about any breaches of data. The rules give Europeans the right to opt out of Google’s powerful analytics, data harvesting, and having behaviour-based advertising targeted to them. Will this mean the end of free services?


The GDPR was one of the new rules highlighted a few weeks ago when Anne Clayton, head of public policy at the Johannesburg Stock Exchange, spoke at the seventh Building African Financial Markets seminar in Nairobi. Clayton pointed out that laws convey certain rights including “the right to be forgotten” and this may conflict with “know your customer” and “anti-money laundering” laws that require that firms retain data on their customers for several years. For any Kenyan companies handling data of European citizens, a local privacy expert cautions that they have to be very careful as they can be sued in European jurisdictions.

Data has a lot of value and Kenya has made great steps in harnessing it, both by the government through the KRA’s iTax and eCitizen portals, and by private companies. After reading this article, you can download an app to your phone and get Sh20,000 sent to your M-Pesa account. See how reading pays! Companies like Tala and Branch, and banks like Barclays, Equity and KCB can pull your identity data and loan repayment history and send a new loan to your phone, all in less than a minute. That is the power of data.


That said, issues raised by GDPR might make some Kenyans more conscious about the collection and use of their data. It is now a frequent lament by many on Twitter that “just because I paid for a meal or product using M-Pesa does not give a restaurant, hospital or battery company the right to send me text messages every month.”

Finally, last week the government gazetted a task force to develop the policy and regulatory framework for privacy and data protection, and last month, the National Assembly passed the Computer and Cybercrimes Bill.

Twitter: @bankelele