- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Sabina Frizell is a global public policy manager at Visa, Inc., focused on technology policy in emerging markets. Views are the author’s own, and do not reflect Visa enterprise views. You can follow her @SabinaFrizell.
Amid a global tide of privacy scandals and ensuing privacy regulation, Kenya has a new data protection bill awaiting review in Parliament. The bill sets out much needed market-wide safeguards in a rapidly digitizing nation. But in its current form, the bill extends beyond necessary data protections—and may go so far as to choke data flows that sustain Kenya’s information and technology (ICT) sector. The government should adjust its approach to privacy, to protect its citizens and their information without crimping the still-developing digital economy.
Over the past decade or so, Kenya’s technology sector has exploded, earning the country its reputation as ‘Silicon Savannah.’ Several wildly innovative and successful homegrown companies have attracted international attention and investment—and brought millions of Kenyans online. Internet penetration in Kenya surged from under 1 percent in 2000 to 26 percent in 2017.
Kenya’s government played an important role in enabling the rise in tech. It invested heavily in information technology (IT) infrastructure and research, and established incubators for tech startups. It launched an open government data platform, allowing companies to tap in at no cost and leverage the data to build their business. And a restrained policy approach that holds off before regulating still-evolving technologies has allowed new companies to flourish, while lifting Kenya’s ranking in the World Bank’s Ease of Doing Business report.
Kenya’s rapid tech rise brought a wave of citizens’ information, from credit history to internet searches, into the digital ecosystem. But the country lacks a comprehensive data protection framework. Its business-friendly, light-touch regulatory approach has served the economy well thus far. Now, the government is grappling with how to craft legislation that keeps up with the pace of the technology sector’s evolution and growth.
The Kenyan government published the bill this summer on the heels of several election-related privacy scandals. Kenya is not unique in this regard. Many countries’ recent data laws come in the fallout of scandal, in some cases revolving around elections. But in a nation whose recent elections have been beset by antagonism and even violence, privacy transgressions that threaten integrity and credibility at the ballot box trigger particular unease.
First, the good. Kenya’s draft data protection bill requires companies and government authorities to inform users of the personal data they are collecting, why they’re using it, and how long they’re storing it. It also gives consumers the right to request that their data be deleted, corrected, or not collected in the first place, and establishes security standards for data storage. Many of the requirements, and the focus on individuals’ control of their personal data, echo Europe’s new General Data Protection Regulation (GDPR). And the law moves toward fulfilling the African Union Convention on Cyber Security and Personal Data Protection, which calls for member states to adopt legal frameworks for data privacy and cybersecurity.
Even these baseline safeguards are controversial; some businesses argue that compliance with such safeguards is inordinately expensive—perhaps manageable for multinationals and large local incumbents, but potentially insuperable for new, small businesses.
Now, the bad. The draft bill includes a data localization provision, making it illegal to send Kenyans’ ‘sensitive’ personal data—loosely defined—outside the country. If implemented, it risks crimping the economic gains that cross-border data flows confer.
Nearly every sector collects, processes, and analyzes data. If companies aren’t transferring it across borders to export and reach a new consumer base, they’re likely using data infrastructure such as cloud computing—which at its core relies on data not being relegated to a country’s borders. For small and medium-sized businesses (SMB), the opportunity to plug into global value chains and reach customers across the globe is especially powerful. SMBs are also able to leverage cloud infrastructure to better secure data by outsourcing it to security experts, instead of investing scarce resources in managing their own, local data centers.
The restrictions in Kenya’s new bill will undercut these benefits. Although it outlines a number of scenarios where data transfers outside the country will be allowed, small companies will lack the teams of legal and policy experts necessary to comply. That is likely to favor incumbents and choke Kenyan tech start-ups. And even if large companies have the staff to comply, the overly narrow and at times unclear exceptions will not provide for the truly open data flows that their business operations require.
Early research suggests that data localization laws can hinder economic growth in developing economies. While there hasn’t been research on Kenya specifically, its digitization is still relatively nascent, with internet penetration lagging as much as twenty percent behind the studied markets. By some estimates, a ten percent increase in broadband penetration in low- and middle-income countries can produce a 1.38 percent increase in economic growth. But data restrictions like those in the Kenya’s bill can be a drag on its growth potential.
The privacy bill is still in draft form, with the Ministry of ICT reviewing public comments. In this bill, or any new legislation, Kenya should be careful not to stifle the benefits of the hard-won technology sector just as it’s showing so much potential. Otherwise, the government risks undoing its own efforts to grow Silicon Savannah’s success.