Apathy or Unawareness?

Unsolicited marketing via text messages from brands is the latest nuisance for Kenyans who pay for their services by M-Pesa. In a conversation started by @fkariuki  on Twitter, numerous users of the M-Pesa payment platform complained of receiving unsolicited marketing messages post-payment despite opting out using the USSD service prescribed by Safaricom. This is a prime example of misusing personal data for other purposes other than the one relevant to the purpose of collection, which is illegal according to the Data Protection Act signed into law late last year.

In a report published by Ajua, Kenyans signed on to mobile lending apps are raising concerns about the intrusive measures lending firms are taking to recover their money. Such measures include engaging with the customers’ contacts to encourage them to meet their late payments, a blatant invasion of customers’ privacy and another case of misusing personal data. One of the survey respondents mentions that they would use a digital mobile lending platform that has, “reasonable rates, they do not call or text everyone on your contact list to tell you to pay the loan if defaulted for sometime…”. 

Given these two cases in an ever-growing consumer-data-intrusive culture, it is clear to see the lack of urgency by service providers in rectifying the situation as seen by the generic responses given to the Lipa na M-Pesa issue aforementioned. Which begs the question, are service providers and brands being lethargic in complying with the Kenya Data Protection Law or are they simply unaware on how they should be complying? An important conversation we can begin having with telecommunications and other service providers is about the secure methods of collecting personal data that they can employ to ensure the purpose for collection is achieved and that citizens are still protected. However, it is also important to dig a little deeper into how ordinary citizens come into play.

In 2019, Ipsos conducted a survey that revealed that about 44% of Kenyans are at least somewhat concerned about their online privacy, less than half of the total population. It is difficult to tell from this report whether this could be civilian unawareness or apathy with regards to personal data protection and whether either of these two factors feeds into and enables Kenyan business brands to turn a blind eye to the law. In the aforementioned Twitter conversation, several Kenyans noted with what could be termed hopelessness, that it is using M-Pesa that subjects them to this invasiveness. Yet, this extraction of personal information post-payment for marketing purposes is impermissible by law. This is the same case with the exposing of loan defaulters by lenders by reaching out to the lendees’ contacts, it is an invasion of privacy and using of personal data for purposes other than the relevant and permitted ones. 

However, not all hope is lost. With the operationalization of the  Data Protection Law expected to begin soon, citizens already have the power to dictate and control how their personal data is handled and stored. For companies,  it is about time they updated their privacy policies and have a human rights centered data protection outlook by default and by design. 

This law is applicable to all handlers of customers’ personal information; from online vendors with only one employee and relatively small portions of data to huge companies with hundreds of employees and huge chunks of customer data in their systems, to event organizers who have to register their attendees, to digital lending apps, etc.  As such, we must be wary and more vigilant during this grace period that we are uninformally allowed to review our privacy policies. 

If you are wondering how to navigate around issues pertaining to data protection and privacy either as a concerned citizen and consumer or even within your company or firm. Don’t worry, the iHub is here to help. We have several offerings on understanding of the law and how you can practically comply with the law including reviewing internal privacy policies in line with the Data Protection Act. For data handlers with no privacy policies, this would also mean, as a first step, drafting what a privacy policy for your services would look like. Our first session with the external community will be on 26th March 2020, from 4.30pm to 6.30 pm at the iHub’s 6th Floor Events Space. 

If you are interested in enrolling for this session, kindly fill this form out. If you are interested in working with us to curate a session for your company, kindly send an email to nyakwaka@ihub.co.ke with the email subject “Data Protection Compliance Session” and we will get back to you as soon as possible.

For any questions, or inquiries please reach out to nyakwaka@ihub.co.ke