Want to collaborate or support access to justice?
Contact UsWant to collaborate or support access to justice?
Contact Us
Read this story on Esheria.
Data protection and regulation is a fairly recent matter in Kenya. Before 2019, people (both natural and juristic), public authorities, agents and other bodies were handling and processing data without specific statute to regulate the same in Kenya. There had been many kinds of constitutional violations before the enactment of the Data Protection Act (the Act). This was generally because of the lack of a proper regulatory framework. The first Data Protection Bill was published way back in 2009 and it only took a decade before the Act was … enacted. Before the Act, the increasing globalization, cross-border transactions, internet penetration and the use of social media and digital platforms among citizens, governments and the private institutions raised several data security and privacy concerns. For example, that breaches may amount to loss of reputation, identity and other safety concerns.
The right to be forgotten emanates from the right to privacy. The Constitution, through Article 31, regulates data and privacy concerns. The Article provides that every person has a right to privacy which includes the right not to have, among others, information relating to their family or private affairs unnecessarily required or revealed. The right to privacy finds its origins in individualism where the individual has a right of self-determination which means they have the right to decide which parts of their personal lives to share and which parts to keep to themselves. Warren and Brandeis argue that it is necessary for the legal system to recognize the right to privacy because, when information about an individual's private life is made available to others, it tends to influence and even to injure the very core of an individual's personality--"his estimate of himself." Privacy is a fundamental human right, enshrined in numerous international human rights instruments. The right to privacy embodies the presumption that individuals should have an area of autonomous development, interaction and liberty, a “private sphere” with or without interaction with others, free from arbitrary State intervention and from excessive unsolicited intervention by other uninvited individuals. Activities that restrict the right to privacy, such as surveillance and censorship, can only be justified when they are prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued.
What is the right to be forgotten? The Act provides for the right of rectification and erasure. Section 40 states that a data subject may request a data controller or data processor to rectify without undue delay personal data in its possession or under its control that is inaccurate, out-dated, incomplete or misleading; or to erase or destroy without undue delay personal data that the data controller or data processor is no longer authorised to retain, irrelevant, excessive or obtained unlawfully. It is important to keep in mind that the data protection laws in Kenya emanate from the European Union General Data Protection Regulations (GDPR). Article 17 of the GDPR states that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where;
Drawing from the provisions of the Act and the guidance of the GDPR, personal data must be erased immediately where the data is no longer needed for its original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for the processing. In addition, data must naturally be erased if the processing itself was against the law in the first place.The controller is therefore on the one hand automatically subject to statutory erasure obligations, and must, on the other hand, comply with the data subject’s right to erasure. The law does not describe how the data must be erased in individual cases. It is sufficient if the data media has been physically destroyed, or if the data is permanently over-written using special software.
Section 40 (2) of the DPA and Article 17(2) of the GDPR further provide that if the controller has shared the data with a third party or made the personal data public, and if one of the above reasons for erasure exists, he must take reasonable measures, considering the circumstances, to inform all other controllers in data processing that all links to this personal data, as well as copies or replicates of the personal data, must be erased. An erasure request is not subject to any particular form, and the controller may not require any specific form. However, the identity of the data subject must be proven in a suitable way. If the identity has not been proven, the controller can request additional information or refuse to erase the data.
The right to be forgotten is not just a right because the statute makes it so. It has its importance especially in this day and age where all of people`s actions are in the open to be recorded and stored throughout history. Some things and situations do not need to be remembered throughout history. When information has outlived its usefulness, it should be erased. The idea that every act of an individual has permanence limits a person's freedom to express themselves out of fear of being affected by those acts in the future therefore, limiting the democratic citizens' development. For example, is it necessary to hold information that is damaging to the reputation of a person where it is no longer relevant? In the case of Les Alfacs, a company that owned a campground filed a lawsuit against Google Spain because the search engine would not stop placing in its top results news about a horrific tragedy that took place on their campsite in 1978, when a truck transporting propylene exploded, leaving 243 dead. The company wanted Google to filter the search results and differentiate between those who were looking for information on the tragedy and those who merely sought information about the campground. The fact that the incident appeared in Google's search results was causing damage to the company 10 to 15 years on. Despite the fact that Les AIfacs case involved a company and not an individual is a good example of how irrelevant information can still be damaging yet it is not important.
In conclusion, the right to be forgotten is an essential right as far as the right to privacy is concerned. There are benefits to letting go of information from the past about individuals that has no bearing whatsoever on the future. It is not enough though, that the DPA guarantees this right. Most of the data subjects in Kenya are not aware of this provision and therefore do not know that they have such a right. The Office of the Data Protection Commissioner should take the initiative to make the public aware of this right and ensure that the data processors/controllers adhere to the provisions of the DPA by complying with the requests of the data subjects.
