[kictanet] Day 4: Policy and Regulatory Framework on Privacy and Data Protection- Data Controllers and Processors

Michael Pedersen michael at pluspeople.dk
Tue Aug 28 00:57:55 EAT 2018


Regarding part IV of the draft I have noted the following points.

*1. Transfers outside Kenya.*

Very many (if not most) Kenyan websites/systems are hosted 
internationally, AWS, Rackspace, and all the usual suspects are widely 
used. As a result very often personal data is currently transferred 

My issue here is what constitutes "proof" that a foreign nation has 
"adequate" data protection laws? My first thought on this issue is that 
Europe due to GDPR would be considered "adequate", whereas United States 
would NOT be considered having "adequate" laws.

If this is the case/correct interpretation then this law will have a 
significant cost (money and time) for all the ones currently hosting in 
US who have to migrate their setup.

*2. Platform as a service*

In situations where your system is built on a global company's "platform 
as a service" (Google being the prime example) you have very little 
control of "where" the personal data is "transferred" - as Google have 
caching servers almost everywhere, essentially the data would/could be 
copied all over the globe.

The limitation on international transfers - does it in effect kill 
innovations that utilize global infrastructure such as this?

*3. Lack of incentive for notification*

As I have mentioned elsewhere I think it is great that any breach that 
should happen requires that the affected person(s) be notified. However 
I feel that the draft very much creates no incentive for data-processors 
to actually fulfil this requirement - In fact, the way I read it, it is 
very very tempting for processors who are subject to a breach to keep 
very quiet (i.e. they are committing an offence if they are subject to a 
breach - so better make sure no-one ever finds out that you lost some data).

Kind regards
Michael Pedersen

On 27/08/2018 08:30, Grace Bomu via kictanet wrote:
> General obligations for controllers and processors are listed in part 
> IV and they include upholding the principles of data protection, 
> protecting the rights of the data subject, duty to notify the subject 
> about processing and breaches, acquisition of consent and security 
> safeguards as regards personal data. It would be interesting to hear 
> from data controllers and processors, views on:
> Welcome to the discussion. Please point out any issues in the bill 
> that are either very good and should be retained or problematic and 
> should be improved. Tujadiliane.
> -- 
> Grace Mutung'u
> Skype: gracebomu
> @Bomu
> PGP ID : 0x33A3450F