[kictanet] Data Protection Bill: Portability section

Rafe Mazer rafe.mazer at gmail.com
Fri Jul 5 17:39:23 EAT 2019


Hi KICTA Net members. I'm Rafe Mazer, a consumer protection in digital
financial services specialist working in Kenya the past 5 years (and
globally on this toic for 10+ years.)

I just saw the new Data Protection Bill within the National Assembly (
http://parliament.go.ke/sites/default/files/2019-07/The%20Data%20Protection%20Bill%2C%202019.pdf)
and wanted to raise a discussion internally about Section 38 on Data
Portability to see if KICTA Net may want to engage further on the topic.
Specifically there are two aspects that were concerning:

1. The allowance for 30 days to honor a data subject's request for
information held on them.
In a digital economy, this is an excessively long period, and also quite a
blunt instrument to apply across the entire economy, where health records
are different from government records are different from financial records,
etc. This would also kill the utility of portability in spaces like
FinTech. Imagine I want to use my economic history with data controllers to
get competing mobile loan offers. It could take up to 30 days to share that
information, which is not aligned with the near-instant nature of these
products and consumers' expectations on timing. Already the Bill rightly
notes portability should only apply where "technically feasible" to exempt
low-tech industries or providers, so there is no sense is saying that those
who are deemed to be able to comply technically with portability should
have up to 30 days to do so. If this language is kept in it will be used to
delay--and defacto deny--consumer use of their data for increased choice in
digital segments of the economy.

Further, since access to information is included in the same section as
portability, and they are not explicitly differentiated, you could argue
data controllers have not just 30 days to honor a portability request, but
to even tell you what data they hold on you the data subject. This is far
too long a time to permit for a basic consumer data right. Right now some
providers offer financial statements to the data subject much faster than
that--in minutes or seconds--but allowing 30 days could encourage setting
practices to that standard going forward, reducing consumer access to their
own data not improving it.

2. The allowance of a "reasonable fee" to be charged for a portability
request could lead to anti-competitive and excessive pricing. "Reasonable"
is highly subjective, and we have seen Competition Authority already had to
intervene to stop anti-competitive use of wholesale USSD rates in mobile
financial services (
https://techweez.com/2017/03/17/cak-wants-safaricom-lower-ussd-charges-mobile-banking/).
It is highly likely a "reasonable fee" window would be deployed similarly
where beneficial to firms and require ex-post intervention. The original
language from the 2018 Bill where this was free of charge seems a much
better approach.

Curious to hear others' thoughts or context on this section, and how
KICTANet could help to fix this section for the final version of the Bill
so we don't create an anti-innovation and anti-consumer portability regime
that will be the law of the land.

Thanks for the chance to share and discuss on this platform,

Rafe Mazer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20190705/9770ec47/attachment.htm>


More information about the KICTANet mailing list