<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Listers,</p>
<p>Regarding part IV of the draft I have noted the following points.</p>
<p><b>1. Transfers outside Kenya.</b></p>
<p>Very many (if not most) Kenyan websites/systems are hosted
internationally, AWS, Rackspace, and all the usual suspects are
widely used. As a result very often personal data is currently
transfered internationally.</p>
<p>My issue here is what constitutes "proff" that a foreign nation
have "adequate" data protection laws? My first thought on this
issue is that Europe due to GDPR would be considered "adequate",
whereas United States would NOT be considered having "adequate"
laws.<br>
</p>
<p> If this is the case/correct interpretation then this law will
have a significant cost (money and time) for all the ones
currently hosting in US who have to migrate their setup.</p>
<p><br>
</p>
<p><b>2. Platform as a service</b></p>
<p>In situations where your system is build on a global company's
"platform as a service" (Google being the prime example) you have
very little control of "where" the personal data is "transfered" -
as Google have caching servers almost everywhere, essentially the
data would/could be copied all over the globe.</p>
<p>The limitation on international transfers - does it in-effect
kill innovations that utilize global infrastructure such as this ?<br>
</p>
<p><br>
</p>
<p><b>3. Lack of incentive for notification</b></p>
<p>As I have mentioned elsewhere I think it is great that any breach
that should happen requires that the affected person(s) be
notified. However I feel that the draft very much creates no
incentive for data-processors to actually full-fill this
requirement - In-fact the way I read it it is very very tempting
for processors who are subject to a breach to keep very quiet
(i.e. they are committing an offence if they are subject to a
breach - so better make sure no-one ever finds out that you lost
some data).<br>
<b></b></p>
<p><br>
</p>
<p>Kind regards<br>
Michael Pedersen</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 27/08/2018 08:30, Grace Bomu via
kictanet wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMwG4pyA_sKXJD6Vaoq9Fk0Dny5J6evZ2FDMemDEe_BHWJ+vpw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr"><br>
<div class="gmail_default"
style="font-family:verdana,sans-serif">General obligations for
controllers and processors are listed in part IV and they
include upholding the principles of data protection,
protecting the rights of the data subject, duty to notify the
subject about processing and breaches, acquisition of consent
and security safeguards as regards personal data. It would be
interesting to hear from data controllers and processors,
views on: </div>
<br>
<div class="gmail_default"
style="font-family:verdana,sans-serif">Welcome to the
discussion. Please point out any issues in the bill that are
either very good and should be retained or problematic and
should be improved. Tujadiliane. <br>
</div>
<div class="gmail_default"
style="font-family:verdana,sans-serif"><br>
<br clear="all">
</div>
<br>
-- <br>
<div dir="ltr"
class="gmail-m_2365108637350245690gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Grace Mutung'u <br>
Skype: gracebomu<br>
@Bomu<br>
<span style="font-size:12.8px">PGP ID : 0x33A3450F</span><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
kictanet mailing list
<a class="moz-txt-link-abbreviated" href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a>
<a class="moz-txt-link-freetext" href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a>
Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/kictanet">http://twitter.com/kictanet</a>
Facebook: <a class="moz-txt-link-freetext" href="https://www.facebook.com/KICTANet/">https://www.facebook.com/KICTANet/</a>
Domain Registration sponsored by <a class="moz-txt-link-abbreviated" href="http://www.eacdirectory.co.ke">www.eacdirectory.co.ke</a>
Unsubscribe or change your options at <a class="moz-txt-link-freetext" href="https://lists.kictanet.or.ke/mailman/options/kictanet/michael%40pluspeople.dk">https://lists.kictanet.or.ke/mailman/options/kictanet/michael%40pluspeople.dk</a>
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
</pre>
</blockquote>
<br>
</body>
</html>