The legals on phone tapping and personal data

Last Friday media reports suggested that the Communications Authority of Kenya (“the CA”) intended to roll out an application called the Device Management System (DMS) capable of tapping into a mobile phone carrier’s network, enabling the CA to access personal information from people using that carrier’s network. The CA clarified that it intends to curb the proliferation of counterfeit devices by identifying and isolating those devices and denying them access to services, not by collecting a subscriber’s personal information. Despite this, questions as to data protection for the rest of the users of the network have arisen.

Current position

It is well known that phone tapping, surveillance and interception of communications violate the right to privacy (see Kennedy vs Ireland (1987) I.R 587 and Coalition for Reforms and Democracy (CORD) v Attorney General Petition No.630 of 2014).

There are two bases to challenge this phone tapping.  Firstly, the Constitution provides that every person has the right to privacy – which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.

The Constitution grants every person the right to institute court proceedings when his/her fundamental right or freedom, such as the right to privacy as described above, has been denied, violated, infringed or is threatened.

The Kenya Information and Communications Act (Act no. 2 of 1998 (as amended)) (“KICA”) provides that the Cabinet Secretary in charge of Information and Communication has the power to make regulations in relation to a telecommunication service and, specifically, to make regulations on the privacy of telecommunication.

Pursuant thereto, the KICA Consumer Protection Regulations require that a Customer has a right to personal privacy and protection against unauthorized use of personal information, and specifically restrict a telecommunication licensee from allowing any person to monitor or disclose the content flowing through their system.

Further, the KICA (Registration of Subscribers of Telecommunication Services) Regulations bar the sharing of subscriber data by mobile providers without the express authority of the affected subscriber.

Conclusion

The current legal position in Kenya is that any person, including a public entity, collecting personal information has to abide by the Constitutional provisions of the Right to Privacy and the KICA regulations on consumer/customer protection.

Consequently, it appears that there would be good grounds to challenge the tapping of the carrier networks by the CA. For now, the High Court has granted orders stopping the implementation of the CA directive, ordering that it be heard on March 6 2017.

 

Your password may be required if you’re visiting the US

If you come from Iraq, Iran, Syria, Yemen, Somalia, Sudan and Libya, your social media passwords may soon be required to enter the USA, according to Security Secretary John Kelly. According to news reports, this was one of several issues considered as additional screening measures to vet refugees and visa applicants from those countries during talks around Trump’s embattled executive order on immigration. While this was not an official policy decision, to suggest it on the record indicates the Government’s intention.

Using social media as part of the verification process is not new. The Obama administration had proposed a social media identification policy; however, requiring passwords ended up not being a part of it.

Should this pass, there will be challenges. Noting how easy it is to create fake social media accounts, one may wonder why this was on the agenda.

I shall not touch on the obvious privacy issues arising with one volunteering their password.

Let’s wait and see how this pans out.

Cyber Security – What if Yahoo was a Kenyan Company?

Background

On 22nd September 2016, Yahoo confirmed a cyber-attack in which over 500 million personal accounts were compromised. This was arguably the largest cyber security breach in history. The information obtained by the hackers includes names, email addresses, telephone numbers, dates of birth and in some cases, security questions and answers.  This comes in the wake of the on-going merger with Verizon Communications in which Yahoo is selling its core business (search, email and messenger assets as well as advertising technology tools) for USD 4.8 Billion.

While not as embarrassing to its members as the Ashley Madison hack from 2015, this recent event raises a good prompt to question whether Kenyan law is relevant to the internet. What if Yahoo was a Kenyan company?  What would be the legal outcome of this breach?

Kenyan context 

Kenya’s legislature is attempting to keep up with evolving cyber security issues. Existing law does not impose any sanction or penalty on the Kenyan equivalent of Yahoo; however, there are three bills which would change this.

The Data Protection Bill 2013, the Computer and Cyber Crimes Bill 2016 (CCC) and the Cyber Security and Protection Bill 2016 (CSP) are based on the equivalent laws in South Africa and the UK and aim to incentivize companies to increase their internet security and to prohibit certain acts in the use of the internet. It is unclear if, or when, they will become law.

The Data Protection Bill aims to regulate the collection, retrieval, processing, storing, use and disclosure of personal data. The Bill proposes that all companies will be required to put in measures to protect data against loss, destruction and manipulation. Failure to put in adequate security measures will attract a penalty of 100,000 Kenya Shillings or imprisonment of 2 years, or both.

The CSP and the CCC share the same vision of regulating cyber crimes but adopt competing methods to try and deal with this issue. The CCC is a Government Bill whereas the CSP is privately sponsored, so there is currently no clarity on when or if these bills will be progressed.

The CSP aims to establish a Response Unit in the ICT Ministry to receive and investigate reports on cyber threats. The CCC proposes additional investigative procedures for police officers.

The CSP proposes an information sharing mechanism between public and private companies (and with each other) whereas the CCC is seeking to improve international co-operation for prosecuting cyber crimes.  Broadly, the goal of both bills is to hasten investigations and prosecution of cyber crimes.

Relevantly for corporations, the CSP would require a company suffering a cyber-breach to report it to the Response Unit within 7 days of it occurring. Failure to do so will be an offence. Worryingly for corporations, there is no element of knowledge to trigger the 7 day reporting requirement. A company could be in breach of this provision if it were hacked and did not discover this fact for a significant period of time. As mentioned above, the CSP bill does not currently have government support and so its chance of becoming law is not high. However, its existence, together with the Government’s CCC bill, shows that the Kenyan legislature is moving towards regulating and imposing penalties in this area. It is only a matter of time before one of these bills is enacted.

Separate to the legal outcomes, from a commercial perspective, a cyber-attack is bad for business. Yahoo not only faces potential class action suits and reputational damage, but the likelihood of the hack being a deal breaker on the merger with Verizon is high. With the potential for new legislative penalties in Kenya on the horizon, companies should place data protection and cyber-security on their risk management agenda sooner rather than later and before a cyber-breach occurs, not as a result of one.

Below is a clip on simple cyber security tips we can all embrace from the Herjavec Group, a cyber security firm.