Day 4: Policy and Regulatory Framework on Privacy and Data Protection - Data Controllers and Processors


Regarding part IV of the draft I have noted the following points.

*1. Transfers outside Kenya.*

Very many (if not most) Kenyan websites/systems are hosted
internationally; AWS, Rackspace, and all the usual suspects are widely
used. As a result very often personal data is currently transferred

My issue here is what constitutes “proof” that a foreign nation has
“adequate” data protection laws? My first thought on this issue is that
Europe due to GDPR would be considered “adequate”, whereas the United States
would NOT be considered as having “adequate” laws.

If this is the case/correct interpretation then this law will have a
significant cost (money and time) for all the ones currently hosting in
the US who have to migrate their setup.

*2. Platform as a service*

In situations where your system is built on a global company’s “platform
as a service” (Google being the prime example) you have very little
control of “where” the personal data is “transferred” – as Google have
caching servers almost everywhere, essentially the data would/could be
copied all over the globe.

The limitation on international transfers – does it in effect kill
innovations that utilize global infrastructure such as this?

*3. Lack of incentive for notification*

As I have mentioned elsewhere I think it is great that any breach that
should happen requires that the affected person(s) be notified. However
I feel that the draft very much creates no incentive for data-processors
to actually fulfil this requirement – in fact, the way I read it, it is
very very tempting for processors who are subject to a breach to keep
very quiet (i.e. they are committing an offence if they are subject to a
breach – so better make sure no-one ever finds out that you lost some data).

Kind regards
Michael Pedersen

On 27/08/2018 08:30, Grace Bomu via kictanet wrote:
> General obligations for controllers and processors are listed in part
> IV and they include upholding the principles of data protection,
> protecting the rights of the data subject, duty to notify the subject
> about processing and breaches, acquisition of consent and security
> safeguards as regards personal data. It would be interesting to hear
> from data controllers and processors, views on:
> Welcome to the discussion. Please point out any issues in the bill
> that are either very good and should be retained or problematic and
> should be improved. Tujadiliane.
> —
> Grace Mutung’u
> Skype: gracebomu
> @Bomu
> PGP ID : 0x33A3450F
