Data Protection Bill: Portability section
Hi KICTA Net members. I'm Rafe Mazer, a consumer protection in digital financial services specialist working in Kenya the past 5 years (and globally on this topic for 10+ years).
I just saw the new Data Protection Bill within the National Assembly (http://parliament.go.ke/sites/default/files/2019-07/The%20Data%20Protection%...) and wanted to raise a discussion internally about Section 38 on Data Portability to see if KICTA Net may want to engage further on the topic. Specifically there are two aspects that were concerning:
1. The allowance for 30 days to honor a data subject's request for information held on them. In a digital economy, this is an excessively long period, and also quite a blunt instrument to apply across the entire economy, where health records are different from government records are different from financial records, etc. This would also kill the utility of portability in spaces like FinTech. Imagine I want to use my economic history with data controllers to get competing mobile loan offers. It could take up to 30 days to share that information, which is not aligned with the near-instant nature of these products and consumers' expectations on timing. Already the Bill rightly notes portability should only apply where "technically feasible" to exempt low-tech industries or providers, so there is no sense in saying that those who are deemed to be able to comply technically with portability should have up to 30 days to do so. If this language is kept in it will be used to delay--and de facto deny--consumer use of their data for increased choice in digital segments of the economy.
Further, since access to information is included in the same section as portability, and they are not explicitly differentiated, you could argue data controllers have not just 30 days to honor a portability request, but to even tell you what data they hold on you the data subject. This is far too long a time to permit for a basic consumer data right. Right now some providers offer financial statements to the data subject much faster than that--in minutes or seconds--but allowing 30 days could encourage setting practices to that standard going forward, reducing consumer access to their own data, not improving it.
2. The allowance of a "reasonable fee" to be charged for a portability request could lead to anti-competitive and excessive pricing. "Reasonable" is highly subjective, and we have seen Competition Authority already had to intervene to stop anti-competitive use of wholesale USSD rates in mobile financial services (https://techweez.com/2017/03/17/cak-wants-safaricom-lower-ussd-charges-mobil...). It is highly likely a "reasonable fee" window would be deployed similarly where beneficial to firms and require ex-post intervention. The original language from the 2018 Bill where this was free of charge seems a much better approach.
Curious to hear others' thoughts or context on this section, and how KICTANet could help to fix this section for the final version of the Bill so we don't create an anti-innovation and anti-consumer portability regime that will be the law of the land.
Thanks for the chance to share and discuss on this platform,
Rafe Mazer
Thank you for starting this discussion Rafe,
I agree 30 days to honor consumer data request could be too long compared to Access to Information Act that gives 21 days. Perhaps we should leave it for the data protection authorities to set guidelines for different industries and probably encourage automated retrieval of personal data by the end users.
I am also of the view that data portability cannot be free of charge in all circumstances. I get the point that the term 'reasonable' may be subject to abuse (perfect demonstration is in the presidential elections petition), but there is also a cost element to collecting data. Why would a company want to transfer it for free to another company? Of course would love to hear others' opinions on this.
On Fri, Jul 5, 2019 at 5:40 PM Rafe Mazer via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Rafe Mazer _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/lizorembo%40gmail.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
-- Best regards. Liz. PGP ID: 0x1F3488BF
I imagine no company wants to transfer for free, but I would argue that we also have to consider the competition and consumer welfare aspects of data rights alongside firms' interests. I would argue the prevention of pricing as a barrier to consumer benefit of their own data outweighs cost aspects for firms. If the “technically feasible” criteria is applied properly then the incremental cost per user should be minimal.
Rafe Mazer
Consumer Protection and Behavioral Research Consultant
Nairobi, Kenya
+254 723950645
@rkmazer
Also like the point on leaving flexibility in the Law not saying 30 days across the entire economy.
Rafe Mazer
Consumer Protection and Behavioral Research Consultant
Nairobi, Kenya
+254 723950645
@rkmazer
KICTANet produced the Memorandum on policy regulatory framework for privacy and data protection submitted to the task force on Privacy and Data protection 2018.
Check on the submission section here: https://www.kictanet.or.ke/?page_id=40115
When you look at the reporting issue as a business entity, is 30 days good enough? When creating laws, we must be able to balance interests of different stakeholders. How many extra resources would a company need to produce reports in a week? Two weeks? A month? Probably 30 days is a reasonable period.
On Fri, Jul 5, 2019, 18:39 Rafe Mazer via kictanet <kictanet@lists.kictanet.or.ke> wrote:
For banking, tech and telcoms it can, and in some cases is already done, in nearly instant fashion. Think about account statements via web or USSD/email combo, and the sharing of account data in commercial partnerships like MNO/Bank tie-ups (which is portability minus the consumer control over it.) The technically feasible exemption could make sure firms that can't comply (like maybe a small SACCO in the case of finance), don't have to.
We have also already seen how the 30 days time period in credit bureaus has made that data not useful to mobile lenders, so I imagine a 30 day lag would be similarly problematic in a portability model.
I am glad Ali mentioned Open Banking models. I have been studying them intensively across the globe for 2 years now. While I would say in Kenya it's more Open Finance than just open banking, it is a useful concept for Kenya. Generally those models are real-time for participants. So imagine if CBK or others wanted to implement such a model here for banks and FinTechs, they would then be in conflict with the 30 days standard in the Data Protection Bill. 30 days seems both too long based on global practices and also perhaps too prescriptive, when that should be worked out in later regulations or guidelines.
On Fri, Jul 5, 2019 at 7:16 PM Mwendwa Kivuva <Kivuva@transworldafrica.com> wrote:
KICTANet produced the Memorandum on policy regulatory framework for privacy and data protection submitted to the task force on Privacy and Data protection 2018.
Check on the submission section here: https://www.kictanet.or.ke/?page_id=40115
When you look at the reporting issue as a business entity, is 30 days good enough? When creating laws, we must be able to balance interests of different stakeholders. How many extra resources would a company need to produce reports in a week? Two weeks? A month? Probably 30 days is a reasonable period.
On Fri, Jul 5, 2019, 18:39 Rafe Mazer via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Also like the point on leaving flexibility in the Law not saying 30 days across the entire economy.
Rafe Mazer Consumer Protection and Behavioral Research Consultant Nairobi, Kenya +254 723950645 @rkmazer
On 5 Jul 2019, at 11:23 AM, Liz Orembo <lizorembo@gmail.com> wrote:
Thank you for starting this discussion Rafe,
I agree 30 days to honor consumer data request could be too long compared to Access to Information Act that gives 21 days. Perhaps we should leave it for the data protection authorities to set guidelines for different industries and probably encourage automated retrieval of personal data by the end users.
I am also of the view that data portability cannot be free of charge in all circumstances. I get the point that the term 'reasonable' may be subject to abuse (perfect demonstration is in the presidential elections petition), but there is also a cost element to collecting data. Why would a company want to transfer it for free to another company? Of course would love to hear others opinion on this.
On Fri, Jul 5, 2019 at 5:40 PM Rafe Mazer via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Hi KICTA Net members. I'm Rafe Mazer, a consumer protection in digital financial services specialist working in Kenya the past 5 years (and globally on this toic for 10+ years.)
I just saw the new Data Protection Bill within the National Assembly ( http://parliament.go.ke/sites/default/files/2019-07/The%20Data%20Protection%...) and wanted to raise a discussion internally about Section 38 on Data Portability to see if KICTA Net may want to engage further on the topic. Specifically there are two aspects that were concerning:
1. The allowance for 30 days to honor a data subject's request for information held on them. In a digital economy, this is an excessively long period, and also quite a blunt instrument to apply across the entire economy, where health records are different from government records are different from financial records, etc. This would also kill the utility of portability in spaces like FinTech. Imagine I want to use my economic history with data controllers to get competing mobile loan offers. It could take up to 30 days to share that information, which is not aligned with the near-instant nature of these products and consumers' expectations on timing. Already the Bill rightly notes portability should only apply where "technically feasible" to exempt low-tech industries or providers, so there is no sense is saying that those who are deemed to be able to comply technically with portability should have up to 30 days to do so. If this language is kept in it will be used to delay--and defacto deny--consumer use of their data for increased choice in digital segments of the economy.
Further, since access to information is included in the same section as portability, and they are not explicitly differentiated, you could argue data controllers have not just 30 days to honor a portability request, but to even tell you what data they hold on you the data subject. This is far too long a time to permit for a basic consumer data right. Right now some providers offer financial statements to the data subject much faster than that--in minutes or seconds--but allowing 30 days could encourage setting practices to that standard going forward, reducing consumer access to their own data not improving it.
2. The allowance of a "reasonable fee" to be charged for a portability request could lead to anti-competitive and excessive pricing. "Reasonable" is highly subjective, and we have seen Competition Authority already had to intervene to stop anti-competitive use of wholesale USSD rates in mobile financial services ( https://techweez.com/2017/03/17/cak-wants-safaricom-lower-ussd-charges-mobil...). It is highly likely a "reasonable fee" window would be deployed similarly where beneficial to firms and require ex-post intervention. The original language from the 2018 Bill where this was free of charge seems a much better approach.
Curious to hear others' thoughts or context on this section, and how KICTANet could help to fix this section for the final version of the Bill so we don't create an anti-innovation and anti-consumer portability regime that will be the law of the land.
Thanks for the chance to share and discuss on this platform,
Rafe Mazer
--
Best regards. Liz.
PGP ID: 0x1F3488BF
Rafe

Yes. Indeed. The work you are doing in Financial Inclusion is a great pointer in how to address some of these issues. This could perhaps be a topic of discussion in the upcoming Kenya IGF end of this month? We could also possibly have the folks from FSD (Financial Sector Deepening) and PAK (Payments Association of Kenya)? Happy to take this conversation offline.

Regards

*Ali Hussein*
*Principal*
*AHK & Associates*
Tel: +254 713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
13th Floor, Delta Towers, Oracle Wing, Chiromo Road, Westlands, Nairobi, Kenya.

Any information of a personal nature expressed in this email are purely mine and do not necessarily reflect the official positions of the organizations that I work with.

On Fri, Jul 5, 2019 at 7:34 PM Rafe Mazer via kictanet <kictanet@lists.kictanet.or.ke> wrote:
For banking, tech and telcoms it can, and in some cases is already done, in nearly instant fashion. Think about account statements via web or USSD/email combo, and the sharing of account data in commercial partnerships like MNO/Bank tie-ups (which is portability minus the consumer control over it.) The technically feasible exemption could make sure firms that can't comply (like maybe a small SACCO in the case of finance), don't have to. We have also already seen how the 30 days time period in credit bureaus has made that data not useful to mobile lenders, so I imagine a 30 day lag would be similarly problematic in a portability model.
I am glad Ali mentioned Open Banking models. I have been studying them intensively across the globe for 2 years now. While I would say in Kenya it's more Open Finance than just open banking, it is a useful concept for Kenya. Generally those models are real-time for participants. So imagine if CBK or others wanted to implement such a model here for banks and FinTechs, they would then be in conflict with the 30 days standard in the Data Protection Bill. 30 days seems both too long based on global practices and also perhaps too prescriptive, when that should be worked out in later regulations or guidelines.
On Fri, Jul 5, 2019 at 7:16 PM Mwendwa Kivuva <Kivuva@transworldafrica.com> wrote:
KICTANet produced the Memorandum on policy regulatory framework for privacy and data protection submitted to the task force on Privacy and Data protection 2018.
Check on the submission section here: https://www.kictanet.or.ke/?page_id=40115
When you look at the reporting issue as a business entity, is 30 days good enough? When creating laws, we must be able to balance interests of different stakeholders. How many extra resources would a company need to produce reports in a week? Two weeks? A month? Probably 30 days is a reasonable period.
On Fri, Jul 5, 2019, 18:39 Rafe Mazer via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Also like the point on leaving flexibility in the Law not saying 30 days across the entire economy.
Rafe Mazer
Consumer Protection and Behavioral Research Consultant
Nairobi, Kenya
+254 723950645
@rkmazer
On 5 Jul 2019, at 11:23 AM, Liz Orembo <lizorembo@gmail.com> wrote:
Thank you for starting this discussion Rafe,
I agree 30 days to honor consumer data request could be too long compared to Access to Information Act that gives 21 days. Perhaps we should leave it for the data protection authorities to set guidelines for different industries and probably encourage automated retrieval of personal data by the end users.
I am also of the view that data portability cannot be free of charge in all circumstances. I get the point that the term 'reasonable' may be subject to abuse (perfect demonstration is in the presidential elections petition), but there is also a cost element to collecting data. Why would a company want to transfer it for free to another company? Of course would love to hear others' opinion on this.
On Fri, Jul 5, 2019 at 5:40 PM Rafe Mazer via kictanet < kictanet@lists.kictanet.or.ke> wrote:
Hi KICTA Net members. I'm Rafe Mazer, a consumer protection in digital financial services specialist working in Kenya the past 5 years (and globally on this topic for 10+ years.)
I just saw the new Data Protection Bill within the National Assembly ( http://parliament.go.ke/sites/default/files/2019-07/The%20Data%20Protection%...) and wanted to raise a discussion internally about Section 38 on Data Portability to see if KICTA Net may want to engage further on the topic. Specifically there are two aspects that were concerning:
1. The allowance for 30 days to honor a data subject's request for information held on them. In a digital economy, this is an excessively long period, and also quite a blunt instrument to apply across the entire economy, where health records are different from government records are different from financial records, etc. This would also kill the utility of portability in spaces like FinTech. Imagine I want to use my economic history with data controllers to get competing mobile loan offers. It could take up to 30 days to share that information, which is not aligned with the near-instant nature of these products and consumers' expectations on timing. Already the Bill rightly notes portability should only apply where "technically feasible" to exempt low-tech industries or providers, so there is no sense in saying that those who are deemed to be able to comply technically with portability should have up to 30 days to do so. If this language is kept in, it will be used to delay--and de facto deny--consumer use of their data for increased choice in digital segments of the economy.
Further, since access to information is included in the same section as portability, and they are not explicitly differentiated, you could argue data controllers have not just 30 days to honor a portability request, but to even tell you what data they hold on you the data subject. This is far too long a time to permit for a basic consumer data right. Right now some providers offer financial statements to the data subject much faster than that--in minutes or seconds--but allowing 30 days could encourage setting practices to that standard going forward, reducing consumer access to their own data not improving it.
2. The allowance of a "reasonable fee" to be charged for a portability request could lead to anti-competitive and excessive pricing. "Reasonable" is highly subjective, and we have seen Competition Authority already had to intervene to stop anti-competitive use of wholesale USSD rates in mobile financial services ( https://techweez.com/2017/03/17/cak-wants-safaricom-lower-ussd-charges-mobil...). It is highly likely a "reasonable fee" window would be deployed similarly where beneficial to firms and require ex-post intervention. The original language from the 2018 Bill where this was free of charge seems a much better approach.
Curious to hear others' thoughts or context on this section, and how KICTANet could help to fix this section for the final version of the Bill so we don't create an anti-innovation and anti-consumer portability regime that will be the law of the land.
Thanks for the chance to share and discuss on this platform,
Rafe Mazer
--
Best regards. Liz.
PGP ID: 0x1F3488BF
We need to further define "Data Portability". There are various use cases. Haven't read the portability component yet however my immediate thoughts:-

1. From a financial services perspective, this brings out the potential for Open Banking. The use of APIs (which in some cases is already in use) to share information.
2. In Healthcare the immense potential to serve patients better through Health Care Information Portability from one service provider to another provider.
3. Other use cases could be Government to Citizen Services and vice versa.

Underlying all this should be the consent of the user. And in cases where security services need to use such information clearly laid down procedures to be followed.

Regards

*Ali Hussein*
*Principal*
*AHK & Associates*
Tel: +254 713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
13th Floor, Delta Towers, Oracle Wing, Chiromo Road, Westlands, Nairobi, Kenya.

Any information of a personal nature expressed in this email are purely mine and do not necessarily reflect the official positions of the organizations that I work with.

On Fri, Jul 5, 2019 at 6:24 PM Liz Orembo via kictanet <kictanet@lists.kictanet.or.ke> wrote:
Thank you for starting this discussion Rafe,
I agree 30 days to honor consumer data request could be too long compared to Access to Information Act that gives 21 days. Perhaps we should leave it for the data protection authorities to set guidelines for different industries and probably encourage automated retrieval of personal data by the end users.
I am also of the view that data portability cannot be free of charge in all circumstances. I get the point that the term 'reasonable' may be subject to abuse (perfect demonstration is in the presidential elections petition), but there is also a cost element to collecting data. Why would a company want to transfer it for free to another company? Of course would love to hear others' opinion on this.
--
Best regards. Liz.
PGP ID: 0x1F3488BF
participants (4)
- Ali Hussein
- Liz Orembo
- Mwendwa Kivuva
- Rafe Mazer