Elections 2022: The ODPC should tame political parties on data privacy breach

  • 19 Nov 2021
  • 2 Mins Read
  • 〜 by Amrit Labhuram

On June 18th 2021, the Registrar of Political Parties Anne Nderitu shared a link through which members of the public could verify their political party membership status. Many Kenyans took to e-Citizen to confirm this and what followed was an uproar by people who claimed that they were registered by parties that they were not affiliated to. 

Some Kenyans wrote to the Office of the Data Protection Commissioner (ODPC) who released a statement on Twitter stating that they had received over 200 complaints from individuals. It also stated that it met with the Office of the Registrar of Political Parties (ORPP’) and resolved that the complainants should be deregistered by the political parties.

By meeting with the ORPP and resolving the issue by deregistering the complainants, the ODPC simply played ‘Bird Box’ with the main issue at hand.

The issue was the unconsented registration of people by political parties. Section 30 of the Data Protection Act states that personal data shall only be processed if at least one of eight legal grounds listed in that Section apply. The applicable legal ground in the case of political party membership registration is consent. Consent as defined in Section 2 of the Act, details the minimum criteria; that it must be:

  • Any manifestation of express, unequivocal, free, specific;
  • Informed indication of the data subject’s wishes; and
  • By a statement or by a clear affirmative action, signifying agreement.

Political parties disregarded this and some of the complainants were expecting action from the ODPC on the political parties. Even if it wanted to be non-confrontational, it should have met up with the political parties and maybe have capacity building sessions to bring them up to speed with the provisions of the Data Protection Act. But that was not done and it ignites the fear that when political actors engage in actions that may breach the Data Protection Act, the ODPC will take no action. 

On November 10, 2021, ORPP launched access to political party membership services on e-Citizen. This will make it easier for people to register in a political party of their choice, to check their membership status and to resign from political parties. The ODPC on the other end has published a Guidance Notes for Electoral Purposes. These moves are steps towards the right direction. However, based on trends from the 2017 electoral period where political aspirants sent unsolicited targeted campaign messages to voters, the ODPC has its work cut out for them. Politicians have proved time and again that they will breach data protection law. The unsolicited registration of voters into political parties is a taste of what is ahead. As we head to party nominations and voter mobilisation, ODPC should be fully alert. They should not sit and watch while privacy rights are trampled upon. It will set a bad precedent and hinder the country’s journey to data protection compliance. It should not be afraid to bite.