Born in Kenya and raised in Australia, Office of the Data Protection Commissioner of Kenya Deputy Data Commissioner for Compliance Rose Mosero Maina, CIPP/E, CIPM, FIP, broke into privacy as an associate litigator with several Australian law firms just as the EU General Data Protection Regulation was entering into force.
As jurisdictions worldwide sought to conform with the new EU data protection laws, Mosero Maina was drawn back to her native Kenya, originally as a consultant with SevenSeas Technologies Group to advise its nascent data protection authority. While consulting, she found her calling and agreed to join the Office of the Data Protection Commissioner as a regulator.
In this Member Spotlight, Mosero Maina spoke with IAPP Staff Writer Alex LaCasse about transitioning from privacy litigator to regulator, helping establish Kenya's new data protection authority and advising entities on how to comply with the relatively new Data Protection Act. She also touched on Kenya's contributions to the Network of African Data Protection Authorities, and how DPAs across the continent are collaborating and growing their privacy regulatory regimes through the sharing of best practices.
Editor's note: This conversation has been edited for length and clarity.
The Privacy Advisor: How did you get your start in privacy? And what interests you most about this field?
Mosero Maina: I started as a litigation lawyer in Australia toward the start of the GDPR entering into force and worked on privacy matters. I decided to take IAPP courses to boost my knowledge because I was entering into privacy litigation. Once I was established, I began getting into consultancy work in Kenya when they proposed their Data Protection Act and worked on some regulatory developments for private sector clients, as well as on the government side. I advised on drafting the Data Protection Act in Kenya, and my work has focused on privacy since then.
The Privacy Advisor: Can you provide a 30,000-foot view of where you see Kenya's privacy and data protection landscape today?
Mosero Maina: It's still nascent and extremely novel. The Data Protection Act just came into effect in November 2019, and before then, we didn't have a data protection regime. While there were data protection provisions in different laws, specifically in telecommunications, banking and finance because those areas naturally have privacy aspects, there was no specific data protection law to speak of. In terms of the ecosystem, there were a lot of issues when it came to privacy because Kenyan citizens (willfully) providing their information wasn't seen as an invasion of privacy. Instead, it was a common practice.
Before the Data Protection Act came into place, we saw about six iterations of data protection bills since 2012, so there was a need for legislation. Parliament and the executive branch saw the need for privacy legislation, but neither passed a law because they weren't comprehensive enough. By 2018, just having the prior frameworks resulted in people taking an interest in data protection, and, at the same time, a digital identity framework was coming into place that would see the government collect different sets of personal information, including biometric data. This led to people actively pushing policymakers to pass the Data Protection Act.
The Privacy Advisor: As a native Kenyan, what was it like to come home, after your work as a privacy litigator in Australia, to help lead Kenya's effort to build its data protection legal regime?
Mosero Maina: My original plan was not to be here as long as I have been. It started as a sabbatical for a few months to assist with the regulatory development, but I saw a need in the data protection space, specifically because of the GDPR coming into effect. The GDPR framework gave Kenya and a lot of African countries the push to pass data protection acts. I started as an advisor doing a lot of data protection work and then assisted in operationalizing the Office of the Data Protection Commissioner. I was one of two staff members with technical expertise, and my role was to draft guidance notes.
It was a huge undertaking, but also extremely satisfying and enriching because I know our work is reaching a lot of people. In Kenya, we do have a right to privacy enshrined in our constitution, and having people recognize data protection as a subset of the right to privacy, which is something that people might not understand, shows there is still so much work to be done. We are a very tech-savvy nation even though there is a digital divide between urban and rural areas; still, 60-70% of mobile money transactions globally happen in Kenya.
The Privacy Advisor: Speaking of Kenyans' use of mobile payment platforms, can you give an overview of where the country stands in rolling out its digital identification program and its effort to digitize some 5,000 government services?
Mosero Maina: There is something known as the bottom-up economic transformation agenda, part of the National Strategy for Kenya, which prioritizes digital services, digital government and something known as a digital superhighway. Two of those components are a digital government, where all the services you need are on the platform eCitizen, and a digital ID system. In terms of digital services, as a regulator we have to understand what that means for the different ministries, departments or agencies in terms of data protection, and give advice on that basis.
On the flip side, there's also the digital ID system. There's a need for data protection impact assessments to be conducted, and we look at those from a regulator's perspective. We also advise on the safety aspects that need to be incorporated into the digital ID system. We're involved through that process as a regulator, to understand what the government is doing from a data protection perspective, so it doesn't come to a space where the citizenry thinks the government is not protecting their information.
The Privacy Advisor: Could you walk me through what your day-to-day looks like at the Kenya Data Protection Authority?
Mosero Maina: I head the Compliance Directorate, so I deal with all matters that are not complaints. This can entail processing (data protection impact assessments) and breaches. We have a requirement where data controllers and processors have to register, and, unfortunately, we only have 14 days within the language of the law to verify the documentation. I'm tasked with proving these are accurate, so I have to set aside an hour every two days to catch up on applications. I also assist in areas like capacity building in different government and private sector entities. On any given day I'll do virtual trainings for two hours in the morning with different institutions. I also issue advisories for different data protection items that benefit organizations and the public. We also do audits. At the moment we're auditing a number of organizations, and these are mostly paper-based. We're moving toward doing more technology-based audits, as well as in-person audits beginning in the next financial year.
The Privacy Advisor: You mentioned a digital divide within Kenya. Acknowledging that businesses throughout the economy are in varying states of compliance with the Data Protection Act, are there common issues organizations are coming to you with to facilitate better compliance?
Mosero Maina: The thing I find a lot of people come to us for is specifically not knowing how to follow the law. That's what we release the advisories for. For example, in Kenya, we have a nonexclusive data localization provision, which requires certain sectors, specifically government and private sector entities deemed critical infrastructure, to localize their information here. There is always a misunderstanding about what that actually means.
The Privacy Advisor: Kenya is a member of the Network of African Data Protection Authorities. What has your experience collaborating with other data protection authorities around the continent been like, and what are some of the best practices you've learned from other regulators?
Mosero Maina: In Africa, we are all learning together, and some countries are further along. North African countries have made great strides in data protection. Morocco has had data protection laws for a while. Mauritius has data protection laws and Ghana does as well. The importance of the Network of African Data Protection Authorities is the knowledge-sharing among regulators. There are currently about 36 African states with data protection laws, so a lot of new knowledge-sharing capacity is being built within those individual data protection authorities.
For some of us, when we set up our DPAs, there could sometimes be a reliance on a more advanced jurisdiction, usually the EU, as some of its member states have long-established data protection authorities. It's very difficult sometimes to appreciate or reconcile what's being done in the EU vis-a-vis the cultures of some African states. The positive note is that the Network of African Data Protection Authorities actually provides the space where we can talk about our individual cultures, discuss some of the things we're struggling with and see how our colleagues in other countries are dealing with similar issues.