By Margaret Ndonji
In 2017, the Supreme Court of Kenya, in the case Raila Amolo Odinga & another -vs- Independent Electoral and Boundaries Commission & 2 others eKLR, ordered the Independent Electoral and Boundaries Commission (IEBC) to make available to the court the digital votes data contained in the election servers, for investigation into the authenticity of the election results. The servers were hosted in France by OT-Morpho, a technology firm contracted by the IEBC. The order came after the Petitioners, the NASA coalition, instituted an election petition at the Supreme Court and pleaded with the court for access to the servers where election data was stored, in order to determine the transparency of the election results.
However, the IEBC declined to provide the data contained in its servers, or access to it, contravening the said court orders. As a result, the Supreme Court nullified the 8th August, 2017 presidential election results, as it could not verify the transparency and accountability of the elections conducted by the IEBC. In subsequent court proceedings, the IEBC was pressured to facilitate the opening of the servers and allow the petitioners access to data on the election exercise. However, it is yet to comply with the Supreme Court’s orders to date.
The Proposed Data Protection Regulations.
The Ministry of ICT, Innovation and Youth Affairs has formulated three (3) sets of Regulations to actualize the Data Protection Act, 2019. They include:
i. Data Protection (General) Regulations, 2021.
ii. Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
iii. Data Protection (Compliance and Enforcement) Regulations, 2021.
This article will specifically cover the Data Protection (General) Regulations, 2021, because they set out the procedures for enforcement of the rights of data subjects and elaborate on the duties and obligations of data controllers and data processors.
The future implications of the provisions of the proposed Data Protection Regulations, 2021 on elections stakeholders.
The proposed Data Protection (General) Regulations, 2021, which are currently undergoing public participation, seek to remedy two current challenges: the inaccessibility of digital votes collected by IEBC servers located in France, and the level of power over access to and control of the servers exercised by the technology firms contracted by IEBC.
a) Accessibility of the electoral servers and data centre.
The proposed regulations require that any company (a data controller or data processor) handling election data must host the servers and data centers in Kenya, and that at least one serving copy of the concerned personal data is stored in a data center located in Kenya, as stipulated under Section 25 (1) (a) and (b), respectively, of the proposed Data Protection (General) Regulations, 2021. These requirements apply for the purpose of the conduct of elections in the country, as clearly indicated under Section 2 (d) of the proposed regulations.
Under the Data Protection Act, 2019, IEBC is both a data controller because it has the custody of the voter register, and a data processor because it uses the voter register when conducting elections. In addition, the law indicates that a voter register is a form of personal data.
If the Bill passes into law in the near future, the IEBC shall be required to set up its election data and transmission servers and data centers in the country, in preparation for the management of the upcoming 2022 elections, and to store the voter registers in its data centers within the country. This will increase the government’s power over the access and control of the IEBC election servers and data and limit the data controller/processor’s power over the same. Furthermore, the Supreme Court, and other courts in general, shall be able to easily access election data contained in the servers upon issuance of orders, without hindrances by the IEBC or its contracted parties, as was the case in the 2017 Election Petition.
b) Limitation of powers exercised over the servers by technology firms contracted by IEBC
Section 24 of the proposed Data Protection (General) Regulations, 2021 restricts the data processor from engaging the services of a third party without the prior authorization of the data controller. In addition, the terms of the agreement are to provide for similar parameters of protection of personal data, as specified in the agreement between the data controller and data processor. Furthermore, the data processor shall remain liable to the data controller for the compliance of any third party that they engage.
Further, Section 23(2)(e) of the proposed Data Protection (General) Regulations, 2021 instructs that the written agreement between a data controller and a data processor must contain a provision stipulating that all personal data must be deleted or returned on termination or lapse of the agreement, as decided by the data controller.
This provision shall increase the government’s influence (through the IEBC, which is the data controller in this case) over the management and handling of electronic data, while reducing the powers of third parties contracted by IEBC.
The enactment of the proposed Data Protection (General) Regulations, 2021 shall increase transparency and accountability in the conduct of elections in Kenya. This is because the IEBC election servers and data centers shall be hosted within the country. Hence, if any grievances arise as to the authenticity of any elections, the courts shall have easy access to the digital election data contained in the locally accessible servers and data centers, for purposes of investigation, without hindrances from the IEBC or any of its future contracted parties.