BY Nimo Kering
The EU General Data Protection Regulation (GDPR) takes effect this month on the 25th. It mainly provides for the protection of personal data of EU citizens (also called data subjects) residing in the European Union. Companies which are not established in the EU but process personal data of data subjects who are in the EU are subject to the GDPR. A Kenyan entity either offering goods and services or monitoring the behaviour of an EU citizen residing within the EU would be subject to the GDPR. A key issue addressed by the GDPR is pseudonymisation – defined in the GDPR as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. It reduces the risk of data subjects being identified by inculcating various techniques such as using different forms of codes and randomly generating values (pseudonyms) in place of the identifiable data. Pseudonymisation is not a permanent operation and can be reversed (re-identification).
Entities that handle private data of natural persons can consider using pseudonymisation systems as the risks involved in processing such data are reduced. This, of course, should be considered by data processing entities regardless of whether the GDPR is applicable to them or not. A feature that innovators may pursue is pseudonymisation of personal data on blockchain. The guarantee of security of personal data (due to the immutable and transparent nature of blockchain) makes a great business model for data processing entities. Consequently, blockchain developers should be incentivised to create data protection systems attractive to such entities.
It’s arguable, given the key fundamentals of how blockchain operates, that it may be a challenge to efficiently deliver pseudonymisation of personal data on blockchain. One, blockchains are decentralised. Centralised systems ensure that the public is aware of who is processing the personal data (often a third party). On the contrary, with decentralised systems, that information is not readily available. Another challenge that defeats some of the principles espoused in the GDPR is that of non-erasure. Natural persons in essence (as provided in the GDPR) have the right to have their data forgotten or rectified. Blockchain technology anchors itself on the fact that it is impossible to delete or rectify information. Seemingly, some aspects of blockchain are likely incompatible with the GDPR.
As earlier mentioned, data inscribed on blockchain may be difficult to erase or edit. Much as this can be considered an attractive feature, personal data that cannot be erased or rectified may defeat the protection of a data subject’s right. Whereas pseudonymisation is not an anonymity feature, implementing such a system on blockchain (which makes personal data accessible to everyone and non-editable) may be onerous. Moreover, reverse pseudonymisation (re-identification) may not be a concept that can be easily developed on blockchain. The non-editable concept of blockchain makes this a difficult venture. Given that the current mode of data handling in the country requires provision of personal data to third parties, private data is at high risk of portability and leakage without the knowledge of data subjects. With blockchain as a transparent feature, and one which can have pseudonymisation developed on it, natural persons are in better control of their information. Nonetheless, pseudonyms may still be generated without blockchain.
Presently, there is no overarching law exclusively dedicated to data protection in Kenya. The Data Protection Bill, 2013, is yet to become law. Nevertheless, there are laws and regulations that augment the lack of exclusive data protection laws. Article 31 (c) and (d) of the Constitution, 2010 provides that every person has the right to privacy which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed, or the privacy of their communications infringed upon. The Kenya Information and Communications (Consumer Protection) Regulations Act of 2010 provides for the right to personal privacy and protection against unauthorised use of personal information. The Central Bank of Kenya Prudential Guidelines also requires protection of customer information and transactions. If, perhaps, it is the intention of legislators to model our data protection laws efficiently, pseudonymisation should be a key highlight in the Data Protection Bill, 2013. (
Whether we must contour our data protection laws as per the GDPR is a question for regulators, (informed) policy makers, legislators and the public through public participation. What is of importance, however, is that whatever laws are legislated, they should not stifle innovation. Needless to say, efficient data protection laws can steer innovation and economic growth. (