Data Privacy And Protection

Data Privacy And Protection

Did you know that cookies recognize your electronic gadget as it travels between web pages? You also need them for critical tasks like logging into a website, buying something from a store among others.

In a famous case, Vidal-Hall v Google Inc [2015] EWCA Civ 311, three individuals objected to the collection of information from their browsers by Google without their consent. The three used Apple’s “Safari” browser to access the internet between Summer 2011 and 17^th February 2012. They claimed that Google collected their private information (namely their browser-usage) without their knowledge or consent by means of ‘cookies’ and used this information to offer commercial services to advertisers.

The three successfully argued before the English Court of Appeal that even if Google did not know who was using the device at any particular point in time, third party users of the device were likely to access this information by deducing information about their browsing habits from the targeted ads which appeared.

The opposing argument from many web browser service providers in the past was that cookies are linked to a specific device rather than to a specific user, and since a device can have multiple users, the information collected from cookies cannot be linked to a specific individual and so may not be personal data.

Following the three individuals win against Google Inc., the enactment of the European Union General Data Protection Regulation (GDPR) and the embrace of data privacy laws across the globe, many website operators and third party entities have developed policies to regulate the use of cookies. It is now a notable trend that many websites have cookies policies and visitors must accept or reject the use of cookies in the process of accessing web pages. It is important for users to understand cookies and how they are used to determine whether to issue consent.

Cookies Defined^[1]

A cookie is a small text file that is placed onto a user’s device when they visit a website, either by the website operator or by a third party with whom the website operator has a relationship. A cookie stores information that is not personally identifiable about the user’s visit. This includes content viewed, language prefered, time and duration of each visit and advertisements accessed. When the website is revisited by the device, the website can retrieve the information stored on the cookie and react accordingly (e.g., by displaying preferred language). However, cookies are limited in that they can only be read by the application which set them and therefore, website operators cannot track users across different mobile applications.

Information collected by cookies may be used for example, to develop websites by identifying popular and unpopular web pages, to track and create profiles of users’ online movements, and to serve online advertising. Because cookies identify a unique computer via its browser, the user’s data can be used to track the online movements of their computer and to form a profile of browsing habits linked to that specific computer and, in most cases, the individual using the computer. As a result, cookies may collect personal data and this brings them under the purview of data privacy laws.

There are first party and third-party cookies. First party cookies are placed by the operator of the website visited and enable the operator to advertise its own products or tailor its website based on the information gathered by its own cookies. The website operator is thus deemed the data controller. On the other hand, third party cookies are sent by a third-party entity separate from the website operator. The third-party entity makes the decision on processing of the personal data and is therefore deemed the data controller. The third-party entity must comply with data privacy laws.

Cookies and Kenyan law

Kenya now has specific laws on data privacy and protection. The Data Protection Act No. 24 of 2019 is the substantive law and is supplemented by the Data Protection (General) Regulations, 2021, the Data Protection (Compliance and Enforcement) Regulations, 2021 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. The Office of the Data Protection Commissioner is established as the regulatory body responsible for oversight on data privacy and protection matters in Kenya and the implementation of these laws among other functions.

Due to the novelty of these pieces of legislation and the regulator, case law and interpretation by Kenyan courts is yet to take place and the regulator is still making strides to establish itself properly. Cookies are a widely known and accepted concept in the Kenyan information technology landscape but the engagement with the legal system on this concept remains unchartered.

However, it is noteworthy that the creation of a robust data privacy and protection legal and regulatory framework is a step forward, as Kenya is a key player and leader in the technological revolution in East Africa and the African continent at large. This sets a great stage for Kenya to develop its own jurisprudence on cookies among other aspects of data privacy and protection.

For for information on this subject, please do not hesitate to contact the lawyers whose details are set out below: