A Data Privacy Analysis of the Kenyan Finance Bill 2024

Introduction

“Data is the new gold and you are the mine”, Dmytriiev Petro. This quote from Petro’s analysis of the vast landscape of the digital realm has never hit home, to the Kenyan public, as it does now.

On May 9, 2024, the Finance Bill 2024 was released, and Kenyans had their first peek at the raft of proposals submitted by the Cabinet Secretary for the National Treasury and Economic Planning.¹ This would go on to raise many concerns, mainly the inclusion of a 2.5% motor vehicle tax², reclassification of bread’s VAT status to being vatable at 16% from zero rated³ and, core to this analysis, KRA’s increased latitude over personal data for tax purposes.

In approaching this proposed amendment, this analysis adopts a data governance approach over a tax law perspective in assessing the provision’s cogency in line with the Constitution of Kenya. This means that the analysis will appraise the cogency of the proposed inclusion based on the data processing principles, mainly data privacy. Importantly, this analysis argues against the inclusion of this proposal as it undeniably violates the right to privacy as envisaged in Article 31 of the Constitution of Kenya.⁴

To realise this objective, the analysis will subsequently introduce the proposed amendment to the Data Protection Act (DPA) of 2019 and its possible effects. Thereafter, the analysis will canvass the amendment’s reconciliation with the Constitution of Kenya and the present approach to data used in Tax. The analysis then concludes with a summary.

The proposed changes and their effect

Clause 63 of the Finance Bill 2024 proposes to amend Section 51 (2) of the Data Protection Act by inserting the following paragraph after Subsection (b)⁵:

(ba) disclosure is necessary for the assessment, enforcement or collection of any tax or duty under written law.

To better understand the impact of this proposed amendment, it is prudent first to note that the Bill’s Memorandum of Objects and Reasons provides that this amendment encompasses personal data that relates to the assessment, enforcement or collection of any tax or duty from the provisions of the Data Protection Act.⁶ Given that this is an additional exemption, it is then necessary to canvass Section 51 (2) of the Kenyan DPA, which entails the general exemptions to the compliance of data protection principles.

Presently, Section 51 (2) of the DPA dispels the application of data protection principles in 3 main instances.⁷ These are where 1.) data is processed by an individual during personal or household activities, 2.) it is necessary for national security or public interest and 3.) disclosure is required by law or a court order. These tripartite exemptions thus override the principles of data protection as set out in Section 25, which include confidentiality, legitimate purpose limitation, transparency, storage limitation and cross-border data transfers.⁸

Section 2 of the DPA defines personal data as any information pertaining to an identified or identifiable natural person.⁹ There are 2 main takeaways from this definition. First is the undefined latitude sought by KRA when it comes to processing a person’s data. Second, the main target of the amendment is the Kenyan citizens themselves, as opposed to organisations such as companies or partnerships. Summatively, any information pertaining to any person can be processed by KRA to assess and enforce one’s tax obligations. This specific issue is further delved into in the succeeding part.

Should the Finance Bill sail through Kenya’s Parliament and receive presidential assent as is, the Kenyan public will be exposed to diminished protection over their personal data where such may be deemed necessary for the enforcement of a person’s tax obligations.¹⁰ This part summarises the present exemptions and the proposed addition to the already existing exemptions in the Data Protection Act.

Reconciliation with Kenya’s Supreme Law

As captured above, the proposed amendment entailed in Clause 63 of the Finance Bill 2024 falls squarely within the realm of privacy and, more specifically, personal data privacy. Any exemption to this principle, as canvassed in Section 25 of the DPA and Article 31 of the Constitution of Kenya (2010)¹¹, amounts to a limitation of this fundamental human right. This position is also shared by human rights advocacy groups such as Amnesty International (Kenya) and Article 19 in their memorandum expressing their reservations to the proposed amendment to the Kenyan DPA.¹²

The guiding beacon in terms of limitation of fundamental human rights, such as the right to privacy, is Article 24 of the Constitution of Kenya. The undefined latitude that KRA seeks contravenes Sub-article (2)(b), more so on the basis that limitations ought to be clear and specific on the very nature and extent of the limitation. Tax assessment, enforcement or collection necessitates KRA to handle voluminous amounts of data, let alone personal data, as canvassed in the succeeding part. All in all, this proposed amendment waives KRA’s accountability obligations as a data controller, and this contravenes the right to privacy given the undefined scope of applicability sought.¹³

Tax enforcement, presently

Tax assessment and tax enforcement, are key drivers of tax law compliance. Before any tax obligations are calculated, it is imperative to canvass the different groups of data at play as succinctly grouped into 3 main categories by KPMG.

These structured data encompass data from enterprise resource planning (ERP) systems, procurement systems and master consumer data. The second category is semi-structured data, which entails e-mails and Excel workbooks that capture an organisation’s audit documents, such as working papers. The last category is unstructured data. As the name implies, this information is not captured in traditional row-column databases and includes commercial invoices, scanned reports agreements, internet logs and messages.¹⁴ Recalling the DPA’s definition of personal data earlier, KRA would have unilateral access to the above categories of data in so far as they pertain to an individual and are necessary for tax assessment, enforcement or collection.

Kenya’s Judiciary has played an important part thus far in the various checks and balances of the Kenyan Executive fiat. The courts have been known to halt the implementation of various laws, such as the Finance Act of 2023. Closely related to the present argument, the courts have been the taxman’s first point of call to access a taxpayer’s personal data.

KRA can only access personal data upon the grant of a court order. This flows from Section 51 (2) (c) of the DPA¹⁵ and Section 60 of the Tax Procedures Act.¹⁶ This provision has presented the courts with an opportunity to canvass the veracity of the claims presented by KRA and balance the interests at play before pronouncing itself on the limits to the right to privacy in a particular instance. With the present (proposed) amendment, KRA will have an undefined latitude over a person’s personal data, dispensing with the need to balance the limitation of rights as envisaged in Article 24 of the Constitution of Kenya.

Conclusion

As Kenyans reflect on the advent of new tax measures, it is prudent to take keen note of an amendment that inarguably drives the implementation of the Finance Bill 2024. KRA’s unilateral and broad access to one’s personal data exposes the Kenyan public to diminished enjoyment of their right to privacy. This equally dispels the need for judicial input to ensure continued checks and balances as KRA executes its tax assessment, enforcement, and collection mandates. As this analysis concludes at this part, it sets the stage for continued discussions both within Kenyan and across the Global South on the new gold. These further discussions are on balancing the benefits of data-driven tax enforcement with the need to protect individual rights and promote democratic ideals as espoused by Kenya’s transformative Constitution.