data and privacy

The state of group rights and data privacy laws in Kenya


The concept of group privacy and group rights in data protection has been an interesting topic of discussion among scholars for some time now. Several scholars have argued the importance of analysing groups and the possibility of such groups having rights distinct from those of the individuals forming the groups.1 A perusal of the Kenyan Data Protection Act, 2019, reveals that there is no recognition of groups as autonomous entities capable of owning rights capable of being protected by the Act. Instead, the Act establishes the legal basis for protecting data subjects’ rights through strict adherence to provisions for data collection, processing, storage, and dissemination. This definition defines both data subjects and personal data excluding groups and group rights. This article reviews the Kenyan legal framework on data protection, assessing if it adequately addresses group rights and their rights in light of advancements in information technology, and recommends changes if necessary.


Group and group rights

 “Data privacy is not like a consumer good, where you click “I accept” and all is well. Data privacy is more like air quality or safe drinking water, a public good that cannot be effectively regulated by trusting in the wisdom of millions of individual choices. A more collective response is needed.”2

 Group privacy, in this age of targeted advertising and algorithmic decision- making, remains an unexplored discourse, as individual data privacy discourse continues to dominate, as most data violations target individuals in their capacity.3 The digital age and growing data processing of big and open data necessitate expanding the privacy scope to include group rights. Group rights arise from human shared existence, which can be exploited for data analytics, leading to vulnerabilities in various life spheres. Despite the challenges of dynamics and formations of the said groups, the growing threats to privacy necessitate a way to protect these rights by examining their group aspects.

Group privacy is integral to preserving the autonomy, identity, and rights of collective entities. Moreover, group privacy fosters diversity, enabling individuals to freely associate and express themselves within their respective communities without fear of surveillance or manipulation. In the context of big data, where algorithms can infer sensitive information about groups based on aggregated data, safeguarding group privacy becomes imperative for upholding democratic principles and societal cohesion.

So, can the current data protection laws extend their reach beyond individuals to encompass collective entities and groups?

 The General Data Protection Regulation (GDPR) focuses on safeguarding individuals’ rights. The GDPR takes an atomistic analogy of data protection where the assumption is that if the individual right is taken care of the group will automatically be fine too which is not always the case.4 Similarly, the Kenyan Data Protection Act, 2019, lacks provisions for group rights due to challenges such as unclear definitions, fluid group settings, and the challenge of balancing individual interests against collective interests. What this flawed assumption of protection of a data subject’s rights through strict adherence to the established legal guidelines fails to recognise is that it is possible to collect data belonging to a third party from information garnered from a consenting data subject. Whereas it is possible to point out a breach of your right to privacy in small scale occurrence, say where your photo is published by an advertising website without your consent, it becomes quite impossible to show what harm you have suffered where your web/browser activity is monitored and the data collected therefrom by non-identifiable individuals is sold to say producers of consumable goods and the same is used to profile you for the advertisements you receive. To take this even a step further, the tracking of your browser history or your communication patterns and those of individuals within your locality can be used as a means of surveillance which can then lead to profiling of the individuals subject to this surveillance.

data and privacy

This ability to analyse individuals’ behaviours through an automated system can lead to an increase in the risk of discrimination of the individuals who are the subject of such analysis or spillover to individuals, though not part of the analysis program, who share similar identifiable data attributes with the subjects above referred. This is likely to occur say in a school set-up that utilises automated systems to analyse the performance of individual students. This can lead to grouping and implicit discrimination of a set of students who are categorised as non- performers academically. There is a need to shift our current legal framework from solely the protection of a data subject to the inclusion of the recognition and protection of a group’s right to privacy.


 We are constantly leaving behind a trail of data which can be recorded, monitored, processed and used for social, political or commercial purposes and thus the idea of group rights should be open to debate as most ICTs treat most people as groups and not individuals. Addressing the challenges posed to group privacy will require a multifaceted approach encompassing legal, technological and societal interventions. There is a need to expand the current legal framework to comprehensive data privacy legislation that explicitly recognises and safeguards group privacy rights.