0

LEGAL UPDATE ON THE CENTRAL BANK OF KENYA (AMENDMENT) BILL 2020

Introduction

On 30th November 2020, the Central Bank of Kenya (Amendment) Bill, 2020 (‘the Bill’) was published in the Kenya Gazette and seeks to have the Central Bank of Kenya (‘CBK’) regulate providers of digital money lending services.

Contents of the Bill

The Bill describes digital money lenders as any entity that offers credit facilities in the form of mobile money lending applications. Should the Bill pass into law, such persons will be required to apply for and obtain an annual license from CBK. The Bill also grants CBK the power to impose on the license any conditions it considers fit. A list of all licensed digital lenders shall then be published in the Kenya Gazette.

Some notable features of the Bill include the requirement for a digital money lending institution to be managed by at least two Directors, one of whom must be a Kenyan citizen. Digital lenders are also required to expressly announce their interest rates in any advertisements they publish.

Implications of the Bill

The Bill aims to address the concerns of low income earning borrowers who apply for quick digital loans and end up paying exorbitant interest rates or being bound by unfair and unfavourable loan terms due to the lack of regulation of the digital money lending industry.

The Bill would also aid in curbing money laundering and terrorism financing as lenders would be required to disclose to the CBK the source of their funds.

The CBK may also impose restrictions on the misuse of borrowers’ information to pester relatives and friends of defaulters which has become common practice for some digital lenders.

Conclusion

The Bill sponsored by Hon. Gideon Keter is one among several previous efforts to regulate the business of the ever growing Kenyan digital credit market. It is now in the hands of our legislators to ensure consumer protection in digital lending.

For more details and professional advice on the information in this legal update, please do not hesitate to contact

Benson Ngugi (benson.ngugi@attorneysafrica.com) ,

Ken Rutere (ken.rutere@attorneysafrica.com)

Martin Moturi (martin.moturi@attorneysafrica.com)

0

The Obligation to Explain vs. the Obligation to Protect: Disclosure Post-Schrems II

Introduction: The Obligation to Report and Explain

The obligation not only to ensure the privacy of stored data but also to disclose and explain the steps taken to safeguard that data is becoming increasingly costly to companies.

Government regulators, customers, shareholders and individuals routinely now demand explanations of both security protocols and also responses to data incidents and the steps taken to remediate the damage from such incidents.

To the extent that these disclosures can be made without compromising a company’s network, they are effectively involuntary at this point. This is true from the regulatory, legal and public relations standpoints.

The protection of data measures and the disclosure and reporting requirements related to the protection of that data is now a primary cost for any organization aggregating data.

More importantly, reporting needs are also bumping up against data privacy protection requirements, posing yet another legal challenge for companies aiming to do the right thing.

SCCs and the Privacy Shield Framework: Prior Efforts at Easing the Compliance Process

In 2016, the concern for the protection of personal data resulted in the U.S.-E.U. Privacy Shield framework.

This framework was enacted by the United States, the European Union and Switzerland in order to establish guidelines for companies’ compliance with data protection requirements when transferring personal information between them.

The Privacy Shield framework is administered by the International Trade Association (“ITA”) within the U.S. Department of Commerce.

Previously, U.S.-based organizations were able to apply to obtain Privacy Shield certification from the ITA. Privacy Shield certification, for approved U.S. organizations, meant compliance with E.U. data privacy laws.

This process was approved in 2016 by the European Commission.

In addition to the Privacy Shield, an alternative system of privacy compliance has also been utilized by companies conducting business between the U.S., the E.U. and Switzerland.

The Standard Contractual Clauses (“SCCs”) system allowed companies trading personal data cross-border to utilize contractual clauses approved by the European Union to ensure data compliance.

A number of large data companies, including Facebook, took advantage of the SCC system to conduct cross-border business.

However, in July, 2020, both of these compliance systems changed when an Austrian data privacy activist named Max Schrems filed a suit in Europe to contest Facebook’s use of SCCs.

The Schrems II Decision: Goodbye, Yellow Brick Road …

Max Schrems filed a suit in Ireland seeking a ruling that Facebook’s cross-border transfers of E.U. personal data utilizing the SCCs was invalid, on the basis that the SCCs did not offer sufficient privacy protection for E.U. nationals.

Ultimately, the Court of Justice of the European Union (“CJEU”) agreed that this was the case —sort of.

In a surprise ruling, the CJEU ruled that the U.S.-E.U.-Switzerland Privacy Shield framework was invalid for that very reason. The CJEU ruled that U.S. law failed to grant E.U. individuals a cause of action for a breach of data privacy rights equivalent to that guaranteed under E.U. law.

As to the SCCs, the Court held that organizations can continue to utilize these contractual provisions — but only where case-specific risks have been properly assessed. The SCCs, the Court said, “… cannot amount to a tick box exercise.”

Conclusion: Where to Go With This?

The takeaway here is that, while, domestically, U.S. businesses and other organizations face a rising demand for disclosure regarding damage-mitigation efforts around data events, any disclosure made will face tough scrutiny in the E.U. if personal data arising from the E.U. is overly revealed in the process.

Likewise, the risk of governmental sanction exists if disclosures reveal that personal data with an E.U. origin has been compromised.

Neither the Privacy Shield framework (which the ITA continues to operate) nor the SCCs will safeguard a company from litigation or sanction if the level of governmental access to personal data is overly generous.

Going forward, companies will need to assess on a case-by-case basis whether the SCCs may be relied upon.

For More Information Please Contact:

benson.ngugi@attorneysafrica.com

Jillian.ndirangu@attorneysafrica.com

0

The Conversion of Land Reference Numbers in Nairobi

Pursuant to the Land Registration Act, 2012 (“the LRA”) and the Land Registration (Registration Units) Order, 2017, the Ministry of Lands and Physical Planning (“the Ministry”) has begun the process of conversion of various Land Reference Numbers in order to consolidate the land registration regimes in the repealed legislations to create one amalgamated registration process and curtail fraud and delays in delivery of services.

A special issue of the Kenya Gazette published on the 31st of December 2020 announced the conversion of various parcels of land in Nairobi. This shall affect land owners and parties with an interest in the Land Reference Numbers that are listed. A copy of the Gazette can be accessed at http://kenyalaw.org/kenya_gazette/gazette/volume/MjI2OA–/Vol.CXXII-No.242/. We advise those who are affected to take the following steps:

  1. Take note of the old and new registration numbers and ensure that the corresponding acreage details of the affected parcel are correct;
  2. Inspect the cadastral maps of the land; and
  3. Once the Ministry invites registered owners to apply for replacement of title documents, registered owners should apply for the same and surrender their title documents under the old repealed regime in order to receive their new title under the LRA.

If there are any inconsistencies in the details of the old Land Reference Numbers and new Parcel Numbers, interested parties may lodge a complaint with the Registrar of Lands, and pending its resolution, register a caution on the affected land.

Please note that all documents pertaining to the parcels specified in the Gazette shall be transferred and maintained in the new registration units on the 1st of April 2021 (“the commencement date”). We therefore advise all interested parties to inspect the details in the Gazette and in the case of grievances, take all necessary action before the commencement date.

Igeria & Ngugi Advocates are ready and willing to provide further assistance to any interested party relating to the steps detailed above and the entire conversion of title process.

For any further queries, please send an email to

conveyancing@attorneysafrica.com or benson.ngugi@attorneysafrica.com.