Leveraging tech-novation for financial empowerment

Insights for regulating a rapidly growing and dynamic digital economy in Kenya


A digital economy is one based on digital technologies or, more broadly, as the entirety of sectors that operate using digitally enabled communications and networks leveraging internet, mobile and other technologies. When, in 2019, Kenya launched the Digital Economy Blueprint, President Uhuru Kenyatta held the opinion that the current and growing digital world presents a future of immense possibilities.

He asserted that with every passing year, new technologies and services are emerging and as digital technologies become the cornerstone of our daily activities, governments, businesses and individuals must adapt to this new reality.

In the end, it is evident that to harness the benefits of a truly digital economy, there is need to build ecosystems that facilitate digital transactions nationally, regionally and globally.

A quick situational analysis of the market environment reveals that digital technologies have become the cornerstone of our daily activities. It is even accurate to assert that going digital is inevitable and there is great need to adapt, in all aspects of life. There is need to ensure that even the learning curriculum in institutions aligns to this reality. Failing to prepare our minds to conceptualize the benefits of a tech savvy environment is akin to preparing to fail economically.

Digital businesses brand protection

With proliferation of technology and innovation, businesses are adopting dynamic forms in a bid to compete and adapt with the changing nature of the market industry. Offline businesses are now migrating online even as they maintain offline addresses and adopt complimentary online platforms. Finally, we now have purely online-run businesses.

Due to the dynamic nature of the digital economy, various challenges arise, first in protecting the look and feel of these businesses. This architecture refers to brand names and outlook of digital businesses. In fact, a quick search online reveals more than one result for different people, offering same services under similar names.

The danger with unregistered online businesses is that upon one registering a trademark at the registry of trademarks, the initial unregistered owners of the online business become potentially liable for infringement of intellectual property rights of the now –newly – registered trademark owners. There is need to cushion against such eventualities with the rise in the number of businesses that operate digitally.

Kenya has enacted several legislations in a bid to curb unfair competition. However, most of these legislations fail to address competition online, especially with regard to unfair use of business brand names. The net effect is that consumers end up short-changed, as a result of confusion caused by shadow-naming and imitation of brand character.

There are many advantages of effecting registration of trademark for digital businesses. Importantly, it precludes other users of the digital economy from unfairly utilising the registered brand. Furthermore, for businesses originally operating online, then later seeking offline market presence, it is essential to protect the brand through registration.

Section 5 of the Trademarks Act precludes persons from instituting proceedings to prevent, or to recover damages for, the infringement of an unregistered trademark. Registration confers exclusive rights to the use of the trademark in relation to those goods or in connection with the provision of any services. Kenya operates under the model of first to register, first to own system of trademark registration.

Therefore, unless it is a claim of passing off, there is no protection for online brand names that are not registered. Trademark registration in the digital economy is a live debate that takes different turns with each innovation and technological advancement. The scope of protection online is another growing aspect of the digital economy.

Going by the conversations around taxation of the digital economy, there is therefore need for registration of trademarks. Upon such registration, digital business owners can then seek to enforce other intellectual property rights associated with trademarks, gaining both economic and moral benefits. The digital economy is a product of creative application of technological knowledge to bridge some kind of industrial gaps.

Market trends, depending on the online reach of the business, also expose businesses to associated legal risks that can be averted through registration of their online brand. Issues of fraud, false pretences and misrepresentations are such legal risks that official recognition through registration can avoid.

Effective digital lending matrices

For venture capitalists, “fintech” is a relatable and perhaps, important term. However, for ordinary Kenyans, this is just but a combination of words. There is therefore need to break this down into edible pellets for public consumption. In lay terms, fintech refers to computer programs and other technology used to support or enable banking and financial services.

In Kenya, the impact of technology has affected the market economy greatly. The rate at which innovations relating to the use of technology to enable access to finances is rising remains unparalleled. In 2007, Vodafone, through Safaricom, launched MPESA mobile money transfer. The obvious gap that Vodafone sought to fill was that of financial access and inclusion, especially amongst low and middle income earners. MPESA has since metamorphosed into several other services. Kenya is currently facing an influx of lending platforms. It is therefore important to conduct an audit of the legal framework governing this sector to determine its efficiency in the dynamic market economy.

One emerging concern related to digital lending is harassment of borrowers upon default of payment of the loans from lending applications. The Central Bank of Kenya (“CBK”), established under the Central Bank of Kenya Act, (“CBK Act”), is the lead regulator in the financial sector. However, the texture and architecture of the CBK Act anticipated regulation of operations typical financial institutions such as banks.

The provisions of the National Payment Systems Act could be utilised by the CBK, for reason that these digital lending apps operate within its framework. Since 2018, the CBK has hinted at a digital lending charter to regulate digital lending. The charter should contain clauses that will tame lenders from harassing borrowers. To also address concerns of extortion and hidden unconscionable profits on the part of digital lenders, there is need for a provision requiring borrowers to be supplied content on financial literacy. This will help inculcate policies on transparency and disclosure in this sector.

One other concern that must be addressed in this sector is that of infringement of privacy, seeing as borrowers and their acquaintances have their privacy violated in several ways. Privacy includes treating all borrowers with the utmost respect and dignity as they use the digital lending applications.

In 2019, Google established requirements for digital lenders in their metadata, including: a minimum and maximum period of repayment; maximum annual percentage rate including interest rate plus fees and other costs for a year, or similar other rate calculated consistently with local law; and an example of the total cost of the loan, including all applicable fees.

Google will also not allow apps that trade binary options or apps that mine cryptocurrency on devices. However, it permits apps that remotely manage mining of cryptocurrency. These policies will impact a lot of fintech companies. In the long-term, the rapid growth in this sector, perhaps will call for a substantive legislative intervention, for reason that guidelines and regulations may fail to address complex consequences of the use of the digital lending applications.

The Data Protection Act 2019 (” DPA”) and digital lending

The DPA defines “Processing” as: Collection, organization, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other means, alignment, combination, blocking, deletion or destruction of information or data. Therefore, collection of details such as contacts of persons, qualifies as processing of data. Digital lending applications are equipped with technological permissions that scan and upload the contact list of the borrower to the digital lending application companies for their use, abuse and disabuse.

Consent to data processing

Consent of the data subject is an overarching focus of the DPA. Data may not be processed without the consent of the data subject and it shall be the responsibility of the data controller or processor to prove that consent for a specific purpose was granted.

Personal data means any information relating to an identified or identifiable natural person. Sensitive personal data refers to data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

In order to use the digital lending online platforms such as applications, at the point of installation, automatic access permissions are granted by the prospective borrower. The application then has access to contacts and relevant data such as social media sites of the borrower. The question that stands out is whether these automatic permissions, negate the requirement of consent. This is in light of the fact that without allowing such access, the prospective borrower is locked out of the use of the application

The DPA sets a very high standard for consent, making it difficult to obtain. If not done correctly, it is definite that it will lead to serious lawsuits in the future, considering that the DPA seeks to enforce a fundamental right to privacy under the Constitution of Kenya 2010. It is trite law that consent of a borrower should not form the sole legal basis for action on the part of the digital lending applications. Where a digital lender seeks to enforce against a borrower, it is this paper’s standpoint that consent should be complemented with other forms of legal basis such as the law of contract. This may lead to the need for use of smart contracts, with requisite clauses to cushion against breach.

In the current market practice, upon default of loan repayment, some random persons in the contact list of the borrower are contacted in the guise of enforcing repayment. This is used as a form of default guarantor to the digital loan. In reality, contacting random persons about a loan taken by another without their knowledge subjects the borrower to shame and unintended disrepute. In Indonesia, digital loan applications have been reported to form WhatsApp groups using the contact details of the borrower and an automatic message sent to the chat asking the members to tell the defaulted borrower to repay the loans.  

The DPA provides that consent for data processing must be express and anyone claiming the consent of a data subject to the processing of their personal data bears the burden of proof. This calls for structures to ensure that there is no doubt as to consent obtained from a data subject.

Therefore, at the point of installation of the digital lending applications, there is need to ensure that the consent pop up notices give the borrowers options as to the levels of access that they consent to. It is also significant to ensure that failure to consent to use of data does not deny borrowers a chance to utilise the credit facility as this amounts to coerced or constructive consent.

There is also need to disclose the data obtained and the purpose of obtaining such data. During use of the digital lending application, when personal information changes, the digital lending applications need to put in place measures to facilitate rectification of such information. Additional data sought from the data subject, should be done properly, following strict guidelines as to consent.

Use of data for commercial purposes

Section 37 of the DPA provides that a person shall not use, for commercial purposes, personal data obtained pursuant to the provisions of the Act unless the person has sought and obtained express consent from a data subject; or is authorised to do so under any written law and the data subject has been informed of such use when collecting the data from the data subject.

A data controller or data processor that uses personal data for commercial purposes shall, where possible, anonymise the data in such a manner as to ensure that the data subject is no longer identifiable. Section 37 (3) anticipates practice guidelines to be developed for commercial use of personal data. Therefore, this provision will become effective upon these guidelines, including definition of commercial use.

The net effect of Section 37 of the DPA therefore is that data collected in the digital economy, obviously for commercial purposes, must be used within the framework of the DPA and the regulations thereto. All principles of data protection espoused in various legal instruments including the European Union’s General Data Protection Regulations must be enforced, if we are to reap the benefits of a fast growing digital economy.

Indeed, there is a continuous need for synergy between law and technology to ensure a regulated environment that facilitates innovation. There lies great potential in the future of the digital economy.

Sign Up