Data Protection and Huduma Namba – Unlawful surveillance?
A first comparative review of privacy protections in six African countries – Egypt, Kenya, Nigeria, Senegal, South Africa and Sudan – was published by the Institute of Development Studies in October 2021. The report elaborates extensively that governments are seen to be ignoring privacy laws completely in order to carry out illegal digital surveillance of their citizens. The research paper could not have come at a more appropriate moment, when the Kenya Government is struggling to explain the lawfulness of the rollout of the Huduma Namba, Kenya’s new national identity card.
In early May 2019 Kenyans countrywide were seen queuing, after travelling long distances on foot and braving the intense long rainy season, with small babies clinging to their mothers’ backs for a whole day. This was not out of excitement or promises of improvement in their family’s future or livelihood. It was out of sheer frustration, fear and panic, as the State had set a hard deadline of 18 May 2019 for registration for the Huduma Namba.
On 14 May 2019 it was reported that the personal data of 31 million Kenyans had been captured for the Huduma Namba card on the National Integrated Identity Management System (NIIMS). The target was to reach 40 million. NIIMS also aimed to capture the details of foreigners registered as residing in Kenya, irrespective of their citizenship.
In the run-up to the deadline, Kenyans were sharing on various social media outlets that failure to register for Huduma Namba may result in disconnected mobile numbers, deactivation of KRA PIN numbers and the danger of the system leaving millions without access to vital services. The Government also announced that the current national ID number will cease to be in operation by 12 December 2021. This added fuel to the frustration and pressure Kenyans were undergoing.
The Data Protection Act 2019 was signed into law on 25th November 2019, 11 months after the commencement of the Huduma Namba exercise.
In January 2020 the High Court, in Constitutional petitions filed by the Nubian Rights Forum, Kenya Human Rights Commission and the Kenya National Commission on Human Rights, declared it unconstitutional, and in violation of Article 31 of the Constitution of Kenya, for the Government to collect GPS co-ordinates and DNA of individuals under the NIIMS system. The court ruled that registration under the NIIMS system can continue “only on conditions that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable constitutional requirements”.
On 14th October 2021 the High Court of Kenya, in Judicial Review Application No. E1138 of 2020 filed by Katiba Institute and Yash Pal Ghai (“Katiba Institute Petition”), ruled that the rollout of the Huduma card under the NIIMS system was ultra vires (that is, acting unlawfully or beyond one’s legal power or authority) section 31 of The Data Protection Act 2019.
The Data Protection Act 2019 (“DPA”)
The Preamble of The Data Protection Act 2019 states it is “An Act of Parliament to give effect to Article 31 (c) and (d) of the Constitution; to establish the Office of the Data Protection Commissioner; to make provision for the regulation of the processing of personal data; to provide for the rights of the data subjects and obligations of data controllers and processors; and for connected purposes”.
Section 31(1) of the DPA requires that, where processing of personal data is likely to result in high risk to the rights and freedoms of any individual, a Data Protection Impact Assessment (DPIA) must be conducted. It was the Government’s omission to conduct a DPIA that led the High Court to hold the rollout of the Huduma card ultra vires.
Regulation 42 (c) of the draft Data Protection General Regulations explicitly requires a DPIA where the personal data to be processed includes biometric or genetic data. As the Regulations are still in draft form, it remains to be seen whether Parliament will sign them into law.
The Government’s argument in the Katiba Institute Petition did not deny that is not required to conduct a Data Protection Impact Assessment. It argued that the Data Protection Act came into force after launch of the NIIMS registration exercise, and therefore the Data Protection Act cannot act retrospectively. After extensive deliberations by all sides the High Court rejected the Government’s argument and ruled that the Data Protection Act, specifically section 31 requiring the Government to conduct a DPIA, together with Article 31 of the Constitution are squarely applicable.
In some of the largest countries globally, data protection is either a fundamental Constitutional right or Constitutions are being amended to include data protection as a basic human right. Brazil, which is the world’s fifth-largest country by area and the sixth most populous on the planet, on 20th October 2021 proposed an amendment to its Constitution to make protection of personal data a fundamental constitutional right. On the other hand, Kenya’s Constitution makes privacy a fundamental right and this is enshrined in the preamble of the Data Protection Act 2019.
What is a Data Protection Impact Assessment?
A DPIA is like conducting due diligence before embarking on an unknown journey for the first time. You need to know the route, the state of the road, and any hurdles and dangers passengers may encounter on the journey. Any uncertainties and perils should be mitigated or eliminated before embarking on the travels. Any passenger travelling on the journey must be informed of the risks from the outset, and not kept in the dark, so they may make an informed decision whether to go on the journey.
Some of the key elements when conducting a DPIA are how personal data will be used, where it will be stored and what security measures will be deployed to identify and categorise each risk level, so that hackers do not breach and steal personal data. On 20th October 2021, a hacker in Argentina stole the Government ID database for the country’s entire population, including for football superstars like Lionel Messi and Sergio Aguero.
Conducting a DPIA goes to the core of accountability, transparency, and integrity under any Data Protection legislation globally. Data protection legal practitioners in Kenya have widely advocated for more transparency and wide public participation, similar to what has been conducted in other countries like Australia, prior to the rollout of the Huduma Namba.
How does failure to conduct a DPIA impact an individual?
Biometric data are any metrics related to human features like eyes, face characteristics and fingerprints. Under the National Integrated Identity Management System (NIIMS), fingerprint and face characteristics are used to collect biometric data of individuals.
In Kenya, biometric recognition systems are widely used in banking apps, office blocks and shopping malls. Use of biometric data is increasing at a rapid pace globally. Therefore any risks associated with the collection and processing of biometric data are to be identified and mitigated before it can be processed by a Data Controller or Data Processor.
The grave risks associated with the misuse, and the benefits of identifying an individual via their biometric data, cannot be overstated. Detectives often identify and solve criminal cases using fingerprints and DNA technology. In May 2021, a drug dealer in Liverpool was successfully convicted after he was identified via social media analysis of the photos of his fingerprints sharing Stilton cheese!
Biometrics are Sensitive Personal Data
The High Court in the Katiba Institute or Nubian Rights Forum cases did not deliberate on the issue of sensitive personal data. Sensitive personal data under the DPA includes biometric data and genetic data.
Under section 45 of the DPA, sensitive personal data may be processed only on specific grounds, with appropriate safeguards. Under Regulation 5(2)(d) of the draft Data Protection General Regulations, sensitive personal data must be collected directly from an individual. Although the Government collected data directly from individuals, the permitted grounds for processing of sensitive personal data under section 45 do not permit the Government to process sensitive personal data in the current circumstances.
Consent, Lawful Basis and Sensitive Personal Data
Section 32 of the DPA sets out the lawful basis under which personal data can be collected and processed. A commonly used lawful basis for processing most personal data is legitimate interest. However, legitimate interest for processing sensitive personal data is not available to the Government, since the risk to individuals’ fundamental rights and freedoms outweighs the legitimate interest of the Government in processing biometric data.
Public authorities can rely on the lawful basis of official authority and performance of public task to process personal data, and there can be more than one lawful basis for processing personal data. The key in deciding lawful basis is to ensure that any processing of personal data does not override individuals’ interests, fundamental rights and freedoms. Therefore the main lawful basis for processing sensitive personal data under the NIIMS system is express and specific consent of the individual.
Any consent from an individual must be given freely and voluntarily. Information regarding the nature of the processing must be given to the individual in simple, understandable and clear language, and the individual must have the capacity to understand and communicate the express consent. When collecting consent for processing of personal data, individuals must be informed of the use of personal data, whether any third party will have access, where the data will be stored, whether it will be transferred to another country and how long the personal data will be retained. These are fundamental principles of fairness and transparency.
Considerable, indirect and psychological pressure was mounted on individuals to register for Huduma Namba before the first registration deadline of 18 May 2019. It is highly doubtful whether consent, if any, obtained from approximately 40 million individuals in respect of their sensitive personal biometric data was freely and voluntarily given, and whether individuals had the awareness or were given an opportunity to make an informed decision.
Individuals’ rights in respect of personal data
Individuals have a right under the DPA to be informed of how their personal data will be used and to access their personal data, without hindrance, from the data controller or data processor. Individuals also have a right to object and restrict how their personal data will be processed.
Under section 40(1)(b) of the DPA individuals can request a data controller or data processor to erase or destroy, without undue delay, personal data obtained if that data was obtained unlawfully.
What are the Government’s options now?
There are a number of options available to the Government. The Attorney General’s office has filed a notice of appeal against the judgement in the Katiba Institute case. The merits of the same are for the appellate courts to decide. At the time of writing this article, there is no stay order from a court of competent jurisdiction of individuals’ rights enshrined under the Data Protection Act. It is highly doubtful if any stay of Constitutional rights will be granted by any appellate court.
The second option, as ordered by the High Court in the Katiba Institute case, is to conduct a DPIA in accordance with section 31 of the Data Protection Act. This would seem to be a more sensible option given that Kenyans must be given an opportunity to make an informed decision on whether they wish to continue down the unknown, unnecessary journey. It may be time to rethink the entire Huduma Namba project and continue with the good old ID card which does the job and has been working perfectly well for decades.
Amit Gadhia
- Advocate of the High Court of Kenya
- Solicitor of the Senior Courts of England and Wales (practicing freelance)
- Certified International Privacy Professional-Europe (CIPP/E)
- OneTrust Fellow of Privacy Technology
- Corporate Governance Professional (ICSA – UK)
- Certified Company Secretary (Kenya)

This post is intended to be of general use only and should not be relied upon without seeking expert legal advice.