Kenyan government put the ‘cart before the house’ on data protection and must live with the consequences, says court

The high court in Kenya has taken a strong line on protection of personal data related to the government’s new ‘huduma’ identity cards. The cards are meant to do away with the need for many cards related to various government services – ID, passport, clinic cards, driving licences and others. Collection and collation of the data needed for the new, all-encompassing cards has already taken place and the cards are now available for collection. However, a court challenge to the government’s failure to put in place any screen that would protect the privacy of the individual, has just been finalised in the high court, Nairobi. The presiding judge, Ngaah Jairus, has held that the government put the cart before the horse and that it was unconstitutional to have collected data without first ensuring the constitutional right to privacy would be protected.

Read judgment

Top government officials in Kenya have acted with anger to a high court decision throwing doubt on the validity of the country’s new all-encompassing huduma (“service”) identity cards.

The rollout of data collection began in December 2020, and millions of the new cards have already been collected. The government has, however, expressed concern that people are taking so long to collect the balance of the cards.

Now, though, in the wake of the high court’s decision, and the government’s determination to appeal against it as soon as possible, the validity of the cards that have been collected is uncertain.

‘Misguided’

Fred Matiangi, interior affairs and coordination of national government cabinet secretary, was particularly colourful in his response to the decision. The judge who heard the case, Ngaah Jairus, was ‘grossly misguided’ in his findings. Matiangi said all the different sources of data held by government were being brought together ‘so that you are one person’, and so that ‘you use one card and one number to access services’.

‘We cannot be the only country where you need a handbag to carry your cards,’ he said.

The new system had been challenged indirectly in what has come to be called the Nubian Rights Forum case. That earlier case led to a high court judgment declaring that the collection of DNA and GPS co-ordinates for the purposes of identification was ‘intrusive and unnecessary’ and where it was not specifically ‘anchored in the empowering legislation’ it would be unconstitutional.

Comprehensive

The court in that case also held that the government could go ahead with implementing the planned national integrated identity management system (NIIMS) and use the data it collected for that purpose, but could do so only if an appropriate and comprehensive regulatory framework for NIIMS that complied with the constitutional requirements identified in the judgment, was first enacted.

In the meantime, while that case was being finalised, parliament enacted the Data Protection Act and the court in the Nubian Rights Forum case directed that the processing of data collected for the Registration of Persons Act should wait until the Data Protection Act started working.

The government did not wait, however, and began collecting data and issuing cards before the Data Protection Act began full operation.

Defiance

Another group of petitioners then went to court asking to set aside the government’s decision to roll out the huduma cards without first carrying out a data protection assessment under the Data Protection Act. They argued that, in doing so, the government had acted in defiance of the court orders in the Nubian Rights Forum case.

Government, and the new data commissioner under the Data Protection Act, Immaculate Kasait, objected to the application.

They said it was true that the law required a data protection impact assessment to be carried out where processing of personal data was likely to result in ‘high risk to rights and freedoms of the data subject’. However, at the time that personal data was being collected for NIIMs, that impact assessment was not a requirement (because the law had not yet become operational).

Privacy

The new data law imposed a new duty but did not apply retrospectively, they said.

On this issue, Judge Jairus said the constitution gave a right to privacy and from the preamble and purpose of the new law it was clear that the Act was intended to be retrospective to cover any action taken by the state that might affect the right to privacy.

He added that the government should have had the new law in place before it began collecting and processing personal data. ‘But since the state chose to put the cart before the horse, so to speak, it has to live with the reality (that) there now exists legislation against which its actions must be weighed’, regardless of when the actions were taken, if these actions affected an individual’s right to privacy.

Scale

‘To put it straight, there is no other scale upon which to weigh the actions of the state to collect and process personal data except that provided by the Data Protection Act, at least to the extent that it is an Act meant to put into effect the constitutional right to privacy’.

Commenting on argument by the state, he said that an individual’s constitutional rights were under threat ‘by the excesses of the state in collecting and processing data without prior legal framework to ensure that even as the state embraces a new system of identification, the right to privacy is protected.’

Because of this, said the judge, the new law ‘is more of a bulwark against the excesses of the state than a tool imposing new obligations or duties on the state.’

Fairness

Where did fairness lie in terms of protection of the individual right to privacy?

Was it in the retrospective application of the Data Protection Act or in the rule against such application? ‘I would stand with the individual or the citizen against the might of the state and hold that fairness is in interpreting section 31 as being retrospective in its application.’

In addition, there was no suggestion that the judgment in the Nubian Rights Forum case had been overturned. Therefore, the government parties could not deny that they were bound by that judgment.

Data impact assessment

The judge found that a case had been made for judicial review of the government’s roll-out decision, mostly on the ground of illegality.

If the government had appreciated the importance and extent of the application of the Data Protection Act when it came to collecting and processing date collected under NIIMs, it would have conducted a data impact assessment before getting hold of personal data and using it in the rollout of the Huduma cards.

Judge Jairus added, ‘It has been a while since the rollout or the launch of the Huduma Card and it is not clear whether it is still on or has been concluded.’

He concluded that because this case was ‘of substantial public interest’, he would not make any order on costs.

* 'A matter of justice', Legalbrief, 19 October 2021