“Avoid disconnection, update your SIM registration details.” This is the message that Kenyans have been seeing for months. Kenyan telcos have been threatening to disconnect people from mobile phone and internet services if they do not provide new data, including facial images — part of their personal, unchangeable biometrics. The companies claimed it was required under the Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015. In fact, that’s a gross misrepresentation of the law. Collecting biometric data for a SIM card puts people at risk of privacy violations, data breaches and abuse, and even identity theft. Kenyans must say no, and oppose any new regulations to authorize it.
Privacy violations are not new in Kenya. As Access Now has previously highlighted, companies like Safaricom have not only failed to protect subscribers’ personal information, but also refused to take accountability for data breaches. Here’s a look at what’s happened so far in Kenya, details on the push to authorize biometric data collection, and what Kenyans can do now to oppose it.
What’s happened so far
If you can’t see the highlights below, please check your privacy-enhancing browser extensions. Open in desktop view for the best experience.
What the law says
Regulation 5 (1) of The Kenya Information and Communications(Registration of SIM-Cards) Regulations, 2015 provides for the requirements of SIM registration. It does not require collection of biometric data. This means that the mandatory collection of photographs for SIM card re-registration exercise has no legal basis. It is a breach of people’s privacy, which is protected under Article 31 of the Constitution of Kenya, as well as the Kenya Information and Communications (Consumer Protection) Regulations, 2010, which specifically addresses privacy in the context of communications.
The CAK which originally directed the collection eventually rectified its wrongful interpretation. But the damage was already done. Many customers, fearing disconnection, have already disclosed their biometric information to the telcos.
The Kenya Data Protection Act, 2019 defines biometric data as sensitive personal data, and requires the data protection principles to be applied when processing it. The collection of facial biometrics goes against these principles. Yet the Office of the Data Protection Commissioner (ODPC) has been noticeably silent and seemingly uninterested in the breach of data subject rights throughout this process.
What’s happening now, and why it puts privacy and human rights at risk
The Ministry of ICT now plans to replace and revoke the Kenya Information and Communications (Registration of SlM-cards) Regulations, 2015 with new regulations that would authorize the collection of biometric data, the draft Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2022.
There is no logical and legal basis for the collection of biometric data as a prerequisite of SIM card registration. The claims telcos are making that facial biometrics will enhance security and prevent the commission of crimes are false. Indeed, as the United Nations High Commissioner for Human Rights has explained, the fact that biometrics are inextricably linked to a person’s identity makes it more difficult to recover in cases of data breach and identity theft. You can change a password, but you cannot change your face.
Biometric databases also increase the risk of state surveillance, as the Clearview AI scandal demonstrates. In Kenya, law enforcement surveillance of people’s communications is already putting human rights defenders and others at risk. Authorizing mass biometric data collection makes it more likely it will fall into the wrong hands.
How Kenyans can fight biometric data collection and defend their rights
Kenya has data protection under the law. Kenya now needs data protection in practice. That means the Office of the Data Protection Commissioner must immediately take action to investigate the telcos’ breach of privacy and data subject rights, advise the Ministry of ICT against making the collection of biometric data a prerequisite of SIM card registration, and and offer remedy to the subscribers whose data have already been unlawfully collected. These data should be deleted.
Access Now and the Kenyan civil society are already pushing back:
- ARTICLE 19 Eastern Africa sent an Access to Information request to telcos to confirm the biometric data in their possession. Safaricom has so far failed to respond.
- Katiba Institute has filed a judicial review application at the High Court of Kenya seeking a number of legal requests, including an order compelling Safaricom to delete the unlawfully collected biometrics.
- Civil society and academia have submitted a joint memorandum to the Ministry of ICT calling for the deletion of the requirement for collection of biometric data from the draft subscriber registration regulations.
Now it’s your turn:
Here is what you can do to fight for your rights:
- Step 1: Submit an access to information request – Section 26 (a) and (b) of the Data protection Act, 2019 gives you the right to access your data. (See Regulation 9 of the Data Protection (General) Regulations, 2021 for submission requirements.)
- Step 2: Submit an erasure request – Section 40 (1) (b) of the Data Protection Act, 2019 gives you the right to demand that your data be deleted if it was collected illegally. (See Regulation 12 of the Data Protection (General) Regulations, 2021 for submission requirements.)
- Step 3: Demand the ODPC to act – Join our call demanding the Office of the Data Protection Commissioner to fulfill its mandate and protect the privacy of Kenyans.