India’s Digital Personal Data Protection Bill

Stop SIM data-syphoning: Safaricom must protect privacy in Kenya

People in Kenya have both the right to mobile telecommunications and to privacy — prominent telecommunications provider Safaricom must delete all biometric data collected via its dangerous, manipulative data-harvesting SIM registration process. Read Access Now’s open letter to the company.

“Safaricom demanding excessive personal information — including private biometric data — for people to use its services is nothing less than unconscionable,” said Jaimee Kokonya, Africa Campaigner at Access Now. “As one of the nation’s leading internet providers, the company wields the power to control the communication of millions of people, and must put human rights above all. Safaricom should be setting the privacy gold standard, not dragging the industry through the mud.”

In November 2021, Safaricom began sending messages to people subscribed to mobile services informing them they were required to update their SIM card registration details by bringing their identification documents to outlets. Under the threat of disconnecting those who did not comply, this directive included a demand for invasive facial biometrics. The company alleged this requirement was in line with new regulations from the Communications Authority of Kenya (CA) — it was not, and the collection of this data is illegal

“When we see private companies manipulate laws and regulations with unclear motives, governments must intervene,” said Bridget Andere, Africa Policy Analyst at Access Now. “Safaricom must be held responsible for its illegal acquisition of private information — information it now controls, and is ripe for exploitation and manipulation.”

Tech companies are not acting alone in this breach of rights. The Communications Authority originally directed the collection of biometrics, but rectified its wrongful interpretation of the law. SIM card registration in Kenya has been regulated by law since 2015, and only requires operators to collect basic information such as names, dates of birth, addresses, and copies of identification documents. There is no mention of biometric data within the legal frameworks. 

The SIM registration deadline passed on October 15, 2022, and Safaricom has restricted the accounts of some who did not supply extra personal data. Prior to this, Safaricom updated its requirements, striking off biometrics. The company is, however, still requesting their subscribers provide data not required by law. 

Safaricom has provided no guidance on remedies for subscribers whose data was collected as a result of their misrepresentation of the law. This speaks to an alarming trend in the company’s data practices. 

Safaricom has a responsibility to protect people’s privacy and uphold human rights. All breaches of privacy laws and the company’s human rights obligations must be rectified immediately. Access Now recommends:

  1. Deleting all facial biometrics data collected illegally during the SIM re-registration exercise carried out between August 2021 and April 2022, and notify affected subscribers that their data has been deleted; and 
  2. Commissioning, and publishing, independent transparency reporting on the Data Protection Impact Assessment carried out prior to the collection of facial biometrics.

Read the open letter.