How the Kenyan High Court (temporarily) struck down the national digital ID Card: Context and Analysis
The High Court of Kenya, by virtue of a judicial review application, delivered a landmark judgment declaring the proposed national digital ID card (Huduma Card) unconstitutional on October 14, 2021 – a judgment that is now part of the growing data protection and privacy jurisprudence in the country.
Kenya enacted its first Data Protection Act (KDPA) in 2019, as part of a growing wave of privacy and data protection laws being adopted across African jurisdictions. While discussions of data protection and privacy in Africa are still at their infancy stage, they are constantly developing. Cape Verde was the first country to enact a data protection law in 2001. Countries such as Zimbabwe enacted their data protection law as recently as December 2021. This blog analyzes the landmark judgment of the High Court of Kenya in the Huduma Card case, putting it in context with regard to broader privacy and data protection law developments in the country and the continent.
1. Background of the case and brief history
The matter, Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology and others ex parte Katiba Institute and Yash Pal Ghai concerned the process of launching the “Huduma Card”, Kenya’s proposed first national digital ID card. According to the applicants, Katiba Institute, a constitutional research, policy and litigation institute in Kenya, and Yash Pal Ghai, a ‘data subject’ as defined by the KDPA, the process of launching the Huduma Card was done in violation of the KDPA.
Specifically, they argued that the executive order adopted on November 18, 2020 by the country’s Ministry of Interior, the body in charge of rolling out Huduma Cards to registered persons, violated section 31 of the KDPA. Section 31 provides that “where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment”. The KDPA describes processing as “any operation or sets of operations which are performed on personal data or on sets of personal data whether or not by automated means”. It includes activities such as:
- collection, recording, organisation, structuring;
- storage, adaptation or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination, or otherwise making available; or
- alignment or combination, restriction, erasure or destruction.
On November 24, 2020, the applicants filed for judicial review of the executive order launching the Huduma Card. In the motion, the applicants asked the court to grant three orders:
- To prohibit the rolling out of Huduma Cards.
- To reverse the decision to roll out Huduma Cards.
- To issue an order compelling the respondents to conduct a data protection impact assessment before processing of data and rolling out Huduma Cards.
The court granted the last two orders.
2. Putting the Huduma Card into Context
For purposes of clarity, it is fundamental to locate Huduma Card in the larger context within which it exists. Huduma Card, akin to India’s Aadhaar Card, is the final step in the process of registration in Kenya’s proposed digital identification system – the National Identity Integrated Management System (NIIMS). NIIMS was introduced through the Statute (Miscellaneous Amendments) Act, No. 18 of 2018 which amended Kenya’s civil registration law, the Registration of Persons Act (RPA) in 2018. The amendment involved introduction of a new section, section 9A that established NIIMS.
On January 18, 2019, the RPA amendment came into force. Pursuant to the introduction of NIIMS, the government began a nationwide exercise of collection of personal data including biometric data on March 15, 2019. Soon after, the legal validity of NIIMS and its subsequent implementation were challenged before the High Court. One of the grounds for challenging the implementation included that, in its original state, NIIMS would pose a threat to rights and freedoms protected under the Constitution. Specific to the right to privacy guaranteed under article 31 of the Constitution, issues raised by the different petitioners included the fact that:
- There was no law to guarantee the privacy provisions under the Constitution. At the time, the KDPA was not yet enacted.
- Collection of GPS coordinates, DNA and other forms of biometric data would violate the privacy rights of registrants. This was a concern since at the time, GPS coordinates and DNA were a registration requirement.
On January 30, 2020, the High Court rendered a decision on this petition. It held that:
- Implementation of NIIMS would proceed. Processing and use of data collected in NIIMS would proceed on the condition that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable Constitution requirements as identified in the judgment is first enacted.
- Collection of DNA and GPS coordinates was found to be intrusive and unnecessary as it violated the right to privacy under the Constitution.
While the above petition was pending determination, the KDPA was enacted and became applicable in November 2019. The court directed that processing of data collected under NIIMS should not happen before the KDPA is operationalized and a regulatory framework put in place. The KDPA is now in operation with the creation of the Office of the Data Protection Commissioner.
In October 2020, the government published two regulations specifically for NIIMS; Registration of Persons (National Integrated Identity Management System) Rules (2020) and the Data Protection (Civil Registration) Regulations. The former recognizes NIIMS as the primary source of identification in Kenya while the latter creates a legitimate basis for processing NIIMS data. The Huduma Bill, a comprehensive national digital ID law was also proposed as another regulation measure to guide the implementation of NIIMS. Therefore, protection of data collected under NIIMS is presently governed by the Constitution of Kenya, the KDPA, the Registration of Persons Act, the Registration of Persons (National Integrated Identity Management System) Rules (2020), and Data Protection (Civil Registration) Regulations. It is under these circumstances that the Ministry of Interior through an executive order announced the rollout of the Huduma Card, which led to the judicial review before the High Court.
3. Understanding Kenya’s Automated Processing of Personal Data Ecosystem
Before delving into the impact of this recent decision, a brief overview of Kenya’s automated processing of personal data ecosystem is necessary. From a consumer perspective, Kenya’s internet connectivity is growing. As of January 2021, it was reported to be at 40%. This has created a market for internet supported applications such as digital finance applications, and social media applications among many others. Most of these applications collect personal data in the course of usage or require personal data to operate. Of particular interest is the proliferation of digital finance applications in Kenya. This has created a market for more sophisticated, personal data reliant digital finance applications. A number of these financial service providers rely on alternative scoring models to provide credit. Many of these models rely on highly personal data to determine loan eligibility. Some applications require constant permission to location data while another requires access to the microphone.
At the government level, the concept of digitization of information systems is close to the heart of the Kenyan government as seen in large scale projects such as NIIMS and the National IT policies. Other government maintained information systems that contain personal data include the biometric voter registration system, electronic voter identification system and health information systems in public health facilities. In a bid to conduct these data processing activities, some data controllers rely on third party data processors to conduct processing activities. A good example is Kenya’s election management body which outsources election kits and the systems used to run them.
All these commercial and government systems hold personal data that now fall within the scope of the KDPA. It is for these reasons that a landmark decision on the enforcement of the KDPA bears relevance.
4. Key Issues for Analysis in the Huduma Card Case
The questions of whether to conduct a data protection impact assessment (DPIA) or not as well as the procedure of handling complaints are key issues in the judgment that have the ability of influencing data protection expectations for both data subjects and data controllers/processors handling personal data that falls under the KDPA’s scope.
4.1 Conducting a DPIA
In the judicial review application, Katiba Institute (the applicant) submitted that the respondents did not conduct a DPIA which was in violation of the KDPA and Order III of the 2020 petition. In rebutting this, the respondents argued that the KDPA was not envisaged to apply to data under NIIMS. The court upheld the applicant’s arguments and ordered for a DPIA to be conducted before any further steps to issue Huduma Cards are undertaken. This decision was upheld, partly due to the fact that some of the parties in the 2020 petition who were also respondents in this matter, submitted to the court that there were legal safeguards underway to ensure protection of data under NIIMS. The legal safeguard, in this case, was the Data Protection Bill, now the KDPA. The court, therefore, did not see why the Bill which is now law should not apply in the present matter.
The question of whether or not to conduct a DPIA remains a subjective one, at least for civil registration entities. The Data Protection (Civil Registration) Regulations, adopted in the implementation of the KDPA but only relating to public bodies with a civil registration function, do not state whether it is mandatory to conduct a DPIA for information systems held by civil registration entities such as NIIMS and its components. Under Regulation 19, it provides that a data protection impact assessment may be conducted on condition it is required in accordance with section 31 of the KDPA. On the other hand, Section 31(6) of KDPA provides that: “The Data Commissioner shall set out guidelines for carrying out an impact assessment under this section”. While indeed the Data Commissioner did develop the Data Protection (General) Regulations, 2021 that attempts to set the criteria of conducting a DPIA by delineating processing activities that would amount to “high risk, the Regulations are not applicable to civil registration entities where NIIMS falls under. Regulation 3 of the General Regulations provides that: “These Regulations shall not apply to civil registration entities specified under the Data Protection (Civil Registration) Regulations, 2020”.
Interestingly, the High Court did not make any findings with regard to what specifically constitutes “high risk” processing of personal data related to the Huduma Card in this judgment. However, when adjudicating on the initial 2020 petition, the Court implied an overall high risk of the entire NIIMS system. For instance, in prohibiting collection of GPS coordinates and DNA data, the Court stated that collection of such data would be intrusive and carries with it the risk of privacy violations and surveillance.
However, there have been attempts elsewhere to make the DPIA triggering criteria objective through denoting situations that amount to “high risk”. Kenya’s KDPA adheres to the “high risk” criteria, similar to EU’s General Data Protection Regulation (GDPR).
Beyond the scope of NIIMS, the fact that the data protection regulations have not yet come into force to provide clarity around the situations that necessitate a DPIA as well as how to proceed with carrying out a DPIA, could negatively affect other data controllers and processors and consequently, the data subjects. The Regulations are currently before the Delegated Legislation Committee in Parliament awaiting comments. These Regulations will be deemed to have been approved after 28 days from the publication date. Nevertheless, the fact that the conditions triggering the obligation to carry out a DPIA have not yet come into force does not diminish the data controllers’ general obligation to implement measures to appropriately manage risks for the rights and freedoms of data subjects. Even without the explicit requirement to conduct a DPIA, controllers must continuously assess the risks created by their processing so as to identify when a processing is likely to result in a high risk to rights and freedoms of data subjects.
In light of the present judgment, it will be interesting to see whether data collected and held in information systems created before the KDPA came into force and after the Constitution was adopted in 2010 will be subjected to DPIAs, if they meet the criteria for conducting a DPIA. This is crucial as the Huduma Card case shows that the KDPA could act retroactively. If the court’s rationale in the Huduma Card case is anything to go by, it is likely that the KDPA could apply retroactively for such information systems. The court in its analysis stated: “it is clear that the Act was intended to be retrospective to such an extent or to such a time as to cover any action taken by the state or any other entity or person that may be deemed to affect, in one way or the other, the right to privacy under Article 31 (c) and (d) of the Constitution”.
4.2 Dispute Resolution in Data Protection Cases
In addition to the issue of conducting a DPIA that formed the main argument, the court also deliberated on the issue of handling complaints under the KDPA that could have persuasive impact on future data protection cases. In deciding whether to give an audience to the applicants, the court dealt with the issue of whether it had jurisdiction to hear the matter. The question of jurisdiction, as presented by the interested party (the Data Protection Commissioner) arose from the fact that one of the applicants, Yash Pal Ghai, described in the matter as an affected data subject, claimed that rolling out Huduma Cards without a DPIA would prejudice his rights as a data subject under the KDPA.
Owing to objections raised by the interested party, the Data Protection Commissioner (DPC), the court found that the applicant could not, in the given circumstances, approach the court directly. To obtain redress, the data subject was required to first exhaust all other available dispute resolution means as stipulated in the KDPA and the Data Protection (Civil Registration) Regulations before seeking court intervention. The Data Protection (Civil Registration) Regulations provides an internal complaint handling procedure. Regulation 23(1) provides that an aggrieved data subject may lodge a complaint with the civil registration entity.
Further, Regulation 23(6) provides that a data subject has a right to appeal to the Data Commissioner if the data subject is dissatisfied with the decision of the civil registration entity. Section 56(1) of the KDPA provides that “A data subject who is aggrieved by a decision of any person under this Act may lodge a complaint with the Data Commissioner in accordance with this Act”. If the data subject wanted to opt out of dispute resolution mechanisms under the KDPA and the Data Protection (Civil Registration) Regulations, they had to make an application to court explaining why such mechanisms are not efficient. The court upheld this objection. Katiba Institute, however, was allowed to bypass the dispute resolution mechanisms provided under the KDPA and the Data Protection Regulations for two reasons:
- They do not fall under the category of a data subject. The KDPA describes a data subject as an identified or identifiable natural person who is the subject of personal data.
- Their application was based on grounds of public interest. Article 22(2)(c) of the Constitution permits instituting court proceedings by a person acting in the public interest.
The court thus found that Katiba Institute had sufficient interest in decisions made by any person under the KDPA despite not being a data subject.
Effective handling of complaints related to data protection is crucial for consumers and businesses. As personal data processing activities in Kenya are now subject to the KDPA unless they fall under exemptions (even then there are minimum requirements of processing) it is important that institutions involved are clear on their respective obligations. This decision is a good starting point on who and when a data protection dispute can be brought to court. With respect to maintaining institutional autonomy, this is a significant move as it indicates the court’s intention to not interfere with nascent administrative bodies with quasi-judicial functions.
While the Office of the Data Protection Commissioner (DPC) and the civil registration entities are being granted independence to oversee enforcement of the KDPA and related regulations, it will be important to further delineate how far such bodies can go with regards to dispute resolution. When can an aggrieved data subject or data controller bypass the DPC and approach the court where their rights and freedoms under the DPA are violated or obligations are under threat respectively? This begs the question, how will the DPC interact with the courts? To explore this, it is crucial to first highlight the role of the court in data protection dispute resolution as per the KDPA:
- Issuing a search warrant to enter a premise for the purpose of discharging any function (including dispute resolution) or power under the KDPA.
- Hearing appeals against administrative actions such as enforcement and penalty notices taken by the DPC.
- Issuing preservation orders to preserve personal data that is vulnerable to loss or modification. This is useful during investigations.
Thus far, the role of the court appears to be secondary in first instance dispute resolution with the DPC having priority to determine the existence of an infringement. This can be justified under the Fair Administration Act (FAA), the legislation that deals with administrative action. On the other hand, the Constitution provides citizens with the right to approach courts where their rights and freedoms are violated. This includes the Constitutionally protected right of privacy from which the KDPA emanates. As for judicial and quasi-judicial decisions, the Constitution provides that “the High Court has supervisory jurisdiction over the subordinate courts and over any person, body or authority exercising a judicial or quasi-judicial function, but not over a superior court”. Based on these court findings, the court appears to recognize the importance of a data protection authority. However, it shall have to balance this against the Constitutionally protected right to institute court proceedings by anyone whose rights and freedoms are affected.
Pursuant to the High Court order for a DPIA to be conducted, the relevant ministry complied and conducted the assessment pointing to an acknowledgment of the importance of accountability with regards to sensitive citizen data. The assessment is not yet public. As the DPIA was the sole requirement to proceed with issuing the Huduma Card, it is expected that the rollout will continue, unless further challenges are successfully made.
Case law is key in providing guidance on interpreting statutes. It is for this reason that this latest judgment is of great significance to both the future of government led digital ID initiatives such as Huduma Namba, data subjects and businesses as it could shape how the implementation of the KDPA proceeds in the future. Given that a key focus in data protection now is initial implementation of the KDPA, clarity in issues such as whether to conduct DPIAs and forum for dispute resolution will be crucial in ensuring that data processing activities are performed in compliance with the law.
 Section 60, Data Protection Act (2019)
 Section 64, Data Protection Act (2019)
 Section 66, Data Protection Act (2019)
 Section 9(2), (3), Fair Administration Act (2015)
 Article 22, Constitution of Kenya (2010)