Key Insights from the Draft Registration of Telecommunication Service Subscribers (Regulations) 2022
- Florence A. Ogonjo |
- June 17, 2022 |
- Data Protection,
- Digital Rights,
- RIght to Privacy
Why create new regulations?
The mandatory registration of SIM cards caused uproar raising key issues on the legality and necessity of the process. It also raised key data protection issues that were discussed in the first series of this blog post. The blog post highlighted pertinent privacy issues sighting provisions of the Data Protection Act and the draft regulations on the registration of sim cards as well as a failure to abide by legal frameworks and the lack of transparency and public trust.
In May, the Ministry of ICT and Youth Affairs announced a public call for public comments on the review of regulations formed under the Kenya Information and Communications Act among which included the Registration of SIM Card Regulations 2015. These regulations would be replaced by the draft Registration of Telecommunications Service Subscribers Regulations 2022. The draft regulations if accented will repeal the existing SIM Card registration guidelines. It is in this context that this second part of the blog series discusses the proposed draft regulations giving a summary of the regulations, salient differences between the proposed draft regulations and the current regulations, and key issues arising from the draft regulations.
The draft Regulations.
Authorization and records the telecommunications operator can keep:
Only the telecommunications operator or a registered agent as defined under KICA will be authorized to facilitate the registration of subscribers. In line with this, the operator will be responsible for keeping updated records of all its registered agents, the registered subscribers, all SIM Cards, sold to the operator’s agents and information on every registered sim card.
Registration Documents required for registration:
Provision is made for documents that are required when registering as a subscriber, the requirements are as follows for the different categories of identified persons,1
-
Kenyan citizen who has attained the age of majority – Identification Document issued by the government of Kenya
-
Children – Birth certificate and identification documents of parent or guardian
-
Foreigners – Passport or foreign nationals certificate
-
Refugees – valid refugee identity card
-
Stateless person – birth certificate or valid identification document issued under the Kenya Citizenship and Immigration Act.
More specific to the registration of children’s’ sim cards, the guardian or parent will be the registered as the subscriber until the child attains the age of majority i.e. 18 years of age. Once identification documents have been obtained, personal identification details shall be registered with the operator replacing those of the guardian, this is to be done within a period of 90 days. Where the 90 day period lapses without change in the registration details the operator will suspend SIM-cards of owners who have not updated their registration details.2 The regulations further highlight that it is an offense to knowingly provide false information to the operator or registration agent at the time of registration.3
In line with this, where it is established that a subscriber has provided false information for registration, a complaint shall be filed with the Authority i.e. KICA, and a request made to deactivate the telecommunications service of the subscriber. The Authority will also notify the operator of the complaint and the intent to deactivate telecommunications services after which the operator will give the subscriber an opportunity to be heard and respond to the complaint before deactivation.4
Data Storage and rectification:
The regulations outline that the operator is required to store registration details of personal identification particulars derived from the registration documents and retain copies of the identification documents. Where there are any changes in the identification information, subscribers will be required to communicate the same with the operator within a period of 30 days after which the operator will update the registration particulars within 7 days.5
Data verification and Authentication:
Verification of personal information particulars given at registration will be made against the official data base of the Kenyan government. The operator and /or the registered agent has the responsibility of verification, the verification process will involve authentication of the documents required for the registration process with existing relevant government database.6 The government database referenced is the Integrated Population Registry System (IPRS) the system is intended to link other systems including the third-Generation ID Card, a new Visa issuing System, the new Births and Deaths Certificate System, the new Biometric Passport System and a new Border Management System. It will also be linked to other national population registration systems, including the Kenya Revenue Authority, National Social Security Fund, National Health Insurance Fund Systems, as well as the National Security Database.
Limit on SIM Card Registration
A person can only register a maximum of 10 SIM – Cards except for where SIM card registration applies to registration for a child. It will be an offence for an operator to registers a subscriber’s SIM card above the noted limit. 7
Suspension of Services, DE-activation and reporting of false registration:
The regulations give authority to the operator to suspend telecommunications services for non – compliant subscribers. The subscriber shall first be notified of the intention to suspend the services. Other than the provision on deactivation by the regulatory authority on grounds of false information, the operator may deactivate telecommunication services where,8
-
Subscribers telecommunication services have been suspended for a period of 90 days
-
Upon request by the subscriber
Transfer of SIM- Card/ Telecommunication Service:
The transfer of SIM card is allowed provided the subscriber notifies the operator of their intention to discontinue use and transfer to another person. In this instance, the benefits, use, and liability will be transferred to the intended person upon notice. The intended person must also fully consent to the transfer. 9
Offences and Sanctions:
Offences highlighted in the regulation included,
-
Knowingly providing false information at the point of registration
-
unauthorized registration of subscribers where the person registering is not a telecommunications operator or a registration agent
-
Failure of the telecommunications operator or registration agent to submit prescribed reports to the authority of its operations and maintenance of records on an annual basis or upon request of the regulatory authority. and failure to submit.
Sanctions and penalties for offenses will be determined by the regulatory authority. Lastly, the telecommunications operators and subscribers will be required to fulfill the requirements of the regulation within six months of the regulations coming into force.10
The Registration of Sim Card Regulations 2015 vs The Registration of Telecommunications Service Subscribers 2022
The Key differences between both regulations relate to the following,
-
Requirements for registration: The 2015 SIM card regulations provide for particularized list of personal identifiable information that will be required and collected at registration. The Information includes, postal address where available, an original and a copy of the national identity card, service card, passport or alien card, an original and a copy of the birth certificate, in respect of registration of minors, subscriber number in respect to existing subscribers, a certified copy of the certificate of registration or incorporation and a copy of the national identity card or passport of at least one director, where relevant; and a letter duly sealed by the chief executive officer or the, person responsible for the day to day management of the statutory body.11 The draft 2022 regulations provide for identification documents required for registration but no other particulars that may be required. It also fails to provide for registration particulars for businesses and/ or corporations.
-
Verification and Authentication: verification and authentication in the 2015 regulation was by looking at the Identification documents for each category of person i.e. citizen- an original identity card, original and valid passport or original service card for a member of the Kenya defense Forces. For Kenyans who were yet to receive their national ID a waiting card or police abstract and certified copy of the ID were sufficient. For East African residents, the documents required were an original national identity card, original national passport, an original East African passport, or any other original and valid registration documents acceptable as national identification documents in the country of domicile. Documents for Foreigners included original passport or alien card. The regulation did not provide for the refugee identification card; it did however make provision for the verification of corporate or statutory bodies. In the 2022 draft regulations, verification and authentication are through the official government database. The regulations do not provide for corporate or statutory bodies or East African residents.
-
Limit on SIM Registration: The 2015 regulations did not provide for a limit on SIM card registration whereas the 2022 draft regulations provide a limit on the registration of SIM – Cards.
-
Legal capacity to Act: The 2015 regulations provide for circumstances where an adult has no legal capacity and the provisions that relate to the registration of a minor apply where registration shall be done on behalf of the adult through a guardian. The 2022 draft regulations do not provide for the registration of an adult without legal capacity.
-
Penalties: The 2015 Regulations give a defined penalty to include, a fine not exceeding 300,000 or imprisonment for a term not exceeding 6 months or both. The 2022 regulations leave the determination of the penalties to the regulatory authority without giving any specified penalty.
The Key Issues
The draft 2022 regulations were developed to replace the existing sim card registration regulations and to primarily address the rise in fraudulent activities through the sim swaps which many Kenyans have fallen victim. In line with this, the regulations are also intended to create a harmonized authentication and verification system which was the intended reason behind the need for mandatory SIM card registration in spite of , subscribers already being registered with their respective telecommunication services.
One of the ways in which the update of sim card registration details was being conducted by one of the largest telecommunications operators was through the use of face biometrics.12 This form of registration is not provided for in the 2015 regulations nor has it been provided in the 2022 SIM card regulations. This questions the legality of the process and whether the same should have been provided for. This also creates a legal void where the creation of a biometric subscriber database is likely to be kept for an indefinite period of time and used for different purposes in the future, as technology, corporate incentives, or governments change which then raises numerous data protection and privacy issues.13 The 2022 draft regulations give provision on security and confidentiality. It requires the operator to ensure all reasonable measures have been taken to ensure confidentiality and security of subscribers’ registration particulars in line with relevant data protection laws. This gives validity to the use of the Data Protection Act (DPA_ and further raises questions on whether it will be necessary for telecommunication operators to carry out DPIA prior to the requirement for a large scale registration update exercise.
Additionally, the 2022 regulations highlight some data protection issues, for instance, the DPA provides for right to rectification and erasure14 Regulation 19 on deactivation gives subscribers a right to be heard and before deactivation by the subscriber This regulation aligns with the provisions of the Data Protection Act and the data protection principle on accuracy giving the subscriber a chance during the hearing to rectify the data given to the operator that is inaccurate, outdated, incomplete or misleading. The regulations also highlight the data protection principle on storage limitation, in part, the regulations give provisions on storage of subscriber’s information which ties with the regulation on security and confidentiality, however, it does not give specifics on limitations to the time period on storage of subscriber’s personal information as anticipated by the data protection principle.
Often, the justification for mandatory SIM card registration is to develop preventive measures for the stopping and mitigating criminal and fraudulent issues. It has been noted time and time again that the registration of SIM cards has not adequate addressed the issue. Encryption and anonymity maybe one of the ways to address this issues which the draft regulations could have incorporated when addressing security and confidentiality.15 The 2022 regulations as drafted give a limit of 10 times for the registration of SIM cards, this is likely to exacerbate the situation more than solve it as the limit is without justification. In circumstances where SIM cards can be illicitly cloned, it might create a situation where it is harder to authenticate and validate the owner of a SIM card.
These are but a few of areas that the 2022 draft regulations ought to have addressed, the adequacy of the regulation in addressing the issues is still under debate as the regulations are yet to be amended in consideration of input received from public participation. The third and final part of this blog post series will further discuss arising issues with respect to criminal activities and fraud, commonly referred to as SIM swap, and how the existing regulations more so data protection laws can be leveraged to mitigate the issues.
The image is from Shutterstock
1 Regulation 7, 12
2 Regulation 8
3 Regulation 10(3)
4 Regulation 19
5 Regulation 9, 10(1) (2)
6 Regulation 11 and 12
7 Regulation 15
8 Regulation 18
9 Regulation 14.
10 Regulation 21, 22
11 Regulation 5
12 Ayang Mcdonald, ‘Kenyan telco requires face biometrics for SIM card re-registration.’ (Biometric Update.com, February 2022) <https://www.biometricupdate.com/202202/kenyan-telco-requires-face-biometrics-for-sim-card-re-registration>
13 SIM Card Registration (Privacy International)<https://privacyinternational.org/learn/sim-card-registration>
14 Section 40
15 SIM Card Registration (Privacy International)<https://privacyinternational.org/learn/sim-card-registration>