MANDATORY SIM CARD REGISTRATION: WHY THIS IS ALARMING FOR DATA PROTECTION AND THE RIGHT TO PRIVACY OF KENYANS
The ongoing SIM card registration by Safaricom has been met with opposition, with many Kenyans doubting the motive behind it. All mobile subscribers have been asked to register their SIM cards failure to which they face the danger of their lines being blocked by Safaricom. According to the Communications Authority of Kenya (CAK), the registration is meant to reduce incidences of digital fraud and cybercrime that have been prevalent in the local telecommunications sector. This blog post will address some of the concerns that have arisen. First, the blog will outline the legal frameworks that regulate Sim Card registration in Kenya and relate the requirement to data. Second, we will discuss major legal issues that arise from this process such as the legality of the process, application of data protection law and lack of transparency. Lastly, the blog will conclude by highlighting the proposed reforms to regulate the registration of SIM-cards in Kenya.
SIM Card registration in Kenya is governed by the Kenya Information and Communications Act of 1998, which under Section 27D grants the Cabinet Secretary (CS) the ability to adopt SIM Card rules in conjunction with the Communications Authority of Kenya (CAK). As a result, the Kenya Information and Communications (Registration of SlM-cards) Regulations, 2015 were enacted. Regulation 5 of the Registration of Sim-Cards provides that a person intending to register a SIM-card must supply the telecommunications operator or agent with specified information, including but not limited to complete names, identification cards (copy and original), date of birth (original birth certificate). This type of data is protected under the Data Protection Act No. 24 of 2019 (the DPA).
The type of data collected for registration is protected under the DPA provides for ‘Sensitive personal data” which refers to information about a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including names of the person’s children, parents, spouse or spouses), sex or sexual orientation. Therefore, the necessary data that is required for the registration of sim cards falls under data that is protected by the DPA.
The first issue is to determine the legality of registration. Regulation number 5 of Kenya Information and Communications (Registration of SlM-cards) Regulations lists the necessary details. This list, however, does not provide for the requirement of biometric data. Biometric data as per section 2 of DPA means personal data resulting from specific technical processing based on physical, physiological or behavioral characterisation including blood typing, fingerprinting, deoxyribonucleic acid analysis, earlobe geometry, retinal scanning and voice recognition. Safaricom, one of Kenya’s top mobile telephone network providers, is reportedly requesting subscribers to bring their IDs to the nearest Safaricom shop or any partner agency to update their SIM details, a process that will also necessitate the submission of face biometrics. This requirement in itself is not provided for in law and therefore illegal. The Kenya Human Rights Commission (KHRC) expressed their concerns on their official Twitter handle that the decision to make Kenyans submit to having their images taken and retained is “illegal and promotes intrusive data collecting.” The Communication Authority of Kenya CEO, Ezra Chiloba, stated that the process was actually the verification of Sim Card holders’ information. He also stated that individuals were not required to submit their photos in order to be compliant with the process.
The second issue arises from the failure to abide by the legal frameworks provided for data regulation in Kenya. The DPA regulates the following when it comes to data: data collection; type of data to be collected; data security; data disclosure; data retention; data quality; data deletion; and data update. Biometric data is sensitive data and its exposure provides distinct data privacy concerns and repercussions on numerous levels. For example, once your biometric data has been hacked or exposed, you are vulnerable to identity-based attacks indefinitely. One of the steps that should be taken before the collection of biometric data is to get the consent of subjects. Consent of the data subject to processing for one or more stated purposes is one of the legal bases for processing personal data under Section 30(1)(a) the DPA. In this case, Kenyan Citizens did not consent to give their biometric data, that is images of them being taken for the purpose of their SIM-Card registration.
A great concern is a lack of transparency. Several civil society organizations, for example, have opposed Mandatory SIM card registration as. During Kenya’s 2019 universal periodic review by UN mechanisms, mandatory SIM registrations were linked to surveillance of human rights advocates. While national security is cited as a reason for requiring SIM card registration, registration has also been alleged to provide law enforcement with direct access to telecommunications networks. The State of Mobile Internet Connectivity 2020 report by GSMA, an industry association that represents the diverse interests of mobile operators around the world, just 59 per cent of nations that need SIM card registration to have strong data protection regulations. In the absence of such safeguards, the information stored on SIM cards could be easily accessed and shared with other databases and third parties. The Kenya Human Rights Commission (KHRC) has warned that the government’s decision to require Kenyans to register their SIM cards jeopardises Kenyans’ privacy rights since the government had yet to implement necessary safeguards for Kenyans’ data protection.
In conclusion, this process has left important questions such as what happens to the biometric data that was already collected? and who is to be held accountable for any data breaches? unanswered. The Kenya Information And Communications (Registration of Telecommunications Service Subscribers) Regulations, 2022 (draft) has been proposed to reform the Kenya Information and Communications (Registration of SlM-cards) Regulations, 2015. The draft seeks to clarify issues such as the requirement of registration as well as address emerging issues such as the protection of minors and vulnerable groups.
The second part of this three part series blog post on the SIM card registration wil further elaborate the provisions proposed in The Kenya Information And Communications (Registration of Telecommunications Service Subscribers) Regulations, 2022.
Image is from www.gettyimages.com