Case Summary and Outcome

The High Court of Kenya ruled that the decision by the Communications Authority of Kenya (CAK) to integrate a system that would give it potential access to mobile phone subscriber information was unconstitutional and invalid. The case was taken by the Kenya Human Rights Commission (KHRC) around the same time as Okoiti v. Communications Authority of Kenya, a case that dealt with the constitutionality of the same system. As in the latter case, the High Court of Kenya found that the system amounted to a violation of the right to privacy. In its judgment, the High Court of Kenya drew on international, regional and domestic standards, including from the jurisprudence of the European Court of Human Rights, to reach its conclusion that the system was unlawful, unreasonable and disproportionate. In particular, the High Court noted that less restrictive avenues were open to a number of statutory bodies to deal with the purpose behind the system, which was purported to be the combatting of counterfeit devices. The High Court Judge noted the emerging threats that exist in the digital era, in which people’s lives are increasingly being conducted online, and remarked on the importance of the internet for individuals to express themselves, conduct their business, and explore their sexuality. The High Court ordered that the CAK refrain from implementing the system.

Facts

On January 20, 2016, mobile service providers received an invitation from the Communications Authority of Kenya (CAK) to “discuss the proliferation of counterfeit handsets in the country”. [para. 26] On the same day, the CAK held an international tender for the design, supply, delivery, installation, testing, commissioning and maintenance of a Device Management System (DMS). The DMS was designed to access certain information of the mobile service providers’ subscribers, including international mobile equipment identities and call data records. On October 10, 2016, CAK informed the service providers that the DMS would be installed.

One of the mobile service providers, Safaricom, sent a letter to CAK on October 17 raising concerns about the confidentiality of its subscribers’ information under the new system and security concerns relating to the installation of the system. A couple of meetings were held between CAK and the service providers in which all the invited service providers raised the same concerns. On January 31, 2017, despite repeated requests for further engagement to discuss impact on the networks and consumers, the service providers received a letter informing them that the installation of DMS would commence without any further technical discussions.

Various individuals and institutions expressed concern about the DMS and its impact on the right to privacy of mobile service subscribers. These parties included the Kenya Human Rights Commission (KHRC), which filed a petition against the Communications Authority of Kenya (CAK), the Attorney General and the relevant Kenyan telecommunications companies. At much the same time, Okiya Okoiti, the executive director of the Kenyans for Justice and Development Trust also approached the High Court seeking a declaration of unconstitutionality. That case, Okoiti v. Communications Authority of Kenya (Okoiti), was filed separately to the one brought by the KHRC and as the question of consolidating the two cases came up at a time when the Okoiti case had already progressed the two were heard separately. Nonetheless, given the almost identical subject matter and that the two cases were heard by the same judge, the reasoning in both was very similar.

The KHRC argued that the DMS was introduced to spy on the mobile and communication devices of Kenyans without public consultation or participation. It argued that the DMS would unduly, unreasonably and without justification limit the rights and fundamental freedoms of Kenyans, including the right to privacy under Article 31 of the Kenyan Constitution. It averred, in particular, that “many people including lawyers, doctors, counsellors, religious leaders, journalists hold confidential information relating to their clients in electronic devices and these are threatened with violation.” [para. 10] In addition, the KHRC argued that the stated purpose of DMS– that it would block fake devices – was unnecessary as there were existing system which could ascertain the relevant details of the devices without infringing on Kenyans’ privacy.

The CAK argued, among other things, that the DMS was for the purpose of combatting the circulation of counterfeit or stolen devices (something that CAK had been doing since 2011), that it was necessary to create a centralized equipment identification register, and that the DMS was still at the design stage. The CAK denied the submissions that it had not consulted with the mobile service providers.

Safaricom – one of the mobile service providers cited as a respondent – argued that it had been incorrectly cited as a respondent as “it has no power to install the system complained of”. [para. 25] It submitted, among other things, that it had reached the conclusion that “its subscribers are at risk of having their personal details, telecommunications, short message services, social media messaging and data exchanges being subject to interference by installation of the said DMS device”. [para. 31] Safaricom stated that it was concerned that its “subscribers shall desist from using their devices, in effect reversing the progress made in making communication easier for subscribers”. [para. 32]  

Decision Overview

Judge John M. Mativo delivered the judgment of the High Court in Nairobi (Court). The central issue for the Court’s determination was whether the DMS limited the right to privacy of mobile service subscribers and, if so, whether that limitation met the requirements of being reasonable and justifiable in an open and democratic society.

In the judgment Judge Mativo emphasized the similarities between the present case and the Okoiti case and stated that he would reproduce much of the reasoning he had included in the Okoiti judgment in this judgment.

He began by stating that privacy is a fundamental right guaranteed by numerous human rights instruments. He said that it “supports and reinforces other rights, such as freedom of expression, information, and association” and that it “embodies the presumption that individuals should have an area of autonomous development, interaction and liberty … free from arbitrary state intervention and from excessive unsolicited intervention by other uninvited individuals”. [para. 52] He went on to observe that the right to privacy entails that a person should have control over his personal information and should be able to conduct his personal affairs relatively free from unwanted intrusion. He noted that this case was being determined in “the context of a global information based society” and that “the Court has to be sensitive to the needs of and the opportunities and dangers posed to liberty in a digital world”. [para. 53] In this context, he emphasized the role data protection plays in safeguarding individuals’ right to privacy and identity, and the increased threat posed to personal data by innovations in information technology.

Judge Mativo briefly indicated how the right to privacy is treated under various international instruments, like the Universal Declaration of Human Rights. In Kenya, he noted that Article 31 of the Constitution protects the right to privacy and it states that “[e]very person has the right to privacy, which includes the right not to have their person, home or property searched; their possessions seized; information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed”. He also noted that the notion of the right to respect for private life under Article 8 of the the European Convention on Human Rights had been extended to cover email communications. He referred to the European Court of Human Rights (ECtHR) jurisprudence which had recognized the “intrusiveness inherent in government interception of the content of communications”. [para. 58] He quoted at length from the ECtHR case of 10 Human Rights Organisations v. United Kingdom, in which it was said that “[c]ommunications data is the digital equivalent of having a private investigator trailing a targeted individual at all times” and that “[g]iven enough raw data, today’s algorithms and powerful computers can reveal new insights that would previously have remained hidden”. [para. 61]

Judge Mativo observed that many citizens live major portions of their lives online. He went on to state that “[c]itizens use the computers and cell phones to conduct businesses, to communicate, impart ideas, conduct research, explore their sexuality, seek medical advice and treatment, correspond with lawyers, communicate with loved ones and express political and personal views. Citizens also use the internet to conduct many of their daily activities, such as keeping records, arranging travel and conducting financial transactions. Much of this activity is conducted on mobile digital devices, which are seamlessly integrated into the citizens personal and professional lives.” [para. 59] With this in mind, he concluded that “[t]hreats to individual privacy are greater now than ever envisaged” and that a “comprehensive personal dossier can now take minutes to compile electronically”. [para. 62]

Judge Mativo acknowledged that privacy is not an absolute right, and that an interference with the right to privacy may be justified if it can meet the constitutional test for permissible restrictions. Article 24 is the Constitution’s general limitation clause and requires that “[a] right or fundamental freedom in the Bill of Rights shall not be limited except by law, and then only to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom”.

Judge Mativo had little difficulty in finding an interference with the right to privacy in this case, since the purpose of the DMS was to access information of mobile phone subscribers. He noted that such access would only be lawful if it fell within section 27A of the Kenya Information and Communications Act, which set out the circumstances under which mobile operators could legally disclose the information of their subscribers. These situations were (i) for the purpose of facilitating the performance of any statutory functions of the Authority; (b) in connection with the investigation of any criminal offence or for the purpose of any criminal proceedings; or (c) for the purpose of any civil proceedings under the Kenya Information Communications Act. Judge Mativo reasoned that accessing mobile telephone subscriber information in a manner other than provided for by this law would inherently infringe the right to privacy. Later, Judge Mativo determined that there was nothing to demonstrate that the DMS fell within the provision. He would also go on later to find that combatting counterfeit goods was the function of the Anti-Counterfeit Agency, thus the CAK was purporting to perform a statutory function it did not have.

Judge Mativo recognised that although rights may be limited they do “enjoy a prima facie, presumptive inviolability” and so any limitations must meet the rationality, reasonableness and proportionality tests. [para. 68-69] He went on to summarize that a limitation of a constitutional right will be constitutionally permissible if “(i) it is designated for a proper purpose; (ii) the measures undertaken to effectuate such a limitation are rationally connected to the fulfilment of that purpose; (iii) the measures undertaken are necessary in that there are no alternative measures that may similarly achieve that same purpose with a lesser degree of limitation; and finally (iv) there needs to be a proper relation (“proportionality stricto sensu” or “balancing”) between the importance of achieving the proper purpose and the special importance of preventing the limitation on the constitutional right.’” He also referred to the Canadian case of R v. Oakes [1986] which had described the proportionality test as requiring a determination as to whether the measures which limits the right are “carefully designed to achieve the objective in question”, that they impair the right “as little as possible” and that there is “proportionality between the effects of the measures …and the objective”. [para. 73]

As to whether the DMS was the least restrictive means of achieving an objective, Judge Mativo stated that “the illegal devices are not manufactured in Kenya. There are laws governing importation of goods. There are laws governing counterfeit goods. The Kenya Bureau of Standards monitors standards. We have the Kenya Revenue Authority. We have the National Police Service. All the points of entry are manned. These laws and the institutions they create have not been shown to be insufficient. It is also admitted that in the past 1.89 Million illegal devices were switched off. The Mobile Network Owners are able to identity and block black listed devices. This can be used to effectively combat the illegal devices by denying them access as was successfully done in the past. All these are lawful and less restrictive means.” [para. 75] He also noted, as mentioned above, that the access envisaged by the DMS was not in accordance with the law. Therefore, the DMS was unlawful, and an unreasonable and unjustifiable limitation on the right to privacy according to Article 24 of the Kenyan Constitution. [para 79]

In examining whether the DMS system had been implemented after adequate public participation, Judge Mativo noted that “[e]ven though the information under threat belongs to the subscribers, there was no attempt to engage them or the public”. [para. 91] This – along with his findings that the form of the public engagement did not meet the standard required by Kenya’s Constitution – led Judge Mativo to hold that there was “inadequate public participation prior to the attempt to implement the DMS system”. [para. 99]

In one significant difference to the Okoiti case, the KHRC had raised the issue of the DMS infringing mobile service subscribers’ consumer rights. Judge Mativo referred to Article 46(1)(c) of the Constitution which states that consumers have the right to the protection of their “health, safety and economic interests”. Judge Mativo held that not giving mobile subscribers information relating to the DMS system was a breach of their constitutional and statutory rights in this regard. [para. 124]

Judge Mativo held that the decision to implement DMS was inconsistent with the Constitution, the Kenya Information and Communication Act and the Consumer Protection Act, and was therefore null and void. He gave a number of forms of declaratory relief, and ordered a prohibition on the CAK implementing the DMS to access certain information of mobile phone subscribers.