Case Summary and Outcome

The High Court of Kenya held that the collection of DNA and GPS data was an unjustifiable infringement of the right to privacy and therefore unconstitutional, and that the general data protection framework was insufficient. Three non-governmental organizations approached the Court after the enactment of amendments to the Registration of Persons Act creating a central database of biometric information and implementing a system of unique identification numbers. The Court accepted the need for certain biometric information to be collected and held by the State but held that the risks posed by the collection of DNA and GPS data was not outweighed by the benefits and so was not justifiable. Despite the adoption of the Data Protection Act during the proceedings, the Court held that the regulatory framework governing the collection of data was insufficiently comprehensive and so declared that the entire system could only be implemented after a comprehensive data protection regulatory framework was adopted.

---

Facts

On November 20, 2018, Statute Law (Miscellaneous Amendment) Act No. 18 of 2018 was enacted in Kenya. The Act amended the Registration of Persons Act (Cap 107 of the Laws of Kenya) (the Act) and established the National Integrated Identity Management System (NIIMS), a single source of personal information of all the citizens and foreigners resident in Kenya. Section 9A(2) established the functions of the NIIMS:

a) “to create, manage, maintain and operate a national population register as a single source of personal information of all Kenyan citizens and registered foreigners resident in Kenya;

b) to assign a unique national identification number to every person registered in the register;

c) to harmonise, incorporate and collate into the register, information from other databases in Government agencies relating to registration of persons;

d) to support the printing and distribution for collection of all national identification cards, refugee cards, foreigner certificates, birth and death certificates, driving licenses, work permits, passport and foreign travel documentation, student identification cards issued under the Births and Deaths Registration Act, Basic Education Act, Registration of Persons Act, Refugees Act, Traffic Act and the Kenya Citizenship and Immigration Act and all other forms of government issued identification documentation as may be specified by gazette notice by the Cabinet Secretary;

e) to prescribe, in consultation with the various relevant issuing authorities, a format of identification document to capture the various forms of information contained in the identification documents in paragraph (d) for purposes of issuance of a single document where applicable;

f) to verify and authenticate information relating to the registration and identification of persons;

g) to collate information obtained under this Act and reproduce it as may be required, from time to time;

h) to ensure the preservation, protection and security of any information or data collected, obtained, maintained or stored in the register;

i) to correct errors in registration details, if so required by a person or on its own initiative to ensure that the information is accurate, complete, up to date and not misleading; and

j) to perform such other duties which are necessary or expedient for the discharge of functions under this Act”.

“Biometric” was defined in the Act as unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves and Deoxyribonucleic Acid in digital form” and “Global Positioning Services” was defined as the “unique identifier of precise geographic location on the earth, expressed in alphanumeric character being a combination of latitude and longitude”.

The Nubian Rights Forum – a human rights organization protecting the rights of Kenya’s Nubian community, – the Kenya Human Rights Commission, and the Kenya National Commission on Human Rights believed that these amendments violated the right to privacy under article 31 of the Constitution. Article 31 of the Constitution states: “Every person has the right to privacy, which includes the right not to have (a) their person, home or property searched; (b) their possessions seized; (c) information relating to their family or private affairs unnecessarily required or revealed; or (d) the privacy of their communications infringed.”

The organizations filed individual petitions in the High Court of Kenya, and the petitions were later consolidated. Other organizations, Muslims for Human Rights, Haki Centre, the Law Society of Kenya, and Inform Action were joined as interested parties supporting the petitioners.

The Respondents were the Attorney General, the Cabinet Secretary and the Permanent Secretary of Interior and Co-ordination of National Government; the Director of National Registration; the Cabinet Secretary for Information, Communication and Technology; the Speaker of the National Assembly; and the Kenya Law Reform Commission. The institutions, the Child Welfare Society of Kenya, Ajibika Society, Bunge La Mwananchi, the International Policy Group and the Terror Victims Support Initiative joined the respondents in opposing the petitions.

Before the case was concluded, the Kenyan Parliament enacted the Data Protection Act, 29 of 2019.

---

Decision Overview

Justice Mumbi Ngugi, Justice Pauline Nyamweya and Justice Weldon Kipyegon Korir delivered the judgment. The central issues for consideration were whether the amendments limited the right to privacy by permitting “excessive, intrusive and disproportionate” collection of data or if there were insufficient safeguards and data protection frameworks, and whether the limitations were justifiable.

The Petitioners emphasized the importance of the right to privacy and argued that it “cannot be lightly diluted, infringed and/or interfered with by the State without proper justification” [para. 709]. They argued that the collection of DNA and GPS data was intrusive and unnecessary as there were no legal restrictions on the retention of data and the Kenyan government had not provided any explanation for why the collection of this data was necessary. The Petitioners submitted that the data was being collected without the subjects’ consent and that there was no clarity in the Act on the purpose for which the data was being collected. In addition, the Petitioners submitted that there was a risk that the personal information stored in NIIMS could be accessed by unauthorized third parties and that without strong safeguards the use of biometric technologies can “facilitate discrimination, profiling and mass surveillance” [para. 712]. In respect of children’s privacy, the Petitioners argued that as the Act stated that its provisions applied to persons over the age of 18 it simply did not apply to children and could not be used to collect children’s biometric data. They added that, in any event, there were no safeguards provided to regulate the use of children’s data and that there was no evidence that the collection of biometric data could prevent crimes against children. The Petitioners argued that there were no data protection laws in place to prevent data falling into unauthorized hands and that “it is imperative that appropriate technical and legal standards be formulated to ensure the security of the proposed digital identification system and the privacy of personal data collected” [para. 829]. The Petitioners submitted that the State had not provided evidence to justify why the purpose of the Act was so important so as to infringe the right to privacy or that the means adopted were the only possible way in which to achieve the legislative purpose, and that there had been no evidence provided on how NIIMS would assist crime prevention – one of the stated purposes of the system – or that less restrictive measures had been considered.

The State respondents argued that it was common global practise to collect biometric data, including GPS data, and that there was no reasonable expectation of privacy in respect of fingerprints and iris scans. The State maintained that the collection of children’s biometric data assisted in protecting children against trafficking and in realizing children’s basic human rights, and that the collection of DNA data was permissible in Kenya and assisted in determining paternity of a child. However, the State argued that, in practise, no DNA or GPS data was being collected in Kenya, but that its collection was, theoretically, important. The State maintained that there was a sufficient data protection legal framework and argued that the constitutionality of a law cannot be determined by the absence of statutory or regulatory frameworks. The State reiterated that the purpose of the Act was to create an integrated national identity management system and that this a legitimate state aim which did not disproportionately infringe the right to privacy.

The Court divided the issues concerning the right to privacy into four sections: (a) whether the information collected was “excessive, intrusive, and disproportionate to the stated objectives of NIIMS”; (b) whether children’s privacy was infringed; (c) “whether there are sufficient legal safeguards and data protection frameworks for the personal information that is collected in NIIMS”; and (d) whether the amendments were an “unreasonable and unjustifiable limitation to the right to privacy” [para. 705].

The Court conducted an analysis of the nature of the right to privacy and how comparative jurisdictions had addressed issues of informational privacy. It noted that article 31 protects the right and “guards against specific infringements of privacy, including unnecessary revelation of information relating to family or private affairs” [para. 742]. The Court referred to the South African Constitutional Court case of Bernstein v. Bester NO which had been followed in the Kenyan cases of  Ebrahim v. Ashleys Kenya, Kenya Legal and Ethical Network on HIV & AIDS (KELIN) v. Cabinet Secretary Ministry of Health and Tom Ojienda t/a Tom Ojienda & Associates Advocates v. Ethics and Anti-Corruption Commission, and to the protection of the right given in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the European Convention on Human Rights and the African Commission on Human and Peoples’ Rights. It described the scope of the right as “incapable of definition” and as a “bundle or continuum of rights which have a variety of justification” [para. 748]. The aspect of the right in the present case was the right to informational privacy which includes the right to control one’s own information, and the Court adopted the definition in the KELIN case that the right “protects against the unnecessary revelation of information relating to family or private affairs of an individual, … protects the very core of the personal sphere of an individual and basically envisages the right to live one’s own life with minimum interference … [and] restricts the collection, use of and disclosure of private information” [para. 751]. With reference to the South African case of Mistry v. Interim National Medical and Dental Council of South Africa, the Court noted that when informational privacy is at issue the Court must determine whether the collection of the information was intrusive, whether the information was of intimate aspects of the individual’s life, whether the information was being used for a purpose other than the purpose for which it was provided, and whether the information was disseminated widely.

The Court recognized that, as it contains information about a person, the protection of biometric data falls under article 31 and that the data collected under NIIMS constitutes personal information. It noted that this was important as “the qualification of biometric data as personal has important consequences in relation to the protection and processing of such data, and as such invites a risk of violation of the right to privacy in the event of inadequate protection measures” [para. 760]. The Court accepted the categorization of “sensitive data” set out in the European Union’s General Data Protection Regulation (GDPR), the African Union Convention on Cyber Security and Personal Data Protection, and the newly-introduced Data Protection Act, and held that biometric and DNA data “must be protected against unauthorized access, and access to such data should also be limited through sufficient data security practices designed to prevent unauthorized disclosure and data breaches” [para. 762].

The Court held that at the time the NIIMS was introduced there was no obligation for an individual to consent to their biometric data being collected, and so although the Data Protection Act now requires consent and empowers an individual to object to the processing of their data, the amendments allowed the collection of data without consent. The Court referred to the European Union Advisory Body on Data Protection and Privacy’s Working Document on Biometrics in holding that the collection of some of the biometric data permitted under NIIMS was intrusive and gave the example of the collection of DNA information without the subject’s knowledge. In respect of the collection of GPS data, the Court referred to the US Supreme Court case of United States v. Antoine in noting that the amendments required a “more detailed and strict regulation on the use of GPS co-ordinates” to prevent their abuse [para. 771].

Accordingly, the Court held that the collection of biometric and GPS data constituted the collection of personal and sensitive information which required protection and obliged the State to adopt data protection measures.

The Court examined whether the collection of the personal data was necessary. With reference to the Indian case of Puttaswamy v. Union of India (II) and the Article 29 Data Protection Working Party’s Working Document on Biometrics, the Court noted that the purpose of biometrics collection is to verify a person’s identity and that for the collection to be permissible the biometric data collected should be universal, unique and permanent [para. 778]. It held that most of the data collected in terms of NIIMS met these criteria but that the collection of DNA data did not. The Court referred to the European Court of Human Rights case S and Marper v. United Kingdom 30562/04 in holding that the collection of DNA data under NIIMS was a violation of the right to privacy. It also held that the need for the collection of GPS data was not clear – especially given the risks to privacy that the collection of the data poses.

Accordingly, the Court held that the collection of DNA and GPS data was “intrusive and unnecessary” and unconstitutional but that the collection of other biometric data was not a violation of article 31. The Court recognized that the central purpose of NIIMS was the authorization and verification of individuals which required the creation of a central database and held that the benefits of NIIMS “are in the public interest and not unconstitutional” [para. 790].

In its next examination, the Court assessed whether the NIIMS processes violated children’s right to privacy. The Court held that the reasons given by the State for why children should be registered under NIIMS – the ability to combat terrorism, child trafficking and child labour as well as to protect children’s constitutional rights to, inter alia, education, nutrition, shelter and healthcare and against abuse – were “reasonable and laudable” [para. 809]. Accordingly, the Court held that collection of biometric data of children was constitutional. However, the Court held that the wording and the structure of the Act was such that NIIMS did not apply to children.

The third leg of the Court’s inquiry concerned the assessment of whether the legal safeguards and data protection frameworks were sufficient. The Court accepted Privacy International’s arguments on the risks of exclusion, data breaches and “mission creep” (the collection of data for one purpose used for another) posed by biometric identity systems, and noted that unauthorized access and misuse can risk “discrimination, profiling, surveillance of the data subjects and identity theft” and that central storage means that subjects have no control over the use of their data [para. 880]. With reference to the report on data privacy from the UN High Commissioner for Human Rights, the Court stated that “all biometric systems, whether centralised or decentralised, and whether using closed or open source technology, require a strong security policy and detailed procedures on its protection and security which comply with international standards” [para. 883]. The Court considered the GDPR, the UN Principles on Personal Data Protection and Privacy, the OECD Privacy Principles, and the African Union Convention on Cyber Security and Personal Data Protection. The Court found that the Data Protection Act had incorporated “most of the applicable data protection principles” but that it did not apply to the Registration of Persons Act – the relevant legislation in the present case – and that necessary regulations to the Data Protection Act had not been issued.

The Court also examined whether the protection regime was sufficient to protect children’s informational data, and held that there was no protection within the Act itself and that although the Data Protection Act did introduce some protection the lack of children-specific protection provisions rendered the legislative framework inadequate in respect of the protection of children’s data.

Accordingly, the Court held that “the legal framework on the operations of NIIMS is inadequate and poses a risk to the security of data that will be collected in NIIMS” [para. 885].

Finally, the Court examined whether the limitations on the right to privacy – through the collection of DNA and GPS data and because of the inadequacies in the data protection framework – were unnecessary, unreasonable and unjustifiable. Under the Kenyan Constitution a right can only be limited in terms of article 24, which requires that the limitation be in accordance with the law and “only to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account the nature of the right or fundamental freedom” [para. 912]. The Court stressed that courts must assess the purpose and importance of the limitation and whether there are less restrictive means through which to achieve that purpose.

The Court held that the collection of DNA and GPS data without appropriate safeguards and procedures was unjustifiable. It also held that the framework set out within the Act was incomplete and so did not create a comprehensive framework for the collection of personal data and was therefore was not clear and unambiguous. Accordingly, the Court held that the process was unjustifiable and unconstitutional.

The Court declared the sections requiring the collection of DNA and GPS data unconstitutional, and held that the State could implement the NIIMS system “on condition that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable constitutional requirements” [para. 1047].

---