Privacy, Data Protection and Retention
Data Protection Commissioner v. Facebook (Schrems II)
Closed Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The High Court of Kenya held that the Communications Authority of Kenya’s plan to implement a system that provided them with access to mobile service subscribers’ data was unconstitutional. The case was brought by the executive director of a legal trust who believed that the plan to install a communication surveillance system on mobile networks allowing access to certain information of mobile service subscribers, including their call data records, was unconstitutional. He argued that the policy formulation and implementation process lacked adequate public participation and that the system itself amounted to a breach of mobile service subscribers’ rights to privacy. The Government of Kenya argued that the system was needed to monitor and identify illegal mobile devices. The High Court found that the system was “a threat to the subscribers’ privacy” and that there were less restrictive measures that could be used to identify illicit devices. The High Court also found that the system had not been adopted in accordance with law. In its judgment, the High Court relied on jurisprudence on the right to privacy from a range of international and regional bodies, including the European Court of Human Rights and the United Nations Human Rights Committee.
In January 2017, the Communications Authority of Kenya (CAK) sent letters to the country’s mobile service providers informing them of a new system that it would be implementing. The system, dubbed the Device Management System (DMS), involved the installation of a communication surveillance system on mobile networks that would reportedly allow access to certain information of mobile service subscribers, including their call data records. [para. 60] The reason given by CAK for adopting the DMS was to “monitor and identify stolen handsets, counterfeit phones and devices that have not been type-approved by the regulator”. [para. 8]
Concerned about the impact the DMS would have on mobile service subscribers, Okiya Okoiti, the executive director of the Kenyans for Justice and Development Trust (a legal trust seeking to promote democratic governance, sustainable economic development and prosperity) filed a petition to the Kenyan High Court in Nairobi. In his petition, he argued that the policy formulation and implementation of the DMS was contrary to the law requiring public participation in such activities. He contended that the Government of Kenya had not provided information on whether the DMS would provide it with capabilities “for spying on calls and texts and reviewing mobile money transactions” or on how the implementation of the system would protect citizens’ rights to privacy. [para. 8] He also argued that the installation of the DMS would enable the Government of Kenya to “snoop” on anything the unsuspecting population transacts through their mobile phones, and Kenyans would no longer enjoy the right to privacy over the use of their mobile phones.
The case was taken against (i) the CAK, (ii) the private company responsible for installing and implementing the DMS (Broadband Communications Networks Ltd), (iii) the Cabinet Secretary for Information, Communication and Technology, and (iv) the Attorney General. Mr. Okoiti sought declaratory relief and a range of orders aimed at remedying and preventing the alleged violations that would be caused by the DMS, including an order prohibiting the Respondents from proceeding to implement the DMS or acting in any way to interfere with the privacy of Kenyan citizens through the use of communications surveillance technologies.
A number of interested parties – including three mobile network operators, a coalition of political parties, and Article 19-East Africa (the East African chapter of the international freedom of expression organization) – joined the case.
Judge John M. Mativo delivered the judgment of the High Court. The main issue before the Court was to determine whether “the DMS system threatens or violates the Right to privacy” of mobile service subscribers. [para. 33]
Judge Mativo began by recognizing that the right to privacy is a fundamental right that is “central to the protection of human dignity and forms the basis of any democratic society” and which “supports and reinforces other rights, such as freedom of expression, information and association”. [para. 63] He added that “[a]ctivities that restrict the right to privacy, such as surveillance and censorship, can only be justified when they are prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued”. [para. 63] Judge Mativo defined the right to privacy as entailing that individuals “should have control over his or her personal information and should be able to conduct his or her personal affairs relatively free from unwanted intrusions”. [para. 64] Judge Mativo emphasized the importance of data protection as a component of the right to privacy as it “provides for the legal protection of a person in instances where such a person’s personal particulars are being processed by another person or institution”. [para. 74] He stated that the right to privacy has positive and negative elements: “[t]he negative content restrains the state from committing an intrusion upon the life and personal liberty of a citizen” and the “positive content imposes an obligation on the state to take all necessary measures to protect the privacy of the individual”. [para. 77]
The nature of modern life was an important aspect of Judge Mativo’s analysis as he recognized the context in which this matter was being determined, and that the “debate on privacy is being analyzed in the context of a global information based society” and said that “the task before the Court is to impart constitutional meaning to individual liberty in an interconnected world”. [para. 64] He said that the courts had to understand the “needs of and the opportunities and dangers posed to liberty in a digital world”, and he noted that technological advancements had necessitated an evolved understanding of the right to privacy to “encapsulate state obligations related to the protection of personal data”. [para. 71] This was particularly true because of how the quantity of personal data had dramatically increased with the internet. Judge Mativo commented on the way in which data protection can protect individual’s personal information and noted that “the compilation and distribution of personal information creates a direct threat to the individual’s privacy”, [para. 65] and remarked that “[t]hreats to individual privacy are greater now than ever envisaged”. [para. 73]
In the judgment, Judge Mativo made reference to the Universal Declaration of Human Rights, which he said provided the “modern privacy benchmark at an international level”. [para. 66] He went on to acknowledge that “[t]he recognition and protection of the right to privacy as a fundamental human right in the [Kenyan] Constitution provides an indication of its importance”. [para. 68] He also noted that there are international instruments and pieces of domestic legislation that addressed data protection. He observed that the European Court of Human Rights (ECtHR) had “long recognised the intrusiveness inherent in government interception of the content of communications”. [para. 69] He referred, for instance, to 10 Human Rights Organisations v. The United Kingdom where the ECtHR compared the collection of communications data to “having a private investigator trailing a targeted individual at all times”. [para. 72]
Judge Mativo referred to the letter sent by CAK informing the mobile service providers that the DMS would be used to “access information” of their customers. He held that this access would only be lawful if it fell within the permitted parameters established by Kenyan legislation and met the standards set by the general limitations clause under Article 24 of the Kenyan Constitution. Article 24 provided that “[a] right or fundamental freedom in the Bill of Rights shall not be limited except by law, and then only to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom”.
Judge Mativo noted that the CAK’s argument that the DMS was required to help combat illegal mobile devices had to be examined in light of the rationality test and the reaonableness/proportionality test. [para. 80] He said that the Court was required to determine whether the CAK’s justification was “reasonably related” to a legitimate purpose. In this case, the legitimate purpose was “to enable the CAK to fulfil its statutory mandate.” [para. 81] This required a determination of whether “combating illegal devices” was within the CAK’s legislative mandate, which Judge Mativo would return to later.
To determine reasonableness, Judge Mativo noted that he had to consider two factors. First, he had to consider whether there was a “valid, rational connection” between the way in which DMS limits the right to privacy and a legitimate public interest (the connection cannot be so remote as to render the decision arbitrary or irrational). Second, he must consider whether there were alternative ways in which the CAK could achieve that public interest goal. [para. 81] With reference to the Canadian case of R v. Oakes, Judge Mativo also noted that a common way to determine whether a law limiting rights is justified is by assessing whether the law was proportionate. Taking all the above into account, he stated that a limitation on a constitutional right will be constitutionally permissible if “(i) it is designated for a proper purpose; (ii) the measures undertaken to effectuate such a limitation are rationally connected to the fulfilment of that purpose; (iii) the measures undertaken are necessary in that there are no alternative measures that may similarly achieve that same purpose with a lesser degree of limitation; and finally (iv) there needs to be a proper relation (“proportionality stricto sensu” or “balancing”) between the importance of achieving the proper purpose and the special importance of preventing the limitation on the constitutional right.’” [para. 83]
Judge Mativo noted that there were a number of less restrictive measures that could have been adopted to achieve the purpose relied on by the CAK. For instance, as the illegal devices were not manufactured in Kenya, laws and regulatory bodies responsible for overseeing the importation of goods could be relied on to prevent the importation of such illegal devices into Kenya. Judge Mativo also noted that 1.89 illegal devices had been successfully switched off in the past without recourse to the DMS.
He also noted that mobile service providers could only release subscriber data under limited circumstances provided by Kenyan law (e.g. section 27A Kenya Information and Communications Act). No evidence had been provided to the High Court demonstrating that the DMS complied with such provisions of Kenyan law in order to access the relevant information of mobile network subscribers.
He then noted that the DMS could only pass the test for general limitations under Article 24 of the Kenyan Constitution if it was adopted in a manner consistent with the law. Judge Mativo also noted that, for the decision to be legal, the object cited (namely combating illegal devices) must be within the statutory mandate of the CAK. He concluded that the mandating of combating illegal devices did not fall within the statutory mandate of the CAK.
He declared that CAK’s request to use the DMS to access mobile service subscribers’ information as “a threat to the subscribers’ privacy, hence a breach of the subscribers’ constitutionally guaranteed rights to privacy, therefore unconstitutional null and void”, and he prohibited implementation of the DMS in relation to the three mobile networks. [para. 165]
In his judgment, Judge Mativo also held that the public participation process adopted by CAK when designing and implementing the DMS were inadequate and so “the decision to install the DMS system and the purported implementation is incapable of being read in a manner that is constitutionally compliant”. [para. 103]
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
This decision expands expression by recognizing mobile phone users’ rights to privacy over their telecommunications data, and by striking down a potentially intrusive surveillance regime. Although the judgment does not deal explicitly with the right to freedom of expression, by safeguarding the right of mobile users to utilise their devices within a zone of privacy will ensure greater freedom in communications across such devices.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.