APPLICATION OF THE DATA PROTECTION ACT IN KENYA: THE ‘HUDUMA NAMBA DECISION’
The High Court recently delivered a clear message that the Constitutional right to privacy must be respected, observed and protected. This right has existed since the Constitution came into force and did not first arise with the enactment of the Data Protection Act 2019 (“DPA”). Any subsequent legislation is intended to give effect to the already existing Constitutional right and is clearly important in order to ensure that a legal framework exists; however, the absence of such legislation does not mean that these rights can be ignored.
The Huduma project
In January 2019 (prior to the enactment of the DPA), the Kenyan government announced the launch of a national identity card system—the National Integrated Identity Management System (NIIMS), popularly known as "Huduma Namba"—requiring the personal and biometric information of all ID-holders to be entered into a centralised national database. Several legal challenges were filed and in January 2020, shortly after the enactment of the DPA in November 2019, the High Court ordered the Government to delay its implementation until a comprehensive regulatory framework under the DPA could be put in place to address, amongst other factors, the data privacy issues arising from the collection and processing of personal data and sensitive personal data. The Government nonetheless proceeded to process the collected data and to continue with the roll-out of the cards, on the basis that it had fulfilled the requisite requirements. The High Court has now declared this roll-out to be unlawful on the grounds that it conflicts with the provisions of the DPA.
The ruling has provided some interesting food for thought:
The retrospective effect of the DPA.
- In its reasoning, the Court observed that the DPA was enacted to give effect to the Constitutional right to privacy and that the DPA was intended to apply retrospectively to such an extent or to such time as to cover any action taken by the State or any other entity or person that may affect the right to privacy.
- The Court further criticised the lack of foresight by the Government stating that “it would have been prudent” for the State to ensure that the legal framework for the protection of the right to privacy was in place before taking any actions that would be likely to infringe such Constitutional right.
- The Court stated that there now existed legislation against which the Government’s actions must be weighed, irrespective of when such acts occurred, on the basis that they affected the individual’s Constitutional right to privacy.
- According to the Court, the provisions in the DPA setting out the requirements for the conduct of a data protection impact assessment (“DPIA”) did not impose any more obligations or duties on the State than that which already existed.
- From our perspective, this reasoning does raise concerns particularly as regards any processing activities carried out prior to the enactment of the DPA and the draft Data Protection (General) Regulations (which are still under review and include a template form of DPIA). Even where the Constitutional right to privacy was recognised and protected in the context of any pre-DPA processing activities, without a legal framework outlining the form of the assessment that data controllers and data processors are expected to have followed, what were such entities expected to do during this period in the absence of any such guidelines?
Data Protection Impact Assessments.
- The Court held that a DPIA should have been carried out prior to the collection and processing activities and issued an order mandating the conducting of a DPIA in accordance with the provisions of the DPA before the continued processing of data and rolling out of the Huduma cards.
- The Court recognised that, whilst DPIAs should usually be carried out prior to the processing of personal data and a significant number of Huduma cards had already been issued, a fresh DPIA should nonetheless be carried out. The assessment will now assist in determining whether or not additional safeguards or processes need to be put in place in respect of the data already processed and stored.
- In its Guidance Note on DPIAs, the Office of the Data Protection Commissioner (ODPC) clarified that the carrying out of a DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of data subjects” and where it is not clear whether or not a DPIA is required, the ODPC recommends carrying out a DPIA nonetheless.
- Whilst the draft Data Protection (General) Regulations are not yet in force and the template form of DPIA may be varied, in light of this recent decision, where you determine that a DPIA is required, we would recommend following the template form available in the draft Regulations and the Guidance Note in the interim.
The decision serves as a reminder to ensure that any processing activities that commenced prior to the enactment of the DPA and which are still continuing comply with the DPA (including the storage and use of such personal data). In the event of an investigation by the ODPC, taking steps now to rectify any areas of non-compliance may go some way towards showing the ODPC what measures your organisation has taken (whether as a data controller or data processor) to ensure compliance with the DPA. This extends beyond the carrying out of a DPIA and includes compliance with notification requirements, technical and security safeguards, and organisational systems and procedures.
The Government has issued a press statement announcing that it will move to the Court of Appeal to challenge the High Court’s decision. We will be keeping an eye on developments in this case and the implications arising from the decisions of the courts.