Katiba Institute Challenges the Constitutionality of Public Notices by CA & KRA on IMEI Numbers

Katiba Institute has filed a Petition at the Nairobi High Court Constitutional and Human Rights Division challenging the constitutionality of the public notices issued by the Communications Authority of Kenya (CA) and Kenya Revenue Authority (KRA) posted on their websites on 24 October 2024 and 5 November, respectively. In the notices, the agencies require all individuals to register their International Mobile Equipment Identity (IMEI) Numbers, in a move which is entirely unjustified and disproportionate. IMEI numbers are uniquely and irrevocably tied to the hardware of a mobile phone. The numbers allow mobile phone providers to pinpoint an individual’s location within a 100-meter radius and give insight into a person’s communication history. Without the proper safeguards, it appears that the government is usurping authorities it does not have in the first place to establish a mass surveillance system. If CA and KRA are given access to mobile service provider information, their IMEI database allows them to monitor people’s movements and calls in an unprecedented way.

In summary, the regulations/notices:

1. Require people to disclose their mobile phones’ IMEI numbers to the CA and KRA.

2. Enable CA and KRA to establish a database to store the IMEI numbers.

3. State that only those who have disclosed their IMEI numbers will be able to connect to the local network (a practice known as whitelisting). People who haven’t disclosed their IMEI will not be able to buy SIM cards in Kenya.

Katiba Institute’s Arguments:

  1. Right to Privacy

Katiba Institute contends that these regulations/notices are problematic. One problematic aspect is the new requirement that individuals declare their mobile phones’ IMEI numbers. Upon the registration of phones, IMEI numbers constitute personal data and, when read in combination with specific data held by mobile service providers, can identify a person’s susceptible information, including location and communication history.

In addition, the newly introduced practice of ‘whitelisting’ of devices means that only a device with its IMEI registered on the CAK/KRA databases can connect to mobile networks. Thus, anyone not registering their IMEI cannot buy a SIM card from a Kenyan mobile network provider.

The unnecessary creation of a master database to give comprehensive access to personal IMEI numbers to government authorities threatens the right to privacy. It is the first step towards possible mass surveillance. Further, disclosing IMEI numbers without sufficient safeguards risks an individual’s fundamental rights and freedoms and may lead to illegal and unwarranted state surveillance.

In their bid to fix the revenue leakage, the Respondents, through the notices, do not consider the risk that the measure poses to human rights. The measures in the notice, disguised to be in pursuit of an economic policy, the government has instituted and notified measures that would have minimal impact on revenue leakage but create a foundation for undermining economic freedom, the right to dignity, equality, and privacy. Therefore, the new directive risks creating a surveillance state in which everything is watched, contrary to constitutional protections.

2. Right to Access Information

Article 35(3) of the Constitution provides for Access to Information, and Section 5(1)(c) of the Access to Information Act CAP 7M requires all relevant facts to be published before formulating important policies and announcing decisions impacting the public. Thus, the Respondents were obliged to proactively disclose the Data Protection Impact Assessment conducted on collecting IMEI data.

3. Failure to Comply with the Data Protection Act

Section 31 of the Data Protection Act Cap. 411C requires a data controller or a data processor to conduct a data impact assessment before processing personal data where the processing might pose a right to a data subject’s fundamental rights and freedoms. The Respondents were thus obligated to conduct a data impact assessment before publishing the notices/regulations. Without a data impact assessment, the risk of violating the right to privacy and other fundamental rights and freedoms remains unmitigated.

4. Failure to Involve Parliament

Parliament is the only body constitutionally mandated to make laws. Where state agencies such as the Respondents make regulations, they must be tabled in parliament for scrutiny and consideration. Failure to present regulations to parliament renders them null and void. The purported regulations published by the Respondents are unconstitutional because they fail to involve Parliament.

Download the petition here

SUBSCRIBE FOR UPDATES

Stay in the Know!

We respect your privacy.