R v Joe Mucheru and 2 others ex parte Katiba Institute and another

Country: Kenya
Court: High Court, Nairobi
Status: Judgment
Tags: digital identity, right to privacy, data protection

Summary

The High Court of Kenya declared that the Huduma Namba rollout was illegal due to a conflict with the Data Protection Act, 2019. According to the applicants, the respondents violated Section 31 of the Data Protection Act and disregarded the Nubian Rights Forum judgment. The court had previously ordered that the respondents could proceed with the National Integrated Identity Management System (NIIMS) implementation only after enacting an appropriate and comprehensive regulatory framework that is compliant with the Constitution. Additionally, the applicants argued that the respondents' actions in collecting and processing data are subject to the entirety of the Data Protection Act. While it is true that Section 31 of the Act requires that a Data Protection Impact Assessment (DPIA) be conducted where the processing of personal data is likely to result in a high risk to the data subjects' rights and freedoms, the respondents and interested party argued that at the time personal data under NIIMS was collected, a DPIA was not a requirement prior to the processing of personal data. The High Court determined that the Data Protection Act applies retrospectively and that, as such, the processing and collection of data were unlawful due to the absence of a prior data protection impact assessment.

Analysis

On October 14, 2021, the High Court ruled that the rollout of Huduma Namba cards in November 2020 violated the Data Protection Act, rendering the card invalid. The Court stated that the government was in violation of the Act for collecting and processing data without conducting a Data Protection Impact Assessment as required by the Act. Section 31 requires that where a processing operation is likely to result in a high risk to a data subject's rights and freedoms as a result of its nature, scope, context, and purposes, a data controller or data processor shall conduct a data protection impact assessment prior to the processing. Additionally, the Act states that a data protection impact assessment shall include the following: a systematic description of the envisaged processing operations and purposes of the processing, including, where applicable, the data controller's or processor's legitimate interest; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; and an assessment of the risks to data subjects' rights and freedoms.

The aggrieved party was Katiba Institute, which was led by legal scholar Yash Pal Ghai. The complaint was that the government did not provide adequate protection for citizens' personal information against theft or misuse. Katiba Institute questioned the State's failure to conduct a data protection impact assessment prior to the registration and data collection process. Reference was made to Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties) (2019), which challenged the government's data collection practices under the Registration of Persons Act. Additionally, it cast doubt on the security of the National Integrated Identity Management System (NIIMS), as well as the absence of public participation and the collection of sensitive personal data, such as DNA and location data. The court determined in that case that the State could continue collection of data and the registration process if it enacted a data protection law.

The court issued an order of certiorari (review) to vacate the respondent's November 18, 2020, decision to roll out the Huduma Card on the grounds that it was in violation of Section 31 of the Data Protection Act. Furthermore, it issued an order of mandamus requiring the respondent to conduct a data protection impact assessment in accordance with the Data Protection Act prior to processing data and disseminating Huduma Namba cards.

As of September 2021, the government had processed 9 million Huduma Cards, which were distributed to different collection centers across the county; 6 million Huduma cards have since been collected. The implications of the orders for the issued cards suggest that they cannot be used until the respondents adhere to the orders given and conduct a Data Protection Impact Assessment. The orders further suggest a halt to the Phase II registration process for persons who did not get a chance to register.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

Data controller: a natural or legal person who determines the purposes and means of personal data processing and is accountable for the data filing system's establishment and administration.

Data processor: a natural or legal person that processes personal data on the basis of a data controller's authorization.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.