Compliance With Data Protection Norms Necessary For Proceeding With National Biometric ID Project : Kenya HC [Read Judgment]

The Kenya High Court at Nairobi last week ruled that compliance with international norms of data protection is necessary for the Government to proceed with its national biometric identity project called "Huduma Numba/National Integrated Identity Management System (NIIMS)".

The Court did not find NIIMS, a national program for mandatory registration of Kenyan citizens with their biometric data, to be per se unconstitutional. However, it held that collection of DNA and GPS location coordinates of the citizens for this project was "intrusive and unnecessary" and hence unconstitutional for infringing right to privacy under Article 31 of the Kenyan Constitution.

The Court gave a declaration that :

"the collection of DNA and GPS co-ordinates for purposes of identification is intrusive and unnecessary, and to the extent that it is not authorised and specifically anchored in empowering legislation, it is unconstitutional and a violation of Article 31 of the Constitution".

In its 205 page long judgment, the court concluded that the stated benefits of NIIMS are in the public interest and not unconstitutional. However, it noted that the legislative framework on the protection of biometric data collected in NIIMS is inadequate. 

It observed :

"an inadequate legislative framework for the protection and security of the data is clearly a limitation to the right to privacy in light of the risks it invites for unauthorized access and other data breaches. To this extent we found the lack of a comprehensive legislative framework when collecting personal data under the impugned amendments, is contrary to the principles of democratic governance and the rule of law, and thereby unjustifiable". 

Highlighting the importance of having a strong data protection system, the Court said :

"It is our conclusion therefore that all biometric systems, whether centralised or decentralised, and whether using closed or open source technology, require a strong security policy and detailed procedures on its protection and security which comply with international standards."

Hence, the Court ruled :

"The Respondents are at liberty to proceed with the implementation of the National Integrated Identity Management System (NIIMS) and to process and utilize the data collected in NIIMS, only on condition that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable constitutional requirements identified in this judgment is first enacted".

 While considering the petitions filed by Nubian Rights Forum, Kenya Human Rights Commission and Kenya National Commission On Human Rights, the Court comprising of Justices P. Nyamweya ,Mumbi Ngugi  and W. Korir mainly considered the following legal issues:

• Whether the Legislative Process was Constitutional?
• Whether there is Violation and/or Threatened Violation of the Right to Privacy?
• Whether there is a Violation of Children's' Rights to Privacy?
• Whether there are Sufficient Legal Safeguards and Data Protection Frameworks?
• Whether the Impugned Amendments are an Unnecessary, Unreasonable and Unjustifiable Limitation?
• Whether there was a Violation of the Right to Equality and Non-Discrimination?
• Whether there is Discrimination of the Nubian Community ?

Need For A comprehensive regulatory framework.

In this regard, the judgment observed:

An inadequate legislative framework for the protection and security of the data is clearly a limitation to the right to privacy in light of the risks it invites for unauthorized access and other data breaches. To this extent we found the lack of a comprehensive legislative framework when collecting personal data under the impugned amendments, is contrary to the principles of democratic governance and the rule of law, and thereby unjustifiable.
What is relevant is that the said principles and standards should be provided and actualized in regulations that will govern the operation of NIIMS. In addition, the biometric data and personal data in NIIMS shall only be processed if there is an appropriate legal framework in which sufficient safeguards are built in to protect fundamental rights.

The Court also referred to an example of similar Regulations in India that were framed under the Aadhaar Act, were the Aadhaar (Enrolment and Update) Regulations, 2016, The Aadhaar (Authentication) Regulations, 2016, The Aadhaar (Data Security) Regulations, 2016 and the Aadhaar (Sharing of Information) Regulations, 2016.

On Exclusion

The Court also considered the question whether obtaining the Huduma Namba is mandatory, a condition precedent to obtaining government services, and therefore likely to result in violation of the right to non-discrimination. It said:

We note that all the parties are agreed that the use of digital data is the way of the future. The challenge is to ensure, among other things, that no one is excluded from the NIIMS and the attendant services. This may occur due to lack of identity documents, or lack of or poor biometric data, such as fingerprints. In our view, there may be a segment of the population who run the risk of exclusion for the reasons already identified in this judgment. There is thus a need for a clear regulatory framework that addresses the possibility of exclusion in NIIMS. Such a framework will need to regulate the manner in which those without access to identity documents or with poor biometrics will be enrolled in NIIMS. Suffice to say that while we recognize the possibility of this exclusion, we find that it is in itself not a sufficient reason to find NIIMS unconstitutional

Reference to Aadhaar Judgment

The High Court, in its judgment, has referred to the Indian Supreme Court judgment in Supreme Court in Justice K.S. Puttaswamy (Retd.) and Another v. Union of India and Others. To hold that biometric data is necessary for identification purposes, it adopted the findings in Justice K.S. Puttaswamy (Retd.) on the necessity of the different types of biometric data in identification.

Indian cyber expert Anand Venkatnarayanan was one among the technical witnesses who had testified for the petitioners in the case.

The Supreme Court of Kenya is the highest court of Kenya.

Click here to Read/Download Judgment

Read Judgment