Kenya: Digital identity regulations must satisfy constitutional requirements

The government of Kenya’s recent attempt to provide guidelines for Kenya’s digital identity system under the National Integrated Identity Management System (NIIMS) is inadequate and threatens to affect the rights to free expression, access to information, privacy and data protection. ARTICLE 19 Eastern Africa and the Kenya ICT Action Network, in two joint submissions, maintained that a comprehensive civil registration and identity management framework should be enacted through a stand-alone Act of Parliament and not via two regulatory frameworks as proposed by the government.

ARTICLE 19 Eastern Africa and the Kenya ICT Action Network (or KICTANet) submitted two joint memoranda on the Data Protection (Civil Registration) Regulations, 2020 and the Registration of Persons (National Integrated Identity Management System) Regulations, 2020 in response to calls for public participation by the relevant government organs in February 2020.
These regulations are intended to provide guidelines for the practical implementation of the Data Protection Act (2019) and the Registration of Persons Act (CAP 107) in relation to digital identity, civil registration and the collection, storage, use and transfer of personal information in Kenya.

“The regulations proposed by the authorities, will undoubtedly affect the protection and promotion of freedom of expression, access to information, privacy and data protection in Kenya. Clearly, these draft regulations are not fit for purpose and should be amended in their entirety,” said Mugambi Kiai, Regional Director of ARTICLE 19 Eastern Africa.

Lamentably, we are concerned that these regulatory frameworks fail to respect the High Court’s orders. Notably, the High Court directed the government to “proceed with the implementation of the National Integrated Identity Management System (NIIMS) and to process and utilize the data collected in NIIMS” but on condition that “an appropriate and comprehensive regulatory framework on the implementation of NIIMS” is first enacted. Significantly, the Court emphasised that this framework must be “compliant with the applicable constitutional requirements identified in the judgment.”

There is a pressing need for a comprehensive legislative framework governing civil registration, legal (digital) identity management, and vital statistics in Kenya. However, this framework must respect international and regional human rights law and standards.

“We urge the government to work in tandem with civil society organisations and other multi-stakeholder groups and either comprehensively amend the Registration of Persons Act (CAP 107) or introduce a stand-alone Act of Parliament which is subjected to legislative oversight and effective public participation,” said Grace Githaiga, Co-Convenor, Kenya ICT Action Network.

As a rule of thumb, regulations should provide guidelines of practice. However, the proposed regulations create substantive systems which have implications on the effective and proper functioning of government, and which directly affect individuals’ ability to determine how, and whether, they should participate in the digitisation of their personal identity.

Worryingly, the Data Protection (Civil Registration) Regulations (2020) purports to anchor substantive civil registration amendments under the Data Protection Act, 2019 (or DPA, 2019). We note that these should rightly be captured under the Registration of Persons Act (CAP 107) and other enabling legislative frameworks affecting civil registration and identity management.

We are also concerned that the Data Protection (Civil Registration) Regulations (2020) directly contravenes the Data Protection Act (2019). Significantly, these regulations subvert the legal requirement under section 18, DPA (2019) mandating the prior registration and certification, by the Office of the Data Protection Commissioner (or ODPC), of all data controllers (including civil registration entities) collecting and processing copious amounts of sensitive personal data.

ARTICLE 19 Eastern Africa and KICTANet are concerned that the delay in operationalising the ODPC continues to weaken data protection in Kenya. As a point of first call, data protection authorities assist state organs and private entities to determine the extent of their obligations – financial, personnel, technical, amongst others – under the DPA, 2019 in relation to personal information in their possession.

Given the limited enforcement and regulatory powers possessed by the Cabinet Secretary and the Commission on Administrative Justice, operationalising the ODPC will give teeth to the DPA, 2019 provisions.

Kenya’s international human rights obligations

Kenya’s Constitution guarantees the rights to privacy, freedom of expression and access to information. Kenya is also obliged to respect these rights under regional and international human rights law. During the January 2020 UN Universal Periodic Review, the government of Kenya submitted a national report which magnified its obligations to protect and actively promote these rights.

Recommendations

ARTICLE 19 Eastern Africa and KICTANet recommend that the respective Kenyan authorities: –

1. Enact an appropriate and comprehensive civil registration and identity management framework through an Act of Parliament which amends the Registration of Persons Act (CAP 107).

2. Notwithstanding Recommendation 1, amend the two Regulations and provide explicit (technical, personnel and procedural) safeguards for the collection, processing, use, and transfer of personal information (including data already collected under NIIMS) to ensure that it is accorded the highest safety and security, management and governance protections in line with the DPA, 2019 and international human rights laws and standards.

3. In conjunction with multiple stakeholders, including civil society organisations, develop appropriate and comprehensive regulatory frameworks which adhere to the High Court’s orders in Consolidated Petitions No. 56, 58 and 59 (2019) and which comply with the DPA, 2019. This will ensure that the Regulations adhere to and respect fundamental rights enshrined in the Constitution of Kenya, 2010 and international human rights law and standards.

Read our joint memorandum on the Data Protection (Civil Registration) Regulations, 2020

Read our joint memorandum on the Registration of Persons (National Integrated Identity Management System) Regulations, 2020 

Contact
For more information, please contact: Mugambi Kiai, Regional Director ([email protected]) and Grace Githaiga, Co-Convenor ([email protected]