A year after halting Kenya’s Huduma Namba, the country’s controversial biometric ID scheme, the High Court of Kenya declared that its rollout was illegal and asked the government to conduct a privacy impact assessment. MediaNama has reviewed a copy of the judgement.
In Thursday’s judgement, Judge Ngaah Jairus of the Kenyan High Court said that the digital ID programme was ultra vires Section 31 of Kenya’s Data Protection Act, which mandates that where a ‘processing operation is likely to result in high risk to the rights and freedoms of a data subject, the data controller or processor must carry out a Data Protection Impact Assessment’.
The respondents, in my humble opinion, have not appreciated the import and the extent of the application of the Data Protection Act, with respect to collection and processing of data collected under the National Integrated Identity Management System. If they did, they would have given effect to section 31 of the Data Protection Act and conducted a data impact assessment before processing personal data and rolling out the Huduma Cards — Justice Ngaah Jairus in the judgement
What else does the judgement say?
a. The order of certiorari is hereby issued to bring into this honourable court and quash the respondents’ decision of 18 November 2020 to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019.
b. The order of mandamus is hereby issued compelling the respondents to conduct a data protection impact assessment in accordance with section 31 of the Data Protection Act, 2019 before processing of data and rolling out the Huduma Cards. — Justice Ngaah Jairus
While certiorari is a writ issued by a superior court to seek judicial review of a decision of a lower court or government agency, mandamus is an order from a court to an inferior government official ordering the government to properly fulfill their official duties or correct an abuse of discretion.
In the Indian context, public bodies rarely conduct a privacy impact assessment. Moreover, the 2019 version of India’s Personal Data Protection Bill, which is currently under review by a Joint Parliamentary Committee, grants sweeping exemptions to governments and their agencies from various provisions.
What is Huduma Namba?
The Huduma Namba, also known as the National Integrated Identity Management System (NIIMS), was established in 2019 to set up and manage a national population register that could act as a single source of information about all citizens and residents of Kenya.
According to the Centre for Internet and Society, the legislation behind Huduma Namba:
- Defines a set of foundational data that will be collected from all persons enrolling in it.
- Talks about collecting functional data, defined as data of an individual created in response to a demand of a particular service or transaction.
- Broadly describes biometric data to be collected as ‘fingerprints and any other biometric data’.
The legislation, according to CIS, also states that every government agency delivering a public service shall be linked to the NIIMS database to enable such agencies to —
- Authenticate personal data in their possession with NIIMS.
- Transmit, access, or retrieve information necessary for the proper discharge of the agency’s functions.
In 2020, Kenya’s High Court halted the biometric ID scheme until new data protection laws were enacted, as per a BBC report. In the case, which was brought by the Kenya National Commission on Human Rights (KNCHR) and Nubia Rights Forum, the judges made these observations —
- Personal details of Kenyans would be available at the click of a button, thus increasing the risk to privacy.
- Collection of DNA and use of GPS to record the precise location of a person’s home was ‘intrusive and unconstitutional’.
Duty of the state to ensure privacy is protected: Justice Ngaah Jairus
Justice Jairus, in his ruling, held that it is the duty of the Kenyan government to ensure that the Right to Privacy and the provisions of the Bill of Rights in Kenya’s Constitution, which include fundamental rights such as freedom of expression and freedom of the media, are protected.
To this argument I would reiterate that there was always the duty on the part of the state to ensure that Bill of Rights under Chapter IV of the Constitution, including the right to privacy under article 31 of the Act is respected and protected. Section 31 of the Act does not impose any more obligation or duty on the state than that which the state or the respondents, for that matter, have hitherto had to bear — Justice Ngaah Jairus
Justice Jairus also said that an individual’s constitutional rights were under threat as a result of the biometric ID programme.
If anything, it is the individual’s constitutional rights and which, for all intents and purposes, are vested rights, that were under threat by the excesses of the state in collecting and processing data without prior legal framework to ensure that even as the state embraces a new system of identification, the right to privacy is protected. This is the more reason why section 31 of the Data Protection Act appeals to me to be retrospective in its application. It is more of a bulwark against the excesses of the state than a tool imposing new obligations or duties on the state – Justice Ngaah Jairus (emphasis added)
Kenyan govt finds fault in High Court’s decision, files appeal
According to The Star.co.ke, Attorney General Kihara Kariuki on Friday filed a notice of appeal against the High Court judgement.
“The decision to appeal is informed by the conviction the High Court decision is based on wrong interpretation of the essence and the practical intentions of Huduma Card,” Matiang’i was quoted by The Star.co.ke as saying.
He said that the argument from the court that the validation of relevant data was not factored in is ‘spurious’. “Huduma Card is essentially a collation of different identity documents already issued and certified by government and government agencies,” Kariuki added.
Privacy concerns posed by Aadhaar
In 2016, the Government of India enacted the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”), touted as India’s biggest welfare legislation. Given the magnitude of data collection about individuals that would arise under the Aadhaar system, the law needed strong privacy safeguards. However, despite the Right to Privacy being recognised as a fundamental right, India still does not have any data protection laws.
Vrinda Bhandari, an advocate, lists the following concerns with Aadhaar —
- The Aadhaar Act does not consider privacy as one of its objectives. The word privacy does not even find mention in the Act.
- The Aadhaar Act lacks any understanding or articulation of the importance of privacy of personal data.
- The Unique Identification Authority of India (“UIDAI”) can share information about individuals in such manner as may be specified by regulations.
- The Aadhaar Act does not provide an opt-out clause, wherein Aadhaar number holders can choose to leave the system (and forego all its benefits) and ensure that their identity information is permanently removed from the Central Identities Data Repository.
The full article on privacy concerns in the Aadhaar Act, 2016 can be read here.