wordpress blog stats
Connect with us

Hi, what are you looking for?

Landmark ruling finds Kenya’s government illegally rolled out Aadhaar-like biometric ID

The country’s High Court held that the controversial Huduma Namba infringes on individuals’ privacy and constitutional rights.

A year after halting Kenya’s Huduma Namba, the country’s controversial biometric ID scheme, the High Court of Kenya declared that its rollout was illegal and asked the government to conduct a privacy impact assessment. MediaNama has reviewed a copy of the judgement.

In Thursday’s judgement by Judge Ngaah Jairus of the Kenyan High Court, it said that the digital ID programme was ultra vires to Section 31 of Kenya’s Data Protection Act, which mandates that where a ‘processing operation is likely to result in high risk to the rights and freedoms of a data subject, the data controller or processor must carry out a Data Protection Impact Assessment’.

The respondents, in my humble opinion, have not appreciated the import and the extent of the application of the Data Protection Act, with respect to collection and processing of data collected under the National Integrated Identity Management System. If they did, they would have given effect to section 31 of the Data Protection Act and conducted a data impact assessment before processing personal data and rolling out the Huduma Cards — Justice Ngaah Jarius in the judgement

What else does the judgement say?

a. The order of certiorari is hereby issued to bring to into this honourable court and quash the respondents’ decision of 18 November 2020 to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019.

b. The order of mandamus is hereby issued compelling the respondents to conduct a data protection impact assessment in accordance with section 31 of the Data Protection Act, 2019 before processing of data and rolling out the Huduma Cards. — Justice Ngaah Jarius

While certiorari is a writ issued by a superior court to seek judicial review of a decision of a lower court or government agency, mandamus is an order from a court to an inferior government official ordering the government to properly fulfill their official duties or correct an abuse of discretion.

Advertisement. Scroll to continue reading.

In the Indian context, public bodies here rarely conduct a privacy impact assessment. Moreover, the 2019 version of India’s Personal Data Protection Bill, which is currently under review by a Joint Parliamentary Committee, grants sweeping exemptions to governments and its agencies from various provisions.

What is Huduma Namba?

The Huduma Namba also known as the National Integrated Identity Management System (NIIMS) was established in 2019 to set up and manage a national population register that could act as a single source of information about all citizens and residents of Kenya.

According to the Centre for Internet and Society, the legislation behind Huduma Namba:

  • Defines a set of foundational data that will be collected from all persons enrolling in it.
  • Talks about collecting functional data, defined as data of an individual created in response to a demand of a particular service or transaction.
  • Broadly describes biometric data to be collected as ‘fingerprints and any other biometric data’.

The legislation, according to CIS, also states that every government agency delivering a public service shall be linked to the NIIMS database to enable such agencies to —

  • Authenticate personal data in their possession with NIIMS.
  • Transmit, access, or retrieve information necessary for the proper discharge of the agency’s functions.

In 2020, Kenya’s High Court halted the biometric ID scheme, until new data protection laws were enacted, as per a BBC report. In the case which was brought by the Kenya National Commission on Human Rights (KNHCR) and Nubia Rights Forum, the judges made these observations —

  • Personal details of Kenyans would be available at the click of a button, thus increasing the risk of privacy.
  • Collection of DNA and use of GPS to record the precise location of a person’s home was ‘intrusive and unconstitutional’.

Duty of the state to ensure privacy is protected: Justice Ngaah Jarius

Justice Jarius, in his ruling, held that it is the duty of the Kenyan government to ensure that Right to Privacy, and the provisions of the Bill of Rights in Kenya’s Constitution which include fundamental rights such as freedom of expression, freedom of media etc, is protected

To this argument I would reiterate that there was always the duty on the part of the state to ensure that Bill of Rights under Chapter IV of the Constitution, including the right to privacy under article 31 of the Act is respected and protected. Section 31 of the Act does not impose any more obligation or duty on the state than that which the state or the respondents, for that matter, have hitherto had to bear — Justice Ngaah Jarius

Justice Jarius also said that an individual’s constitutional rights were under threat as a result of the biometric ID programme.

If anything, it is the individual’s constitutional rights and which, for all intents and purposes, are vested rights, that were under threat by the excesses of the state in collecting and processing data without prior legal framework to ensure that even as the state embraces a new system of identification, the right to privacy is protected. This is the more reason why section 31 of the Data Protection Act appeals to me to be retrospective in its application. It is more of a bulwark against the excesses of the state than a tool imposing new obligations or duties on the state – Justice Ngaah Jarius (emphasis added)

Kenyan govt finds fault in High Court’s decision, files appeal

According to The Star.co.ke, Attorney General Kihara Kariuki on Friday filed a notice of appeal against the High Court judgement.

“The decision to appeal is informed by the conviction the High Court decision is based on wrong interpretation of the essence and the practical intentions of Huduma Card,” Matiang’i was quoted by The Star.co.ke as saying.

Advertisement. Scroll to continue reading.

He said that the argument from the court that the validation of relevant data was not factored in is ‘spurious’. “Huduma Card is essentially a collation of different identity documents already issued and certified by government and government agencies,” Kariuki added.

Privacy concerns posed by Aadhaar

In 2016, the Government of India enacted the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (” Aadhaar Act “), touted as India’s biggest welfare legislation. Given the magnitude of data collection about individuals that would arise under the Aadhaar system, the law needed strong privacy safeguards. However, despite the Right to Privacy being recognised as a fundamental right, India still does not have any data protection laws.

Vrinda Bhandari, an advocate, lists the following concerns with Aadhaar —

  • The Aadhaar Act does not consider privacy as one of its objectives. The word privacy does not even find mention in the Act
  • Aadhaar Act lacks any understanding or articulation of the importance of privacy of personal data
  • Unique Identification Authority of India (“UIDAI”) can share information about individuals in such manner as may be specified by regulations.
  • The Aadhaar Act does not provide an opt-out clause, wherein Aadhaar number holders can choose to leave the system (and forego all its benefits) and ensure that their identity information is permanently removed from the Central Identities Data Repository

The full article on privacy concerns in the Aadhaar Act, 2016 can be read here

Also read

Have something to add? Post your comment and gift someone a MediaNama subscription.

Advertisement. Scroll to continue reading.
Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ