The past few weeks have been abuzz with public outcry over the call to update SIM registration details for all sim card owners by the Communications Authority of Kenya (CAK). The move has been touted as a step towards improving national security by establishing a comprehensive registry of sim cards and their owners. It is the third such attempt by the regulator to ensure all sim cards are duly registered. In 2010, Kenyans snubbed a similar directive by the then Communications Commission of Kenya. The rationale then was that the government aimed to discourage extortion, fraud and kidnapping that were being perpetrated through unregistered sim cards.

In 2013 more than 2.4 million unregistered SIM cards were disconnected when the CA issued a similar directive. Safaricom led the pack by disconnecting 1.2 million sim cards, Orange disconnected 520,000, Airtel 365,266 and Yu 323,000 lines. Fast forward to 2022 and we are experiencing the third such move by the government. According to the Director-General of the CAK, the requirement to update sim card registration details is being done primarily to protect consumers of telecommunication services stating that the exercise is meant to curb incidences of sim-boxing, financial fraud, kidnapping and terrorism.

The process is not unique to Kenya as governments across the continent rush to register sim cards.  In 2021 Tanzania blocked 18,000 SIM cards allegedly involved in criminal activities and Ghana issued a directive for every SIM card carrier to re-register their SIMs with the Ghana Card, the national residency card.  In December 2020, the Nigerian government issued a directive that all SIM card carriers should link their lines to a unique National Identity Number, citing a need to tackle the growing insecurity in the country.

The Case of Telcos

However, questions have been raised about the nature of the directive which is being implemented differently by the telecommunications players in the industry. All the Telcos have stated that subscribers will need to provide pictures of themselves during the registration process which would only be done physically at the Companies’ shops.

Questions arise as to why the Telcos are asking for subscribers’ pictures under the guise of protecting the security of their data. It raises concern over whether the data being relayed to the Telcos in the form of photos is safe and protected. Section 25 of the Data Protection Act states that data processors like Telcos can only process personal data for explicit, specified and legitimate purposes and in a manner that is not incompatible with the original purposes for data collection.

The purpose of the registration as directed by the CAK is for record purposes and the CAK has not indicated a need for photos; therefore, the Telcos are processing data in a manner that is incompatible with the original indicated purpose of the data collection. The Telcos can only take the photos with the individual consent of each customer and after conducting a Data Protection Impact Assessment.

The Telcos have not indicated whether they have conducted a Data Protection Impact Assessment (DPIA) of its extensive data collection beyond the bounds of the CAK directive. Under the Data Protection Act, The DPIA should include a systematic description of the purposes of the processing including the legitimate interest pursued by the Companies. The companies must also demonstrate that they have assessed the necessity and proportionality of the processing of personal data in the form of pictures. They will also need to demonstrate that they have conducted an assessment of the risks to the rights and freedoms of data subjects as they share their photographs.

Furthermore, section 25 also puts a requirement on Data Processors to process data in a manner that is adequate, relevant and limited to what is necessary for the purposes for which it is processed. Safaricom is violating this by going beyond what is necessary as directed by the CAK.

The Directive

Those opposed to the CAK directive also  argue that by facilitating the creation of an extensive database of user information, it places individuals at risk of being profiled, tracked and targeted through the information they provide. There is also the risk of user information being misused for negative purposes by the government. It is not clear whether the CAK conducted a comprehensive data protection impact assessment before carrying out the data collection exercise and it is now up to the Court to determine the validity of the directive after a lawsuit was filed. The case filed in court last week seeks to compel the telecommunications companies to delete and expunge from their records and systems photographs of persons who are duly registered subscribers which were collected during the registration process.

The burden now shifts to the Office of the Data Protection Commissioner (ODPC) to stop and censor the Telecommunication Companies in their steps and protect the rights of data subjects across the country. All eyes are on the ODPC to reveal whether a valid Data Protection Impact Assessment was conducted by the CAK before they embarked on this data collection exercise.