NEW YORK—The Open Society Justice Initiative welcomes a recent judgment handed down by the High Court in Kenya declaring the data collection and roll-out of biometric Huduma cards for the country’s digital ID system, the National Integrated Identity Management System (NIIMS), unconstitutional. In the decision, Justice Ngaah held that the Data Protection Act of 2019, which was operationalized in 2020, should be applied retroactively to the government’s rollout of NIIMS, which was began in November 2020.
“This decision is especially welcome at a time when many countries in Africa and elsewhere in the Global South are implementing massive digital identity systems without full regard to privacy concerns,” says Nora Mbagathi, a senior associate legal officer with the Justice Initiative. “It is also particularly relevant as personal data harvesting by both governmental and private entities is on the rise globally. The decision is a reminder to governments of their obligation to implement systems and processes that fully secure citizens data and that are compliant with the best human rights standards.”
Filed by Kenyan constitutional law scholar Yash Pal Ghai and Katiba Institute, a civil society organization, the High Court case sought to challenge the rollout of the system without a prior data protection impact assessment. NIIMS has come under criticism for its potential to create further difficulties for marginalized communities that are already excluded from accessing public services due to widespread bureaucratic barriers, such as lack of documentation or failing to have a record of birth. Moreover, critics have noted that NIIMS could pose a significant threat to the privacy rights of enrolled citizens, due to the ways in which information would be stored and shared without constraint among government databases, absent of appropriate checks and balances.
Saying that the Kenyan government had “put the cart before the horse”, Justice Ngaah noted in his decision that the state should have ensured that the legal framework for protection of the right to privacy was in place before taking action “likely to infringe” on this right under the Kenyan constitution. In addition to finding the introduction of Huduma cards to have been unconstitutional, the High Court’s judgment orders the government to conduct a data protection impact assessment of the identity card program in accordance with the Data Protection Act prior to processing data in the system.
The ruling highlights an important matter regarding protective mechanisms for digital ID systems more generally, namely that legal and regulatory frameworks should be in place before these wide-ranging systems are introduced. Civil society has called for technological safeguards to be transparent and built into the design of the databases, warning that rolling out a system before implementing governing legislation and regulations would run a high risk of endangering sensitive biometric and personal data.
The Kenyan Court of Appeal is set to release a decision on an appeal in a related matter filed by Nubian Rights Forum (NRF) and the Kenyan Human Rights Commission (KHRC) regarding the constitutionality of NIIMS due to the dangers posed to equality, non-discrimination, privacy and data protection rights. In a first instance ruling in this case, the High Court held that a strong regulatory framework safeguarding these basic rights would have to be implemented prior to a rollout of the cards.
Some groups behind this separate filing have appealed this ruling, calling for a more explicit outline of what such a regulatory framework would consist of. They also call for this framework to be developed in collaboration with affected rights-holders to ensure that safeguards are built into the way that NIIMS is designed and developed.