Biometric Data and the Right to Privacy in Kenya: Nubian Rights Forum and Others v. Attorney General Case

By Giulia Botta, Ph.D. Student, Università degli Studi di Milano

The judgement in the Nubian Rights Forum and Others v. Attorney General case was issued on 30 January 2020 by the High Court of Kenya, after petitions were filed in September 2019 by three civil society organisations – the Nubian Rights Forum, the Kenya Commission on Human Rights and the Kenya National Commission on Human Rights. The case, initiated in February 2019, concerns a challenge to the constitutionality of the government’s National Integrated Identity Management System (NIIMS), a biometric ID scheme also known as Huduma Namba[1], recently introduced in Kenya.

The facts of the case will be analysed, focusing on the legal reasoning of the Court and on the outcomes of the decision that affect the debate on the right to privacy related to data protection. The benefits and challenges posed by centralised biometric identity systems and the use of technology to collect sensitive data will be explored, as a worldwide issue at stake at domestic and at international level, impinging on the right to privacy and on fundamental human rights. In a comparative analysis, light will also be shed on India’s Supreme Court case (2018) upholding the constitutionality of the biometric identification project Aadhaar, and on the biometrics in the Irish Public Services Card (PSC) system in relation to the EU General Data Protection Regulation (GDPR).

The Main Facts and the Legal Claims

In the context of digitalizing the Kenyan public administration and data collection systems, the NIIMS scheme was established in January 2019, involving the creation of a national database through the collection of personal and biometric data of citizens. NIIMS was introduced as an amendment to the Registration of Persons Act (Cap 107 Laws of Kenya), modified after the enactment into law of the Statute Law (Miscellaneous Amendment) Act No. 18 of 2018[2]. The scheme is a single repository of personal information of all Kenyans as well as foreigners resident in the country. Indeed, it applies to all Kenyan citizens aged 6 years and above, including those living abroad, refugees and foreign nationals resident in the country, requiring them to provide biometric data to the government in order to obtain the ID card. As NIIMS becomes the only form of ID recognised in the country, registration in it is necessary to access public services, including education, housing and healthcare, and to register to vote, get married, or obtain a driver’s license, a bank account or a mobile phone number.

More specifically, the term ‘biometric’ is defined in the Registration of Persons Act as including “fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves and Deoxyribonucleic Acid (DNA) in digital form”. Further, the scheme entails the collection of GPS coordinates of a person’s place of residence. Therefore, according to the applicants, NIIMS allows the government to collect a large range of biometric data on an unprecedented scale, which may lead to risks of violation of the right to privacy related to data protection through a privacy-invasive national ID database[3].

The case[4], involving allegations on the constitutionality of NIIMS and the amendments to the Registration of Persons Act, was initiated in February 2019, and the High Court issued an interim ruling, pending a full hearing, in April 2019. The ruling permitted the government to proceed with data collection but imposed conditions, such as that registration could not be mandatory. However, in April and May 2019, the authorities undertook a mass registration drive: biometric data of 36 million people were collected and stored in the database, and now they account for around 40 million[5].

In September 2019, three petitions were filed by the Nubian Rights Forum, the Kenya Commission on Human Rights and the Kenya National Commission on Human Rights, complaining that the amendments to the Registration of Persons Act were passed in violation of the Constitution and in bad faith, posing serious threats to fundamental rights and freedoms protected under the Kenyan Bill of Rights. Despite the interim ruling and the conditions set by the High Court, the petitioners alleged that the Kenyan authorities had called on people to register, widely publicising the registration deadline, including on official government social media accounts, without making clear that registration was not mandatory. The appellants raised human rights concerns related not only to the right to privacy, enshrined at domestic level in art. 31 of the Kenyan Constitution and at international level in art. 17 of the 1966 International Covenant on Civil and Political Rights (ICCPR), but also concerns related to the right to non-discrimination.

The petitioners claimed, first of all, exclusion of and discrimination against the Nubian community, whose members lack national identity cards and birth certificates and are hence disadvantaged by the implementation of the NIIMS system. Secondly, the petitioners complained that the impugned amendments were introduced and passed without public consultation and public participation, through an unconstitutional process. Thirdly, they alleged that adequate and proper safeguards for the protection of data and personal information intended for collection under the NIIMS system are lacking, hence there is a violation of and threat to the right to privacy guaranteed under art. 31 of the Constitution. Finally, it was complained that the impugned amendments were published in omnibus legislation and in a Gazette Notice that was crafted in such a manner as to conceal the amendments from the public[6].

The Petitioners, thus, sought various declarations, inter alia that sections 3, 5 and 9 of the Registration of Persons Act as amended by the Statute Law Miscellaneous (Amendment Act) 2018 are unconstitutional for infringing various provisions of the Constitution.

The High Court’s Legal Reasoning

The High Court of Kenya, in developing its legal reasoning, analysed three substantive claims filed by the Petitioners, assessing firstly whether the legislative process for NIIMS had been constitutional; secondly, whether the legislation violated the right to privacy under art. 31 of the Kenyan Constitution; thirdly, whether it violated the right to equality and non-discrimination under art. 27 of the Constitution.

Firstly, regarding the assessment of the legislative process for approving NIIMS, the Court was concerned about the extent of public participation, the use of an ‘omnibus Bill’ procedure to pass the legislation through Parliament, and the lack of involvement of the country’s Senate. It found that the process had not been unconstitutional, although it acknowledged that the process “appeared to have been rushed”.

Secondly, regarding the alleged violations of the right to privacy enshrined in art. 31, the Court considered potential privacy implications and the risks associated with the use of biometric data. More specifically, biometric data refer to “the physiological and behavioural characteristics of individuals, including fingerprints, voice, face, retina and iris patterns, hand geometry, gait or DNA profiles”[7], representing sensitive types of data that are unique to each individual. Biometric information is particularly sensitive as it can be used to identify and track people during their lifetimes, as people cannot change their fingerprints, eyes, or faces[8]. The Court concluded, inter alia, that “biometric and personal data in NIIMS should only be processed if there is an appropriate legal framework in which sufficient safeguards are built in to protect fundamental rights”. Therefore, the key order from the Court was that the Government could not proceed with the implementation of NIIMS until there is “an appropriate and comprehensive regulatory framework on the implementation of NIIMS”, acknowledging that “a law that affects a fundamental right or freedom should be clear and unambiguous” and this “applies to any law that seeks to protect or secure personal data, particularly in light of the grave effects of breach of the data already alluded to”. Further, the Court expressed concern over provisions enabling the collection of DNA and GPS coordinates of individuals’ homes, noting the lack of justification and evidence provided by the Government on the need to collect this kind of data and the lack of specific safeguards. So, the Court concluded that the collection of DNA and GPS co-ordinates for purposes of identification is “intrusive and unnecessary”, and to the extent that it is not authorised and specifically anchored in empowering legislation, it is unconstitutional and in violation of art. 31. Therefore, the sections in the Registration of Persons Act requiring such collection conflict with art. 31 and are unconstitutional, null and void[9].

Thirdly, in regard to the right to equality and non-discrimination under art. 27, the Court assessed the claims of discrimination against the Nubian community and other marginalised communities, which face barriers in accessing the national identity documents required for NIIMS registration, leading to exclusion from access to essential services, such as education, housing and healthcare. According to the petitioners, NIIMS could have damaging effects on marginalised groups such as refugees and ethnic minority groups[10], who already faced additional scrutiny from Kenyan authorities and are required to provide additional information when registering for ID cards, running into obstacles over the documents required to get a biometric ID and facing outright rejection. As stressed by the chairman of the Nubian Rights Forum, Shafi Ali, without a national identity card “you are totally a living dead” in Kenya[11]. However, the Court held that no violation of art. 27 was found against these communities, and that while there was a possibility of exclusion, this was not itself a reason to find NIIMS unconstitutional.

The result of the judgment is that the government may continue with the implementation of NIIMS, but only once “an appropriate and comprehensive regulatory framework” is enacted, addressing the shortcomings identified by the Court in relation to privacy and the risk of exclusion. The Nubian Rights Forum has however filed an appeal, with an urgent application for stay of the implementation of NIIMS and the legal proceedings are therefore expected to continue.

The Impacts on Data Protection and the Right to Privacy in Comparative Perspective

The case, dealing with centralised biometric systems, has highlighted the necessity of a clear regulatory framework and strong data protection safeguards related to identity systems, which are still absent in Kenya. As declared by the Court, biometric data in NIIMS shall only be processed if there is an appropriate legal framework in which sufficient safeguards are built in to protect fundamental rights. The Court, indeed, found that the legal framework on the operations of NIIMS is inadequate, and poses a risk to the security of data collected through this system.

The Court’s decision has an impact on the domestic jurisprudence on the right to privacy related to data protection, highlighting the need for a stronger data protection framework, but it also has international relevance, dealing with the right to privacy understood as a fundamental and universal human right. As stressed by the U.N. Special Rapporteur on the promotion and protection of human rights and fundamental freedoms, the right to privacy constitutes a fundamental right in itself but also a basis for the development and enjoyment of other universal rights, such as the freedom of expression, opinion, religion, association, the right to equal participation in political and public affairs, etc. Indeed, they all require privacy to be able to develop effectively[12]. In particular, the U.N. Special Rapporteur for freedom of expression highlighted that “the right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression”[13].

In this regard, Kenya has signed the Universal Declaration of Human Rights (UDHR)[14] and has ratified the ICCPR[15], upholding the right to privacy and the right to protection against interferences with it. As stressed by the Human Rights Committee, State Parties to the ICCPR have a positive obligation to “adopt legislative and other measures to give effect to the prohibition against arbitrary or unlawful interferences with the right to privacy,” regardless of “whether they emanate from State authorities or from natural or legal persons”[16].

At domestic level, the Constitution of Kenya protects the right to privacy by enshrining international law in domestic law and explicitly protecting privacy as a fundamental right: art. 2§5 provides that “general rules of international law shall form part of the law of Kenya,” and art. 2§6 provides that “any treaty or convention ratified by Kenya shall form part of the law of Kenya under this Constitution,” which includes the UDHR and the ICCPR. Then, art. 31 explicitly protects the right to privacy providing that “every person has the right to privacy, which includes the right not to have (a) their person, home or property searched; (b) their possessions seized; (c) information relating to their family or private affairs unnecessarily required or revealed; or (d) the privacy of their communications infringed”.

More specifically, identification schemes used by public administration are strictly linked to data protection and more broadly to privacy issues. Biometric registration systems entail two main components: “firstly, biometric technologies capture and store characteristics in a database in order to identify an individual. Secondly, the information in this database is cross-referenced to verify or authenticate an individual’s identity in a range of contexts – eg. when accessing government services, or crossing borders, to enable an individual to vote, access bank accounts, access health services etc.”[17]. According to the U.N. High Commissioner for Human Rights, biometric data “is particularly sensitive, as it is by definition inseparably linked to a particular person and that person’s life, and has the potential to be gravely abused. For example, identity theft on the basis of biometrics is extremely difficult to remedy and may seriously affect an individual’s rights. Moreover, biometric data may be used for different purposes from those for which it was collected, including the unlawful tracking and monitoring of individuals. Given those risks, particular attention should be paid to questions of necessity and proportionality in the collection of biometric data. Against that background, it is worrisome that some States are embarking on vast biometric data-based projects without having adequate legal and procedural safeguards in place”[18].

The Kenyan government has increased its use of centralized biometric databases through NIIMS, but also through efforts in the transition to biometrically verifying voters[19] and in the collection of biometric data on people living with HIV. However, in collecting sensitive biometric data, there are potential risks, for example, “with data collected for health purposes being used by police to target key populations for arrest,” as well as “the risk of data breaches that could expose stigmatised populations publicly” and result in “discrimination, including in access to government services”[20].

Problems of public transparency, accountability, public trust and security regarding biometric systems represent a potential obstacle to the realization of the right to privacy in Kenya, requiring safeguards and strong legislation on access to and retention of data. Indeed, a key aspect of the judgment has been the acknowledgment of the importance of a strong and enforced data protection framework. When NIIMS was announced, no such framework was in place in Kenya, but the Kenyan Data Protection Act was passed in 2019, with further submissions by the Court. The need for a Data Protection Act to be in place is thus outlined, and the Court recognized that a legal framework per se is not sufficient: its effective implementation, enforcement and operationalization are also needed.

The case is still pending, creating positive inputs for the Government to protect the right to privacy in a stronger way, but on the other side the petitioners are disappointed with the outcome of the decision, which does not recognize the unconstitutionality of the system, especially as regards discrimination against Nubians and other minorities and their risk of exclusion.

Adopting a comparative perspective, the case represents an important precedent not only in Kenya, but also for domestic, regional and international law jurisprudence on the matter, having impacts on the debate on data protection, the right to privacy and the development of technology and AI for data collection.

Similar cases in India, which has established the largest biometric ID system, and in Ireland, with the Public Services Card (PSC) system, will be considered.

In 2018 the Indian Supreme Court ruled on the world’s largest biometric ID program, Aadhaar, established in 2010 in India, with roughly 1 billion registered users representing nearly all of India’s 1.3 billion population. The system is run by the Unique Identification Authority of India (UIDAI)[21], a statutory body of the Indian government which collects personal and biometric data such as fingerprints, facial photographs, and iris scans, issuing a 12-digit individualized identity number and a registration card for each resident. The project, initially established as voluntary, aimed at streamlining government welfare schemes and preventing identity fraud by providing identification for people. Its rollout began in 2010 and it was retroactively legalized by law – the Aadhaar Act (2016)[22] – after which its scope increased, making enrollment mandatory for all to access social services and benefits, including government subsidies, pensions, and scholarships. It was also linked to services such as banking, insurance, telephone, and internet access.

The Court upheld the constitutionality of this biometric identification project, considered controversial by several petitioners. About 30 petitions were filed with the court arguing that the scheme’s link to essential services and the mandatory enrollment could disproportionately interfere with the privacy rights of millions of Indians. Claims were linked to risks of exclusion from registration, especially for the poor and more vulnerable, left behind in the process. Allegations were also linked to increased state surveillance in India, with the convergence of various databases making it easier for the government to track information about individuals and to target dissent. The Supreme Court, similarly to the Kenyan case, ruled on the constitutionality of the program, concluding that the data collection scheme is constitutional despite claims that it violated privacy laws and was unlawfully established. The majority[23] declared that the program could continue, but with limited scope and restrictions on data storage, stating that it could not be compulsory for bank accounts, mobile connections and school admissions, and also barring private companies from demanding Aadhaar. The case sheds light on the need for the government to create adequate safeguards to ensure that Aadhaar registration requirements do not prevent poor and marginalized people from getting access to constitutionally guaranteed essential services, including food and health care. Similarly to the Kenyan High Court case, the importance of a stronger protection of the right to privacy and of a proper regulatory framework to protect it as a fundamental human right has been highlighted. As the NGO Human Rights Watch representative Ganguly has stated, “The court’s decision to restrict private actors from accessing information under Aadhaar and limiting its expansion is helpful at a time when there are serious fears of data breach, profiling and surveillance”[24].

The importance of proper data protection regulation for biometric systems has also been outlined in the EU context, with a recent case on the Irish biometric system based on the Public Services Card (PSC). EU Member States’ data protection frameworks are shaped by the European General Data Protection Regulation (EU GDPR)[25], which establishes a harmonized framework entailing, inter alia, the right to be forgotten, unambiguous and affirmative consent, and penalties for failure to comply with these rules. The EU data privacy law defines biometric data as “special categories of personal data” and prohibits its “processing”. More precisely, biometric data are defined as “personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data”. The GDPR protects EU citizens and long-term residents from having their information shared with third parties without their consent. Data processing for “uniquely identifying a natural person” is prohibited, but there are some exceptions: (a) if consent has been given explicitly; (b) if biometric information is necessary for carrying out obligations of the controller or the data subject in the field of employment, social security and social protection law; (c) if it is essential to protect the vital interests of the individual and the individual is incapable of giving consent; (d) if it is critical for any legal claims; (e) if it is necessary for reasons of public interest in the area of public health. Moreover, the Regulation permits the Member States to introduce other limitations regarding the processing of biometric information.

Ireland’s biometric identification system entails a Public Services Card (PSC), rolled out nationally since 2012 and required to access a range of essential services including social welfare, passport services, citizenship applications, student grant applications, etc. The rationale behind the system is to enable authorities to prevent welfare fraud and to expedite administration processes. The system has recently raised concerns about the right to privacy on the part of Digital Rights Ireland and the Irish Council for Civil Liberties (ICCL), linked to alleged violations of the GDPR in how the scheme is run. The ICCL representatives have expressly stated that the card is “a well-known Irish example of how technology can be used against people living in poverty”, increasing risks of exclusion of the most vulnerable. The system and its possible violations of human rights have also worried the UN Special Rapporteur on Extreme Poverty and Human Rights, Professor Philip Alston, who outlined that controversies are also linked to the use of facial recognition by the Department of Social Protection to detect potential identity fraud, with the risk that the government could be tempted to aggregate private information collected for the PSC with other information systems.

In conclusion, a process of digitalization of public administrations, fostered by the need for more efficient data collection and effective identification systems, is currently developing worldwide, as documented by digital biometric systems in Kenya with the National Integrated Identity Management System (NIIMS), in India with Aadhaar, the largest biometric system in the world, and in the EU context with the Irish Public Services Card (PSC), as examples inter alia. The fundamental importance of an efficient digitalization of identification systems and of access to public services has been evidenced even more during the COVID-19 crisis, which has shown the crucial potential of technology for increasing inclusion and providing efficient services for all. The risks of collision with privacy and data protection rights have been outlined, referring to recent cases which have involved High Courts, especially in Kenya and India, ruling on the constitutionality of such systems and outlining the importance of data protection safeguards and strong regulatory frameworks in which biometric systems can develop without impinging on the fundamental and human rights of individuals. As evidenced by the Kenyan High Court in Nubian Rights Forum and Others v. Attorney General, a stronger protection of the right to privacy and a proper regulatory framework are needed to protect it as a fundamental human right.


[1] Meaning “service number” in Swahili

[2] President Uhuru Kenyatta passed into law the amendment to section 9A of the Registration of Persons Act to include a national ID registration system being a “single source of personal information of all Kenyan citizens and registered foreigners resident in Kenya”. NIIMS was rolled out nationally on 2 April 2019.

[3] Amnesty International Submission to the Office of the United Nations High Commissioner for Human Rights on the Impact of Digital Technologies on Social Protection and Human Rights https://www.ohchr.org/Documents/Issues/Poverty/DigitalTechnology/AmnestyInternational.pdf

[4] The judgment is available at http://kenyalaw.org/caselaw/cases/view/172447/

[5] Cullen, D., 2020, “High Court of Kenya suspends implementation of biometric ID system”, 2020 OxHRH Blog, available at http://ohrh.law.ox.ac.uk/high-court-of-kenya-suspends-implementation-of-biometric-id-system/

[7] National Coalition of Human Rights Defender-Kenya (NCHRD-K), the Kenya Legal & Ethical Issues Network on HIV and AIDS (KELIN), Paradigm Initiative, and Privacy International, https://uprdoc.ohchr.org/uprweb/downloadfile.aspx?filename=7566&file=EnglishTranslation

[8]  Amnesty International Submission to the Office of the United Nations High Commissioner for Human Rights on the Impact of Digital Technologies on Social Protection and Human Rights https://www.ohchr.org/Documents/Issues/Poverty/DigitalTechnology/AmnestyInternational.pdf

[9] Privacy International, Kenyan Court Ruling on Huduma Namba Identity System: the Good, the Bad and the Lessons, https://privacyinternational.org/long-read/3373/kenyan-court-ruling-huduma-namba-identity-system-good-bad-and-lessons

[10] Nubians, Somalis, Maasais, Boranas, Indians and Arabs are some of the ethnic minorities living in Kenya

[11] https://www.nytimes.com/2020/01/28/world/africa/kenya-biometric-id.html

[12] Martin Scheinin, Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, U.N. Doc. No. A/HRC/13/37, 28 Dec. 2009, p. 13, para. 33, available from https://www2.ohchr.org/english/bodies/hrcouncil/docs/13session/a-hrc-13-37.pdf.

[13] La Rue, F., 2013, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, U.N. Doc. A/HRC/23/40, pgs. 7, 20, paras. 24, 79, https://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSession/Session23/A.HRC.23.40_EN.pdf 

[14] Art. 12 UDHR : “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

[15] Art. 17 ICCPR: “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation” and “everyone has the right to the protection of the law against such interference or attacks.”

[16] General Comment No. 16: Art.17 (The right to respect of privacy, family, home and correspondence, and protection of honour and reputation), para 1.  

[17]  Privacy International, Biometrics, available from: https://privacyinternational.org/topics/biometrics 

[18] UN High Commissioner for Human Rights, 2018 The right to privacy in the digital age, Report of the United Nations High Commissioner for Human Rights, U.N. Doc. A/HRC/39/29, pg. 5, para. 14, available from https://undocs.org/A/HRC/39/29 

[19]  Muthuri, R. et al., Biometric Technology, Elections, and Privacy: Investigating Privacy Implications of Biometric Voter Registration in Kenya’s 2017 Election Process, The Centre for Intellectual Property and Information Technology Law, https://privacyinternational.org/sites/default/files/2018-06/Biometric%20Technology-Elections-Privacy.pdf 

[20] “Everyone said no:” Biometrics, HIV, and Human Rights, a Kenya Case Study, KELIN and the Kenya Key Populations Consortium, http://www.kelinkenya.org/wp-content/uploads/2018/04/%E2%80%9CEveryone-said-no%E2%80%9D.pdf 

[21] https://uidai.gov.in/about-uidai.html

[22] https://www.prsindia.org/uploads/media/AADHAAR/Aadhaar%20act,%202016.pdf

[23] Four judges on the five-member Supreme Court panel

[24] https://www.hrw.org/news/2018/09/27/india-top-court-oks-biometric-id-program

[25] The Regulation 2012/0011 was adopted officially on 27 April 2016 and it entered into force on 24 May 2016, with an obligation on Member States to transpose it into their national law by 6 May 2018, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
