The Government proposed to develop NIIMS by collating personal information from all Government agencies into one omnibus register that would then assign a single unique national identification number to all registered persons, for the purposes of accessing Government services.
In order to achieve this sizeable objective, the Government began the process of creating the NIIMS register. This involved a public, nationwide, personal data and sensitive personal data collection exercise that initiated active debate across the country. Shortly after the data collection exercise began, the constitutionality of Section 9A was brought into question before the High Court by the Nubian Rights Forum, the Kenya Human Rights Commission and the Kenya National Commission on Human Rights (Nubian Case). In the Nubian Case, the High Court found that:
- the Government’s proposed collection of certain personal data and sensitive personal data, that is, DNA and GPS co-ordinates, was unconstitutional;
- the sections of the RPA that required the collection of DNA and GPS co-ordinates were unconstitutional; and
- the Government could proceed with the implementation of the NIIMS, subject to the development of an appropriate and comprehensive regulatory framework for such implementation in compliance with constitutional requirements.
It is key to note that the Nubian Case was filed prior to the enactment of the Data Protection Act, 2019 (DPA). By the date of delivery of the judgment in January 2020, the DPA had only just been enacted, a fact that the High Court took notice of in its judgment. The High Court therefore directed that further processing of the personal data collected as part of the NIIMS registration process should not be undertaken before the operationalization of the DPA.
Thereafter, on 18 November 2020, following the appointment of the Data Commissioner, the Government announced the beginning of a phased nationwide roll out of the issuance of NIIMS registration cards popularly referred to as “Huduma Cards”. Following this announcement, Katiba Institute (and another applicant) instituted Judicial Review Application Number E1138 of 2020 (Katiba Case) (which is the subject of this alert) requesting the High Court to:
- prohibit the Government from rolling out the Huduma Cards without first conducting a Data Protection Impact Assessment (Impact Assessment), as required under Section 31 of the DPA;
- quash the Government’s decision to roll out the Huduma Cards for being in contravention of Section 31 of the DPA; and
- compel the Government to conduct the Impact Assessment prior to rolling out the Huduma Cards.
The applicants’ contention in the Katiba Case was that rolling out the Huduma Card without an Impact Assessment being carried out contravened the requirements of Section 31 of the DPA, sub-section (1) of which states that: “Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.”
The applicants also asserted that an Impact Assessment was necessary to fulfil the direction of the High Court in the Nubian Case that permitted the Government to proceed with the NIIMS subject to the enactment of an appropriate and comprehensive regulatory framework in line with constitutional requirements. It was the applicants’ case that Section 31 of the DPA represents the appropriate and comprehensive regulatory framework that the High Court envisaged in its judgment in the Nubian Case. The Government, however, argued that the DPA and the requirement for an Impact Assessment under Section 31 came into force in November 2020, after the collection of personal data for purposes of the NIIMS had already been completed. As such, there was no requirement in law for an Impact Assessment at the time when the personal data was being collected and the subsequent introduction of this legal requirement ought not to be applied retrospectively.
On this point, the High Court found that “It is beyond doubt that legislation can be retrospective in its application only that such an intention has to be either apparent from the statute in question or can be implied as a matter of necessity.”
The learned judge went further to state that:
“Reading the preamble to the Act [DPA] together with Section 3 thereof on the Act’s object and purpose, it is clear that the Act was intended to be retrospective to such an extent or to such a time as to cover any action taken by the state or any other entity or person that may be deemed to affect, in one way or the other, the right to privacy under Article 31 (c) and (d) of the Constitution. Needless to say, the need to protect the constitutional right to privacy did not arise with the enactment of the Data Protection Act; the right accrued from the moment the Constitution was promulgated.”
Based on this reasoning, the High Court found that the decision not to conduct an Impact Assessment prior to rolling out the Huduma Cards was illegal. The High Court then proceeded to quash the Government’s decision and to direct the Government to carry out an Impact Assessment.
Analysis and implications
The decision in the Katiba Case has far-reaching implications for the protection of personal data in Kenya. It establishes that the DPA applies retrospectively to personal data processing activities undertaken by data controllers and data processors presumably throughout the entire period between the promulgation of the Constitution (August 2010) and the enactment of the DPA (November 2019). This pronouncement raises serious questions as to whether data controllers and data processors ought to be held liable (and penalised under the DPA) for any non-compliant data processing activities carried out during the said period that preceded the enactment of the DPA.
In our view, the decision in the Katiba Case suggests that:
- such liability can arise; and
- data controllers and data processors can, on this basis, be directed to align any processing of personal data that occurred after the promulgation of the Constitution in 2010 with the requirements of the DPA, to the extent that this is possible.
The implication of this is that any failure to correct pre-November 2019 defaults in compliance with the DPA could technically be deemed to constitute an illegality for which the Data Commissioner could be entitled to issue an enforcement notice and a penalty notice. Aggrieved data subjects could under those circumstances also seek compensation for such defaults, subject to any applicable statutory time limits for such claims. Through this landmark decision, the High Court seems to be taking a very bold stand on the right to privacy and further to be demonstrating its resolve to protect the constitutional rights and freedoms of individuals against what it terms as the excesses or might of the state.
Both public and private data controllers and data processors ought to be particularly wary of the High Court’s finding regarding the retrospective applicability of the DPA in this case. This finding of retrospective applicability would require natural persons and corporate entities to ensure that their past data processing activities (possibly stretching back to August 2010, when the constitutional right to privacy was promulgated) are aligned with the DPA, to the greatest extent possible. This would require data controllers and data processors to consider conducting audits of their past processing activities within the relevant period so as to identify gaps in compliance and take remedial measures in line with the relevant obligations under the DPA.
It is worth noting that the Data Commissioner participated in these proceedings as an interested party and argued against the retrospective applicability of the DPA. The Government has already indicated an intention to challenge this decision before the Court of Appeal and it will therefore be interesting to see how the jurisprudence on this point develops. We will monitor the developments on the possible appeal and issue a further alert in due course.
Read the original publication at Cliffe Dekker Hofmeyr