Breaking New Legal Ground Focus Month Human Rights

‘Good Order’ as Basis for Conducting Data Protection Impact Assessment during Transitional Periods

Source: Walid Kilonzi (2018)

ANALYSIS Nelson Otieno 21 January 2022

Registration of Persons Act[1] is the legislation that provides for registration of Kenyans who have attained the actual or apparent age of eighteen years or over. The Act empowers registration officers to issue National Identity Cards as evidence of registration. Sometime in 2018, the Government of Kenya passed the Statute Law (Miscellaneous Amendments) Act,[2] to amend the Registration of Persons Act. The amendment provided for a new biometric system of registration of nationals and foreigners in Kenya. Under this new registration system known as National Integrated Identity Management System (NIIMS), the Government would issue one card with a unique number.[3]

The Right to Privacy in the Context of a New Identity Management System

The roll-out of NIIMs, which started in March 2019, faced its first major legal hurdle when the Nubian Rights Forum, a human rights organization based in Nairobi, teamed up with other applicants to challenge the roll-out of NIIMs. The challenge was based on suspicion that the Government would collect DNA and GPS co-coordinates of people as part of NIIMS’ implementation.  In Nubian Rights Forum case[4] the Kenyan High Court held that collection of DNA and GPS co-coordinates would be unnecessarily intrusive and thus be in breach of the constitutional right to privacy.

During pendency of Nubian Rights Forum case, Parliament enacted the Data Protection Act 2019,[5] to provide for the regulation of the processing of personal data. The court noted this development and ordered that NIIMS be implemented only after the Government had operationalized the regulatory framework under the Data Protection Act 2019.

However, the Government went ahead and issued a press statement on the implementation of NIIMS on 18th November 2020 without data protection impact assessment (DPIA) as prescribed by section 31 of the Data Protection Act. This inaction prompted a second court action, this time an application for judicial review in Ex-Parte Kabita Institute & Another.[6]  The Institute sought to compel the Ministry of ICT to conduct a DPIA before implementing the NIIMS.

Implementation before Legislation: Data Protection in a Transitional Period

By the time the Ex-Parte Kabita Institute case was filed and indeed when the Data Protection Act 2019 was coming into force in November 2019, NIIMS had been rolled out and was awaiting full implementation. Therefore, the court was to determine whether section 31 could apply retrospectively to actions that are covered by the constitutional right to privacy but which were done before Data Protection Act 2019 came into force. Besides endorsing retroactive application of the legislation, the court found that the government should have conducted a DPIA for ‘good order’. Consequently, the court held that the Data Protection Act 2019 applied to such an extent or to such a time as to cover any action that could be deemed to affect the right to privacy.

The two court cases have had an impact in guiding DPIA process and facilitating development of DPIA frameworks in Kenya. For example, as a result of the Nubian Rights Forum case, the Government sponsored a legislation known as Huduma Bill to provide the legislative basis for the establishment of NIIMS. The Office of the Data Protection Commissioner has also published Data Protection (General) Regulations 2022 and a Guidance Note on Data Protection Impact Assessment that prescribe the DPIA process in Kenya.

 Innovative Courts as Data Protectors in Transitional Periods

Most African States have Constitutions that provide for right of privacy. The States have experienced transitional periods before they enact and implement legislations, regulations and guidelines that provide for DPIA, either expressly or impliedly. What are the obligations of private and public sector players in such transitional periods? So far only the Nubian Rights Forum and Ex-Parte Kabita Institute cases have presented the fora for analysis of implementation of DPIA frameworks in Kenya. The Kenyan jurisprudence shows that transitional periods can be problematic. It also shows that courts can use innovative interpretation to impose an obligation to conduct DPIA during the transitional periods before an enabling law is operationalized through regulations and guidelines.

[1] Registration of Persons Act Cap 107 Laws of Kenya.

[2] Statute Law (Miscellaneous Amendments) Act 2018.

[3] Mercy Asamba, and Hilllary Orinde, ‘Huduma Numba to replace the National ID From December 2021’ (The Standard, 18 November 2020) <> accessed 31 January 2022.

[4] Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties) [2020] eKLR, paras 1-1047.

[5] Data Protection Act 2019.

[6] Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Institute & another (Exparte); Immaculate Kasait, Data Commissioner (Interested party)[2021] eKLR, paras 1-121.

By Nelson Otieno

Nelson Otieno is an Advocate of the High Court of Kenya and an Associate at MMK Advocates, Nairobi. His research interests are in cybersecurity and ICT law.

Leave a Reply

Your email address will not be published. Required fields are marked *