[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019

James Mbugua jgmbugua at gmail.com
Wed Mar 16 16:04:34 EAT 2022


Listers,

I am not sure if I am being paranoid but the SIM card re-registration order
ostensibly by CA (Communications Authority) and which has mobile operators
asking us to re-register our SIM cards by April or risk being deregistered,
seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required
to update their registers with details including ID documents and photo
IDs. The reason given, ostensibly, is that many had their SIM details
registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act itself
came into effect in 2019, significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA requires Data
Minimisation where personal data collected should be:

"adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed (‘data minimisation’);" Sec. 25(d)
DPA, 2019

This means that data that the controller does not really need to achieve a
specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take
and store, for example, are, in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of
intrusive biometric data for example by using national IDs. CA explicitly
asks that the operators verify details with the Integrated Personnel
Registry System, so collection of biometric data to me is disproportionate
and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data
minimisation provisions of the DPA, 2019 in my opinion hold primacy and in
fact impliedly repeal or render unlawful the requirements for photo
taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile
operators, is if, as per the precedent set by Justice Ngaah in the Katiba
Institute v. MoICT & others regarding the need for the conduct of a Data
Processing Impact Assessment, has been carried out in this instance when CA
proposes to have collected the data of more than 30 million subscribers
including biometric data.

I think this is a plain case of flouting judicial guidance vis-à-vis when
DPIAs should be carried out and CA should have had this carried out first
before issuing the said directive.

Regards,

James G. Mbugua
Data Privacy Consultant & Tech Policy Blogger
@jgmbugua <jgmbugua at gmail.com>