[kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019
Benson Muite
benson_muite at emailplus.org
Thu Mar 17 10:20:26 EAT 2022
It is interesting to observe that MTN is re-branding to become a
data/technology company - full details are unclear, but it maybe
something that other telecommunications companies in Africa may also do.
Anti-trust regulations have had an interesting history in the USA, for
example [1] and [2].
[1] https://en.wikipedia.org/wiki/United_States_v._Microsoft_Corp.
[2] https://en.wikipedia.org/wiki/Breakup_of_the_Bell_System
On 3/16/22 11:25 PM, kanini mutemi via KICTANet wrote:
> @Mwendwa Kivuva <mailto:Lordmwesh at gmail.com> Let us not conflate issues.
> ALWAYS treat mobile banking (and banking in general) quite separate from
> other services offered by MNOs. A practical problem- @James Mbugua was
> right on data minimization (I would add necessity as well) disqualifying
> the current directive by CA. If you speak of harmonization of
> regulations, you can no longer rely on minimization and necessity
> because a need (banking) has been created. While all these things begin
> with a SIM Card registration, MPESA requires a further positive step of
> registration. At that point, we can safely speak of harmonization and
> requiring more information to prevent financial crimes etc. Different
> products, different markets.
>
> Are we sure CA is the source of the photos directive? (Kindly share the
> directive if you have access to it). The Regulations only allow this
> information to be collected during SIM Card registration-
>
> 5 (1) A person who intends to register a SIM-card shall provide the
> following particulars to the telecommunications operator or agent—
>
> (a)
>
> full names;
>
> (b)
>
> identity card, service card, passport or alien card number;
>
> (c)
>
> date of birth;
>
> (d)
>
> gender;
>
> (e)
>
> physical address;
>
> (f)
>
> postal address, where available;
>
> (g)
>
> any other registered subscriber number associated with the subscriber;
>
> (h)
>
> an original and a copy of the national identity card, service card,
> passport or alien card;
>
> (i)
>
> an original and a copy of the birth certificate, in respect of
> registration of minors;
>
> (j)
>
> subscriber number in respect to existing subscribers;
>
> (k)
>
> an original and true copy of the certificate of registration, where
> relevant;
>
> (l)
>
> a letter duly sealed by the chief executive officer or the person
> responsible for the day to day management of the statutory body.
>
>
> (while your ID would normally have a photo- it is vastly different from
> a digital photo which can become part of a biometric register).
>
>
> I cannot insist on this enough, a SIM Card registration is not the same
> thing as MPESA (or other mobile money platform registration). The
> requirements for SIM Card registration have to remain as basal as possible.
>
>
> On Wed, Mar 16, 2022 at 9:33 PM Mwendwa Kivuva via KICTANet
> <kictanet at lists.kictanet.or.ke <mailto:kictanet at lists.kictanet.or.ke>>
> wrote:
>
> Since SIM card data is used by a large section of the population for
> mobile banking (Safaricom has 30 million mobile money customers) -
> and banking regulations require a photo ID, should the regulation be
> harmonised for all mobile money customers to provide their photo ID?
>
> KICTANet had a Thought Leadership Forum with the ODPC, and the
> question of DPIA came up. I can't remember the response. The
> recording of the forum is available here
> https://youtu.be/Rmdvoc8Valo <https://youtu.be/Rmdvoc8Valo>
>
> On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet,
> <kictanet at lists.kictanet.or.ke
> <mailto:kictanet at lists.kictanet.or.ke>> wrote:
>
> Listers,
>
> I am not sure if I am being paranoid but the SIM card
> re-registration order ostensibly by CA (Communications
> Authority) and which has mobile operators asking us to
> te-register our SIM cards by April or risk being deregistered,
> seems like regulatory overreach.
>
> CA says under the SIM Registrations regulations of 2015, MNOs
> are required to update their registers with details including ID
> documents and photo IDs. The reason given, ostensibly, is that
> many had their SIM details registered before that law came into
> place.
>
> Speaking of laws coming into operation, the Data Protection Act,
> itself came into effect in 2019. Significantly long after the
> said regulations.
>
> In seeking to protect privacy and personal data, the DPA
> requires Data Minimisation where personal data collected should be:
> "adequate, relevant and limited to what is necessary in relation
> to the purposes for which they are processed (‘data
> minimisation’);" Sec. 25(d) DPA, 2019
>
> This means that data that the controller does not really need to
> achieve a specific purpose, should not be collected.
>
> Biometric information such as Passport Photos that the Operators
> will take and store,for example, are in my opinion, surplus to
> requirements.
>
> The identification of the subscriber can be done without
> collection of intrusive biometric data for example by using
> national IDs. CA explicitly asks that the operators verify
> details with the Integrated Personnel Registry System. so
> collection of biometric data to me is disproportionate and
> cannot meet the threshold of lawful basis.
>
> Being the later law, and by the Huduma Number case precedent,
> the data minimisation provisions of the DPA, 2019 in my opinion
> hold primacy and in fact impliedly, repeal or render unlawful,
> the requirements for photo taking for SIM registration in the
> 2015 regulations.
>
> 2. Data Protection Impact Assessment.
>
> Another question I would have for the CA, the Data Commissioner
> and mobile operators, is if, as per the precedent sent by
> Justice Ngaah in the Katiba Institute v. MoICT & others
> regarding the need for the conduct of a Data Processing Impact
> Assessment, has been carried out in this instance when CA
> proposes to have collected the data of more than 30 million
> subscribers including biometric data.
>
> I think this is a plain case of flouting judicial guidance viz a
> viz when DPIAs should be carried out and CA should have had this
> carried out first before issuing the said directive.
>
> Regards,
>
> James G. Mbugua
> Data Privacy Consultant & Tech Policy Blogger
> @jgmbugua <mailto:jgmbugua at gmail.com>
>
>
>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke <mailto:KICTANet at lists.kictanet.or.ke>
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> <https://lists.kictanet.or.ke/mailman/listinfo/kictanet>
> Twitter: http://twitter.com/kictanet <http://twitter.com/kictanet>
> Facebook: https://www.facebook.com/KICTANet/
> <https://www.facebook.com/KICTANet/>
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com
> <https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com>
>
>
> KICTANet is a multi-stakeholder Think Tank for people and
> institutions interested and involved in ICT policy and
> regulation. KICTANet is a catalyst for reform in the Information
> and Communication Technology sector. Its work is guided by four
> pillars of Policy Advocacy, Capacity Building, Research, and
> Stakeholder Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable
> behaviors online that you follow in real life: respect people's
> times and bandwidth, share knowledge, don't flame or abuse or
> personalize, respect privacy, do not spam, do not market your
> wares or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT
> policy engagement platform.
>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke <mailto:KICTANet at lists.kictanet.or.ke>
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> <https://lists.kictanet.or.ke/mailman/listinfo/kictanet>
> Twitter: http://twitter.com/kictanet <http://twitter.com/kictanet>
> Facebook: https://www.facebook.com/KICTANet/
> <https://www.facebook.com/KICTANet/>
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.com
> <https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.com>
>
>
> KICTANet is a multi-stakeholder Think Tank for people and
> institutions interested and involved in ICT policy and regulation.
> KICTANet is a catalyst for reform in the Information and
> Communication Technology sector. Its work is guided by four pillars
> of Policy Advocacy, Capacity Building, Research, and Stakeholder
> Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable
> behaviors online that you follow in real life: respect people's
> times and bandwidth, share knowledge, don't flame or abuse or
> personalize, respect privacy, do not spam, do not market your wares
> or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT policy
> engagement platform.
>
>
>
> --
> *Mercy Mutemi, Advocate*.
>
> */
> /*
>
>
> _______________________________________________
> KICTANet mailing list
> KICTANet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/benson_muite%40emailplus.org
>
>
> KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
>
> KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.
>
More information about the KICTANet
mailing list