Last Friday media reports suggested that the Communications Authority of Kenya(“the CA”) intended to roll out an application called the Device Management System (DMS) capable of tapping into a mobile phone carrier’s network enabling the CA to access personal information from people using that carrier’s network. The CA clarified that it intends to curb the proliferation of counterfeit devices by identifying and isolating those devices and denying them access to services and not collecting a subscriber’s personal information. Despite this, questions as to data protection for the rest of the users of the network have arisen.
It is well known that phone tapping, surveillance and interception of communications violates the right to privacy (see Kennedy vs Ireland (1987) I.R 587 and Coalition for Reforms and Democracy (CORD) v Attorney General Petition No.630 of 2014.)
There are two bases to challenge this phone tapping. Firstly, the Constitution provides that every person has the right to privacy – which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.
The Constitution grants every person the right to institute court proceedings when his/her fundamental right or freedom, such as the right to privacy as described above, has been denied, violated, infringed or is threatened.
The Kenya Information and Communications Act (Act no. 2 of 1998 (as amended)) (“KICA”), provides that the Cabinet Secretary in charge of Information and Communication has the power to make regulations in relation to a telecommunication service and specifically, to make regulations on the privacy of telecommunication.
Pursuant thereto, the KICA Consumer Protection Regulations require that a Customer has a right to personal privacy and protection against unauthorized use of personal information and specifically restricts a telecommunication licensee from allowing any person to monitor or disclose the content flowing through their system.
Further, the KICA (Registration of Subscribers of Telecommunication Services) Regulations bars the sharing of subscriber data by mobile providers without the express authority of the affected subscriber.
The current legal position in Kenya is that any person, including a public entity, collecting personal information has to abide by the Constitutional provisions of the Right to Privacy and the KICA regulations on consumer/customer protection.
Consequently, it appears that there would be good grounds to challenge the tapping of the carrier networks by the CA. For now the High Court has granted orders stopping the implementation of the CA directive ordering that it be heard on March 6 2017.