July 25, 2009
On July 20, 2009, during an event to mark the tenth anniversary of the Communications Commission of Kenya (CCK), President Mwai Kibaki, through a speech read on his behalf by Vice President S. Kalonzo Musyoka directed “the Ministry of Information and Communication to put in place within six months from now, an elaborate databank that will ensure all mobile telephone subscribers are registered". The directive was preceded by the President’s concern over the increased use of mobile phones for criminal purposes.
In the wake of the directive, I took questions from journalists Jevans Nyabiage of the Daily Nation and Michael Ouma of the East African Standard.
Qstn: The president yesterday directed that all SIM cards should be registered within six months. Does the President’s directive constitute a regulation or it has to go through Parliament?
Ans: The President’s directive, albeit well-meaning, needs to be more clearly expressed in order for it to be properly applied. The clearest form of expression that it can be given is legislation. Section 27 of the Kenya Information and Communications Act, 1998 empowers the Minister for Information and Communications to make regulations with respect to “the privacy of telecommunication”. Presently, no such regulations have been made. This ministerial power would be the first thing to leap into the mind of those in charge of implementing the President’s directive. The Minister can invoke this section to make regulations providing for the collection, storage and use of subscribers’ personal information. Being in the nature of ministerial regulations, they would not need to be considered by Parliament and the Minister may issue them through a Legal Notice. On the other hand, Parliament may take this as an opportunity to pass a comprehensive legal framework governing the collection, management and use of personal information in Kenya not only in telecommunications but in all spheres of commerce and governance. This would be through an Act of Parliament which would take a longer time before it can acquire the force of law.
Qstn: I am just wondering whether [the President’s directive] infringes on the right of privacy of individuals.
- While civil libertarians would argue that the implementation of the President’s directive would amount to an infringement on the privacy of individuals, the state would argue that the move is necessary as a matter of national security and in the interests of safeguarding the welfare of the consumers of mobile phone services. The two arguments are equally compelling, though the state would appear to have the upper hand. Save as a broad constitutional norm encompassed in the right against unlawful entry and the search and seizure of one’s property and effects, the right to privacy is not expressly legislated as a constitutional norm in Kenya. As a corollary, there is no express constitutional right to confidentiality and the protection of personal information. Kenyan practice on the right to privacy and confidentiality is guided largely by English Common law – a system of law which has developed from the judicial opinions of the English judiciary. On the other hand, while the Constitution is not clear on individual privacy, it very clearly permits the abrogation of constitutional rights in the interests of public welfare and national security.
Qstn: What are the possible hurdles that the move is likely to face?
- Opposition from civil libertarians who argue that the implementation of the directive would be an infringement on the individual’s right to privacy.
- The period of six months may be an onerous deadline for mobile phone operators. If we have approximately 18 million mobile phone subscribers in the country, and assuming that the legal framework is in place very shortly after the directive, we are talking about registering 3 million people per month. That’s about 100,000 people per day. Depending on the nature and breadth of the information that has to be registered, the process may be an enormous strain on the infrustructural and financial resources of some of the operators. Spain, which has over 20 million pre-paid mobile phone users, gave a period of almost a year for their registration.
- There is an inherent technical difficulty in fashioning a legal framework that perfectly balances the spectrum of the legal rights and obligations that stand to be affected by the President’s directive: the state’s claim to preserving national security by curbing phone-related crime; the individual’s right to privacy; the mobile operators’ claim to protection from new licensing conditions that roll back on their investment; the consumer’s increased vulnerability to identity theft, etc.
- The implementation of the directive may not achieve dramatic results in crime prevention and it may lead to new forms of crime, such as identity theft.
Qstn: Does the CCK currently have any legislation that compels mobile service providers to demand for identification before issuing out a SIM card to a subscriber?
The simple answer to this question would be no. There is no law that imposes such an obligation on mobile service providers. As I have stated, section 27 of the Kenya Information and Communications Act empowers the Minister for Information and Communications to make regulations with respect to “the privacy of telecommunication” but no such regulations have been made.
Perhaps an equally valid question to ask would be “is there any law that forbids mobile service providers from taking personal identification information from their subscribers?”
The answer again is “no”. Already, many subscribers of the ZAP and M-PESA mobile phone money transfer services have had to give their personal information to the operators as a precondition for registering for the services.
Qstn: What is the position on the matter as contained in the KCA Bill as well as any related legislation?
I have previously referred to the Constitution of Kenya and section 27 of the Kenya Information and Communications Act, 1998. In addition, Section 93 of the Act forbids any person from disclosing without consent any “information with respect to any particular business… “which relates to the private affairs of any individual or to any particular business during the lifetime of the individual or business”.
However, the section provides for three instances in which disclosure may be lawfully made:
in the course of the performance of the duties of the CCK;
in the investigation of a criminal offence or for the purpose of any criminal proceedings;
for the purpose of any civil proceedings brought under or by virtue of the Act.
Any disclosure of information that contravenes this section is punishable by a fine of up to Kshs. 100,000/-
Section 31 makes it an offence for a telecommunications operator to intercept or disclose a message sent through the operator’s system or to disclose the statement or account of its subscriber. The prescribed punishment for the offence is a fine not exceeding Kshs. 350,000 (USD 4375) or imprisonment for a term of up to 3 years or to both imprisonment and fine.
Further, section 44 forbids any person from using radio communication apparatus with the intention of obtaining information on the contents, the sender or addressee of any message. Except in the course of legal proceedings, the section forbids the disclosure of any information as to the contents, sender or addressee of any message coming to the person through a radio communication.
A conviction for contravening any of these provisions will lead to a fine of up to Kshs. 1 Million (USD 12,500) or imprisonment for up to 5 years or both fine and imprisonment.
Qstn: Do you think it would be prudent for operators to demand for forms of identification before issuing out new SIM Cards? What would such a legislation have on mobile service providers in as far as penetration and tapping new subscribers volumes is concerned?
Even though from a national security point of view it may be prudent for operators to retain the identity of their subscribers, it is not in the operators’ economic interests to do so. Even though this may be said of any market for consumer goods, it is especially evident in the mobile telephone services market that operators who are the first to tap into a virgin market acquire a considerable competitive advantage over their rivals. Brand loyalty and the inconveniences of migrating to another operator can be serious barriers to entry for late market comers. Therefore, market hungry operators want to put as little impediments as possible to the acquisition of a SIM card. The mandatory registration of SIM Card buyers would therefore not only slow down market penetration but it would also mean loss of business for the operator from consumers who would prefer not to give up their personal information. Moreover, in the absence of a law compelling them to retain their subscribers’ personal information, any self-interested operator would choose to avoid altogether the operational costs and the attendant legal risks of maintaining and protecting the personal information database.