Kenyan High Court declares surveillance policy unconstitutional
Okiya Omtatah Okoiti v Communications Authority of Kenya and Others, Constitutional Petition No. 53 of 2017
Court: High Court of Kenya (Nairobi, Milimani Law Courts): Constitutional and Human Rights Division
Judgment date: 19 April 2018
The High Court of Kenya (the Court) has recently declared an intended government surveillance policy to be in conflict with the right to privacy, and therefore constitutionally invalid. The petitioner argued that, contrary to the law which requires public participation in policy formulation and implementation, and the Constitution of Kenya which protects the right to privacy, the Government of Kenya had secretly embarked on a plan to monitor the population by installing a communication surveillance system, dubbed Device Management System (DMS), on mobile phone networks operated by the first, second and third respondents. According to the petitioner, the DMS device would have the capability to spy or snoop on the general population and collect and store subscribers personal data, thereby enabling the government to access, collect and retain communication data belonging to subscribers. According to the Communications Authority of Kenya, the purpose of enforcing the DMS system was to combat counterfeit and illegal devices.
After reaffirming the importance of the right to privacy (at paras 63-64), the judgment went on to state (at para 65):
“Data protection is an aspect of safeguarding a person’s right to privacy. It provides for the legal protection of a person in instances where such a person’s personal particulars (information) is being processed by another person or institution (the data user). Processing of information generally refers to the collecting, storing, using and communicating of information. The processing of information by the data user/responsible party threatens the personality in two ways: a) First, the compilation and distribution of personal information creates a direct threat to the individual’s privacy; and (b) second, the acquisition and disclosure of false or misleading information may lead to an infringement of his identity.”
With regard to the limitations analysis, the Court noted that there were less restrictive means available to achieve the stated purpose for the DMS system, and fell outside of the legislative mandate of the Communication Authority of Kenya. As noted in the judgment (at para 76): “Technological change has given rise to concerns which were not present several decades ago and the rapid growth of technology may render obsolescent many notions of the present. Hence the interpretation of the Constitution must be resilient and flexible bearing in mind its basic or essential features. Like other rights which form part of the fundamental freedoms protected by the Bill of Rights, privacy is not an absolute right. A law which encroaches upon privacy will have to withstand the touchstone of permissible restrictions on fundamental rights.”
The Court then considered whether the respondents had engaged in adequate public participation in the process leading to he decision to acquire and install the DMS system. The Court took note of the fact that millions of subscribers and the general public whose records are held by mobile network operators had not been involved in any consultations. The Court therefore held that t the decision to install the DMS system and the purported implementation was done before undertaking any meaningful stakeholder engagement, and that it was therefore incapable of being read in a manner that is constitutionally compliant. The Court held further that the public whose data is held by the respondents must of necessity be involved in the engagements, and that the process must be wide enough to cover a reasonably high percentage of the affected population in the country.
The Court went on to make the following order:
- A declaration that policy decisions or regulations affecting the public must conform to the Constitution and the relevant statute in terms of both its content and the manner in which it is adopted and failure to comply renders the policy decision, regulation or guideline invalid.
- A declaration that the decision, policy or regulation seeking to implement the DMS system was adopted in a manner inconsistent with the provisions of the Constitution and applicable legislation, and lacked adequate public participation prior to its adopting and implementation, and is therefore null and void for all purposes.
- A declaration that the Communication Authority of Kenya was obliged to craft and implement a meaningful programme of public participation and stakeholder engagement in the process leading to the decision, policy and/or regulation or implementation of the DMS System.
- A declaration that the Communication Authority of Kenya’s request and/or purported intention and/or decision and/or plan seeking to integrate the DMS system into the telecommunications networks to create connectivity and access subscriber information is a threat to the subscribers’ privacy, and therefore a breach of the subscribers’ constitutionally guaranteed rights to privacy.
- A declaration that the Communication Authority of Kenya’s decision to set up connectivity links between the DMS system and the telecommunications networks is unconstitutional, null and void to the extent that it was arrived at unilaterally, without adequate public participation and is a threat to the right to privacy of subscribers and a gross violation of their constitutionally and statutory protected consumer rights.
- An order prohibiting the Communication Authority of Kenya from implementing its decision to implement the DMS system to establish connectivity between the DMS system and the telecommunications networks to access subscriber information.
The full judgment is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].