The case is a watershed moment in the regulation of data-driven public sector initiatives
The Context: A Global Biometric Identification Industry
Digital technologies dominate decisions about the future of public infrastructures like civil registration and electoral systems, social assistance, and banking. The prospect of digital transformation in these sectors stokes optimism in emerging economies and receives ample support from influential international development and foreign aid institutions like the Inter-American Development Bank, the European Union, and the World Bank.
In the case of digital identification systems (digital ID), the 2030 Sustainable Development Goals, specifically Target 16.9, which obliges governments to “provide legal identity for all,” unleashed a tidal wave of global investment (from wealthy economies). Those investments are tied to the untested assumption that there is a rough equivalence between a digital ID and legal identity, which is anchored in the human right to recognition as a person before the law. The actual integration of human rights and development languishes far behind the implementation of these technologies, but further investment in understanding and mitigating the human rights implications of this massive digital ID industry couldn’t be more urgent.
Most digital ID systems utilize biometric identifiers like fingerprints or facial images as a means of matching records (an anti-fraud mechanism that is far from foolproof). In most cases, new e-ID technologies are also layered on top of existing identification systems of all shapes and sizes, without meaningful public engagement or regulatory reform. All over the world, as systems roll out in rapid succession, a growing body of evidence suggests that the people already struggling with structural disadvantage under these regimes end up suffering compound harm in a digital transformation. In many countries, the systems are rolled out without a data protection law or in the absence of an implementing framework (see Uganda, India, Jamaica, and Brazil, for example).
The Katiba Institute Decision
Last week, a Kenyan High Court, a trial court that hears cases for judicial review, handed down a landmark judgment with important global ramifications for all stakeholders in digital transformations. The Court declared Kenya’s digital ID system – the National Integrated Identity Management System (NIIMS), or Huduma Namba (Swahili for “service number”) – illegal because the government failed to study the potential data privacy risks and devise ways to mitigate them before collecting and processing sensitive data from millions of people and taking the decision to roll out ID cards using the data. That kind of study is called a data protection impact assessment (DPIA). According to the Court in Katiba Institute, Article 31 of Kenya’s 2019 Data Protection Act – a law similar to the EU’s General Data Protection Regulation (GDPR) – requires that step. But importantly, the Court wasn’t only looking at the 2019 Act, which hadn’t yet been adopted when Kenya began its digital ID project. Judge Jairus Ngaah grounded his decision in the 2010 Constitution of Kenya, and specifically Article 31, guaranteeing the right to privacy.
Kenya’s Data Protection Act was passed in a hurry in November 2019, after the fingerprints, facial images, and extensive biographical data of 38 million people had already been collected for NIIMS, back in April and May 2019. The Kenyan authorities responsible for the Huduma Namba system argued that Article 31 of the Act couldn’t apply because all that data was collected before the Act took effect. The adoption of the DPA factored in the outcome of a related constitutional case, Nubian Rights Forum, et al. v. Attorney General, et al., decided in January 2020. In Nubian Rights Forum, a three-judge bench of the High Court ruled that the system could not advance without a comprehensive legal framework that would address not only data privacy concerns, but also risks of discrimination, exclusion and mass surveillance. That case is currently on appeal.
Echoing the concerns motivating these legal challenges, Judge Ngaah concluded that the system’s implementers “put the cart before the horse” by collecting data and rolling out Huduma cards without undertaking the necessary steps required under the Data Protection Act and the constitutional rights it safeguards. Recognizing the immense power of such a system to threaten constitutional rights including the right to privacy, the Court affirmed the retroactive application of Section 31 of the Data Protection Act: “I will stand with the individual against the might of the state and hold that fairness is in the interpretation of Section 31 as being retrospective in its application.”
Authority and Influence in Questions of Data Governance
The emergence of new standards should be led from the jurisdictions and people most directly impacted. When it comes to grappling with the most pressing legal questions thrown up in the midst of digital transformations, a radical reorientation of influence in global norm development is overdue. The Katiba Institute decision sets a precedent not only for Kenya, or for East Africa, but one worthy of study globally that is already reverberating from India to Brazil. The case addresses some of the same fundamental questions facing the EU as it elaborates a digital transformation agenda with eID and e-services at its center. And its holding’s stance on fairness in relations between individual rights and state power is equally relevant in the United States, where biometric databases flourish and persistently evade scrutiny under our privacy laws and Bill of Rights.
Is conducting a DPIA on a system like NIIMS enough? No. Civil society groups have been pressing for more holistic protections, including legal safeguards and practical steps to ensure that the system does not discriminate against groups who already face discriminatory laws and practices in accessing legal identification documents, including proof of Kenyan nationality. Kenya is not alone in failing to address the impact of compounding exclusion through the introduction of a digital ID system.
What happens to the data already collected? We don’t know. Calls for the deletion of the data emerged immediately. Last year, the Kenyan government claimed that the data had been “cleaned up and matched” and, in November 2020, the ICT Cabinet Secretary, Joe Mucheru, announced that it was in the process of generating Huduma Cards, intended to replace national IDs and other forms of identification by the end of 2021. With millions of Kenyans and residents unenrolled, many have questioned the feasibility of that step even before the Katiba Institute ruling.
Laura Bingham is the inaugural Executive Director of the Temple Institute on Law, Innovation, and Technology. She served as a member of the legal team that brought the Katiba Institute case before the High Court.