The Nubian Rights Forum (NRF), a community-based organization, the Kenya Human Rights Commission (KHRC), and the Kenya National Commission on Human Rights (KNCHR) have launched multiple legal challenges to the government’s implementation of the system. Although, in response to mounting criticism, Kenya passed a Data Protection Act requiring a privacy impact assessment to be conducted and approved by a data protection commissioner before the system’s implementation, the impact assessment has never been carried out.
In January 2020, the Kenyan High Court ordered the government to delay the implementation of the system until a comprehensive and constitutionally sound regulatory framework can be implemented to protect data privacy and address the exclusionary nature of the system. The court also determined that the collection of DNA and GPS information for identification is unconstitutional.
The NRF and the KHRC have appealed portions of the High Court decision on the basis that:
- the court declined to review the constitutionality of NIIMS itself in its current form;
- the court did not cite insufficient public participation in the introduction and implementation of NIIMS; and
- the court did not order the establishment of a task force that would include experts and civil society to design the system’s architecture and regulatory framework, as requested by the NRF.
In October 2020, the Kenyan government published a gazette notice announcing implementing regulations on NIIMS and the Data Protection Act, which neither acknowledge the High Court’s ruling nor correspond to domestic or international law and standards.
NIIMS is highly vulnerable to data security breaches because of the centralized way in which it would store information. A breach would have harsher repercussions because records would be linked across different databases, in a massive and integrated manner, through a unique ID number. Moreover, because NIIMS collects and stores biometric data, the consequences of a breach would be particularly dire and permanent: while a stolen password can be changed, it is impossible to alter biometric markers. In addition, there are insufficient protections against unauthorized access across the entire system.
The introduction and implementation of a centralized biometric ID system should not proceed without democratic checks and balances, due to its wide-ranging impacts on basic rights and fundamental freedoms. The Kenyan government violated the Constitution by using an administrative act to introduce legislation of such significance. The government also acted unlawfully by failing to consult the Senate in the adoption of the law, in light of its wide-ranging impacts at the national and county level in Kenya’s devolved system of government.
This article was first published by the Open Society Justice Foundation.