An edited version of this article was published in the Daily Nation on February 21, 2018.
I was buying a sim card when the customer care agent asked me to pose for a photo. I asked why they wanted a photo of me as they had all my personal information including a scanned copy of my national identity card. He mumbled back that government required SIM Card agents to take subscriber’s photos. Not convinced, I probed further on this new law but he could not elucidate the reasons. I later on discovered after reading the Kenya Information and Communications (Registration of SlM-cards) Regulations, 2015 that such a requirement doesn’t exist. The customer care agent either didn’t know the requirements, or lied to me about them.
This was not an isolated incident. Every day people give out their biometric data to both state and non-state agencies such as professional bodies, banks and even schools. Despite this mass data collection taking place for a while now, parts of the Kenyan citizenry have always expressed their reservations with the collection of biometric data.
During the first biometric voter registration in 2012, rumours were rife in western Kenya region on how fingerprint scans would make it easy for chiefs to arrest petty village offenders. Joseph Kamaru’s rendition of Mau Mau’s song Uhoro Uria Mwaiguire tells of a community mourning the incarceration of their war heros who refused to have their fingerprints taken. This reservation and fear played out recently in 2017 when some Mau Mau veterans raised concerns around biometric voter registration for fear of arrest over crimes they did while fighting for independence. All these show a lingering historical concern on the use of technology that communicates how some feel about the collection and use of biometric data.
In addition, there is currently no data protection law stipulating how personal information like biometric data should be handled and processed by both private and state actors. In fact, the only place where biometrics have been mentioned in Kenyan law is in the Elections Act. According to this legislation, biometrics are unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures. Even the abandoned Data Protection Bill of 2013 only contained a mention of fingerprints and blood type which were to be categorised as personal information.
Motivation behind collection of data
Data collection is part of know your customer logic, both for efficiency, trust and security. But increasingly, data collection has in itself become the business model of most companies. The value of personal aggregated personal thoughts, habits, and social networks are as valuable as any other high end market activities, witfully branded surveillance capitalism.
However, the collection and centralized storage of this highly sensitive and valuable data exposes these corporations to the risk of the data being misused at best and being stolen at worst. There are many reported cases of deliberate targeting of secure systems that hold sensitive data. These sensitive data is later sold to third parties in the black market who have illegal ways to monetize it such as by sale of data to fraudsters and identity theft.
In jurisdictions with data protection laws, the general privacy principle for corporations handling consumer data is that data obtained for one purpose shall not be used for any other purpose. This rule has general exceptions such as when the information is public, the data subject has given consent and public interest. However, Kenya has no data protection law which leaves personal information such as biometric data at the mercy of corporations that collect it. Security breaches and data loses are reported regularly in the US and Europe, but in Kenya there is no requirement for public or private sector entities to disclose such occurrences. Thus we don’t even know the risks that we face.
For example, during the 2017 general elections, many voters received targeted campaign texts messages that were rather too intrusive. The texts had the name of the voter and the exact constituency where they were registered as a voter. How politicians received access to the voter register and the voters cell-phone numbers remains a mystery to date. But it also shows us how vulnerable we are after subscribing for services where personal information is required, and could be shared with others without our knowledge.
One way we can push for accountability is by asking our newly elected parliamentarians to breathe life to Article 31 of the Constitution by legislating a data protection law. We are in dire need of a data protection law that give us, the data subjects, more say on how our personal information is collected and used by data processors. Daniel J Solove argued in his book ‘Conceptualizing Privacy’ that privacy ‘involves more than avoiding disclosure; it also involves the individual’s ability to ensure that personal information is used for the purposes she desires’.
Other than just the law, there is need for a legal obligation on data processors to be transparent about what data they are collecting, how will be used and who it will be shared with. This obligation can be based on the tort and crime of misuse of personal information. It will force data processors, such as public and private entities, to take data protection more seriously while protecting the data subject’s right to privacy. While many argue that they have nothing to hide, they should always remember that they have something to protect. Next time you think of buying a SIM Card, remember that you will probably be asked for more personal information than is required and that there is no law governing the use of that information.