Briefly

Click to View

Briefly
Communications Authority Kenyapress_release
press_releaseKenya·Communications Authority Kenya·Briefly Analysis

Abstract

The Communications Authority of Kenya (CAK) has intensified its regulatory oversight on subscriber registration, particularly concerning SIM cards, underscoring the critical intersection of telecommunications law and data protection principles. This article examines the legal framework underpinning the CAK's directives, primarily the Kenya Information and Communications Act, 1998, and the Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015. It further analyses the significant implications of the Data Protection Act, 2019, on the collection, processing, and retention of subscriber data by telecommunication operators. Practitioners must navigate a complex regulatory landscape, ensuring clients comply with stringent registration requirements while upholding data privacy rights to mitigate legal and reputational risks.

Introduction

The digital landscape in Kenya is rapidly evolving, necessitating robust regulatory frameworks to ensure security, consumer protection, and orderly market development. At the forefront of this regulation is the Communications Authority of Kenya (CAK), established under the Kenya Information and Communications Act, 1998 (KICA). The CAK's mandate extends to licensing, managing frequency spectrum, protecting consumer rights, and enforcing compliance across the telecommunications, broadcasting, and postal sectors.

Recently, the CAK has renewed its focus on the comprehensive and accurate registration of telecommunication service subscribers, particularly concerning SIM cards. This drive is motivated by national security concerns, the fight against cybercrime, and the need to protect consumers from fraud. However, these regulatory imperatives invariably intersect with the fundamental right to privacy and the stringent requirements of the Data Protection Act, 2019. This article delves into the legal underpinnings of the CAK's directives on subscriber registration, analysing the obligations imposed on telecommunication operators and the critical data protection considerations that legal practitioners must address.

Background

The regulatory authority of the CAK is primarily derived from the Kenya Information and Communications Act, 1998 (KICA), which provides the overarching framework for the communications sector. Section 5 of KICA outlines the object and purpose of the Authority, which includes licensing and regulating telecommunication, radio-communication, and postal services. To operationalise these provisions, the CAK has promulgated various subsidiary legislations, notably the Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015 (Legal Notice No. 163 of 2015).

These Regulations of 2015 impose specific obligations on telecommunication operators regarding the registration of subscribers, including the requirement to collect and retain identification particulars. Failure to comply can lead to penalties, including fines and imprisonment. More recently, the enactment of the Data Protection Act, 2019 (DPA), introduced a new layer of compliance for all entities processing personal data in Kenya, including telecommunication operators. The DPA, which came into force on 25th November 2019, gives effect to Article 31(c) and (d) of the Constitution of Kenya, 2010, on the right to privacy, and establishes the Office of the Data Protection Commissioner (ODPC) to oversee its implementation and enforcement. This dual regulatory environment necessitates a careful approach to subscriber data management.

Analysis

The CAK's recent directives on SIM card registration underscore the Authority's commitment to enforcing compliance with the Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015. These regulations mandate telecommunication operators to register all subscribers and verify their identification particulars. The CAK has previously issued deadlines for re-registration and deactivation of unregistered SIM cards, with significant numbers of lines being disconnected for non-compliance. For instance, the regulations prohibit the hawking of SIM cards and require registration to be done in specific shops using identification documents, aiming to curb mobile phone fraud and other crimes.

A critical aspect of these directives involves the registration of SIM cards for minors, where parents are required to use birth certificates and their own identification documents. This requirement, while aimed at child online protection, highlights the extensive data collection involved. Telecommunication operators, as data controllers, are obligated under the Data Protection Act, 2019, to process personal data lawfully, minimise data collection, restrict further processing, ensure data quality, and establish security safeguards. The DPA also requires data controllers and processors to register with the Office of the Data Protection Commissioner (ODPC) and renew their registration every three years.

Challenges arise in reconciling the CAK's enforcement mechanisms with the DPA's principles. For example, the collection of digital passport-size photos during SIM card re-registration, as reportedly required by some operators, has raised questions regarding proportionality and consent under the DPA, especially if the CAK's directive itself did not explicitly require photos. The DPA mandates that data processing must be for a lawful purpose and compatible with the original purpose of collection, or fresh consent must be sought. Any extensive data collection beyond the CAK's directive would necessitate a Data Protection Impact Assessment (DPIA) by the telecommunication operators. The DPA empowers the Data Commissioner to issue enforcement notices for non-compliance, with penalties including fines and imprisonment.

Furthermore, the Kenya Information and Communications Act, 1998, also contains provisions related to interception of messages and disclosure of communication contents, which must now be interpreted in light of the DPA's robust privacy protections. The interplay between these statutes creates a complex compliance environment, requiring operators to not only meet the CAK's operational and security requirements but also adhere strictly to data protection principles, including transparency, accountability, and data subject rights such as access, correction, and deletion.

Conclusion

The enhanced focus by the Communications Authority of Kenya on subscriber registration, particularly for SIM cards, signals a tightening of regulatory enforcement in the telecommunications sector. Legal practitioners advising telecommunication operators and other entities involved in subscriber data processing must ensure a comprehensive understanding of both the Kenya Information and Communications Act, 1998, and its subsidiary regulations, alongside the Data Protection Act, 2019.

Practitioners should advise clients to conduct thorough internal audits of their data collection, processing, and storage practices for subscriber information to ensure full compliance with the DPA's principles and the CAK's directives. This includes verifying the lawful basis for data processing, obtaining explicit consent where necessary, implementing robust data security measures, and ensuring adherence to data minimisation principles. Proactive engagement with the Office of the Data Protection Commissioner and the CAK, coupled with regular training for staff on data protection and regulatory compliance, will be crucial in mitigating legal risks and avoiding significant penalties. The evolving regulatory landscape demands continuous vigilance and a strategic approach to compliance to safeguard both operational integrity and data privacy rights.

Citations

  1. 1.The Kenya Information and Communications Act, 1998 (No. 2 of 1998)
  2. 2.The Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015 (Legal Notice No. 163 of 2015)
  3. 3.The Data Protection Act, 2019 (No. 24 of 2019)
  4. 4.The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
  5. 5.The Data Protection (Complaints Handling and Enforcement) Regulations, 2021