High Court at Nairobi (Milimani Law Courts)
Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Institute & another (Exparte); Immaculate Kasait, Data Commissioner (Interested party) (Judicial Review Application E1138 of 2020)  KEHC 122 (KLR) (Judicial Review) (14 October 2021) (Judgment)
High Court quashes the decision to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019 on data protection impact assessment.
The Statute Law (Miscellaneous Amendments) Act, No. 18 of 2018 (Miscellaneous Amendments Act) amended several Acts of Parliament including the Registration of Persons Act, cap. 107. The amendment introduced the National Integrated Identity Management System (NIIMS) which was a new system of identification for both citizens of Kenya and foreigners registered as residing in Kenya. Following the amendment, the 1st and 2nd respondents embarked on a nationwide exercise of collection of personal and biometric data.
The amendment and its implementation were, however, challenged before the court in constitutional petitions by the Nubian Rights Forum, Kenya Human Rights Commission and the Kenya National Commission on Human Rights (Nubian Rights Forum case). The three petitions were consolidated and determined together by a three-judge bench of the court which declared that the collection of DNA and GPS co-ordinates for purposes of identification was intrusive and unnecessary, and to the extent that it was not authorised and specifically anchored in the empowering legislation, it was unconstitutional and a violation of article 31 of the Constitution of Kenya, 2010 (Constitution).
While the Nubian Rights Forum case was pending determination, Parliament enacted the Data Protection Act, No. 24 of 2019 whose date of commencement was November 25, 2019. The court in the Nubian Rights Forum case took judicial notice of that development and directed that the processing of data collected pursuant to the amendment of the Registration of Persons Act should not be undertaken before the Data Protection Act was operationalised and a regulatory framework put in place.
In a press statement made on November 18, 2020, the 2nd respondent announced the rollout of the identity card, commonly referred to as Huduma Card, that was issued to a data subject apparently after the collection and processing of personal data of the data subject. The applicants were aggrieved by the rollout or the launch of the Huduma Card and filed the instant judicial review application for orders of certiorari, mandamus and prohibition all aimed at the rollout of Huduma Card.
The interested party filed a preliminary objection to the effect that there existed an alternative remedy in sections 56 and 64 of the Data Protection Act, 2019 and regulations 23(5) and (6) of the Data Protection (Civil Registration) Regulations, 2020 available to the applicants. The interested party's position was that parties ought to have exhausted the available mechanisms for resolution of the instant dispute before invoking judicial review proceedings.
- Whether a judicial review court could entertain a judicial review application where an applicant filed a judicial review application before exhausting statutory dispute resolution mechanisms.
- Whether a constitutional research, policy and litigation institute established to further the implementation of the Constitution could lodge a complaint to the Data Commissioner.
- Whether the Data Protection Act applied retrospectively to such an extent or to such a time as to cover any action that could be deemed to affect the right to privacy.
- What was the effect of collection and processing of personal data without there being a legal framework for protection of the right to privacy?
- Whether the collection and processing of personal data under the National Integrated Identity Management System was subject to the Data Protection Act.
Relevant provisions of the law
Data Protection Act, No. 24 of 2019
Section 31 - Data protection impact assessment
(1) Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.
(2) A data protection impact assessment shall include the following:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights, and legitimate interests of data subjects and other persons concerned.
(3) The data controller or data processor shall consult the Data Commissioner prior to the processing if a data protection impact assessment prepared under this section indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject.
(4) For the purposes of this section, a "data protection impact assessment" means an assessment of the impact of the envisaged processing operations on the protection of personal data.
(5) The data impact assessment reports shall be submitted sixty days prior to the processing of data.
(6) The Data Commissioner shall set out guidelines for carrying out an impact assessment under this section.
- From a reading of section 56 of the Data Protection Act, a mechanism for internal dispute resolution had been provided to a data subject who was aggrieved by a decision of any person under the Act. Such person could lodge a complaint with the Data Commissioner. The form the complaint took, the manner in which it could be lodged and procedure for the resolution of the complaint were all matters that had been catered for in sections 56 and 57 of the Data Protection Act.
- Whether there was a remedy alternative to judicial review, which was equally convenient, beneficial and effective was one of the factors that a judicial review court would consider in exercising its discretion to grant or not to grant orders for judicial review. The alternative remedy could take one of several forms, one of which was the right of appeal which was the right encapsulated in section 56(1) of the Data Protection Act. According to that section, it was only where one was aggrieved by a decision made under the Act, that he could lodge a complaint to the Data Commissioner. The complaint in that context would be an appeal against the decision by which the data subject was aggrieved.
- Where there was an alternative remedy and Parliament had prescribed a particular form of procedure for resolution of a complaint, that procedure ought to be followed. Section 9(2) of the Fair Administrative Action Act implied that where there existed internal mechanisms for resolution of the dispute which, inevitably, would yield an alternative remedy, it was no longer a matter of the court's discretion to entertain, let alone grant, an application for judicial review. In that event, the court would not review the administrative action until the internal mechanism had been exhausted.
- The mechanism set up in sections 56 and 57 of the Data Protection Act would qualify as one of those internal mechanisms for appeal or review and all remedies available under any other written law which the Legislature had in mind in section 9(2) of the Fair Administrative Action Act and which had to be exhausted in any particular case before one invoked the jurisdiction of a judicial review court.
- The applicants could have had sufficient reasons not to lodge their respective complaints with the Data Commissioner and they instead went directly to the court. The 1st applicant could have a point there but not the 2nd applicant. The internal mechanism under the Data Protection Act was available only to a data subject, which the 1st applicant was not. The 1st applicant was a constitutional research, policy and litigation institute established to further implementation of Kenya's Constitution and generally to seek the development of a culture of constitutionalism in Kenya. Not being a data subject, the burden upon the 1st applicant was to demonstrate how it was affected by a decision by any person under the Data Protection Act.
- The 1st applicant might not have been a public-spirited citizen raising a serious issue of public importance but it was, for all intents and purposes, a public-spirited entity raising an issue of public interest. It could also be recognised as a pressure group in the implementation of Kenya's Constitution and which generally sought the development of a culture of constitutionalism in Kenya. The 1st applicant lacked standing to lodge a complaint to the Data Commissioner under section 56 of the Data Protection Act, but it certainly had the necessary locus to lodge the instant proceedings because of sufficiency of interest.
- The 2nd applicant's position was shaky; he was bound to comply with and follow the prescribed procedure set out in the Data Protection Act. He could have had good reasons to avoid those procedures but it was for that reason that section 9(4) of the Fair Administrative Action Act provided a window for exemption from the internal mechanisms but only after the applicant moved the court and sought such exemption.
- The reasons given by the applicant for sidestepping the internal dispute resolution mechanisms put in place could only have been considered in the context of the application for exemption; it was not open to the applicants, or any of them, to decide unilaterally that the 2nd applicant needed not comply with section 56 of the Data Protection Act and section 9(2) of the Fair Administrative Action Act but instead directly invoked the jurisdiction of the instant court to determine his complaint.
- Legislation could be retrospective in its application and such an intention had to be either apparent from the statute in question or could be implied, as a matter of necessity. From the preamble of the Data Protection Act, it was created to give effect to the right to privacy guaranteed under part (c) and (d) of article 31 of the Constitution. Section 3 of the Act, on the object and purpose of the Act, shed more light on how the right to privacy was to be protected.
- From a reading of the preamble to the Data Protection Act together with section 3 thereof on the Act's object and purpose, the Act was intended to be retrospective to such an extent or to such a time as to cover any action taken by the State or any other entity or person that could be deemed to affect, in one way or the other, the right to privacy under article 31(c) and (d) of the Constitution.
- The need to protect the constitutional right to privacy did not arise from the enactment of the Data Protection Act; the right accrued from the moment the Constitution was promulgated. It would be unreasonable, in the circumstances, to argue that the obligation to protect the individual rights under article 31 of the Constitution was a new obligation or duty imposed on the State only when the Data Protection Act came into force and that for that reason, section 31 of the Data Protection Act could not be said to be retrospective.
- The amendments introduced in section 9 of the Registration of Persons Act, cap. 107 and the events that followed pursuant to those amendments, more particularly the nationwide collection of personal and biometric data in March 2019, would in some way impact on the right to privacy under article 31 of the Constitution. It was because of such likely impact that section 3 of the Data Protection Act stated that the Act was intended to regulate the processing of such personal data; that the processing of the personal data of a data subject was guided by certain principles whose import was to protect an individual's right to privacy; that the Act was intended to protect the individual's personal data and, that the Act was also intended to provide data subjects with rights and remedies whenever their right to privacy was infringed.
- Owing to the likely impact of the amendments to section 9 of the Registration of Persons Act and the exercise of collection and processing of personal data on the individual's right to privacy, it would have been prudent, if not for anything else, for good order, for the State to ensure that the legal framework for protection of the right to privacy was in place before taking action likely to infringe the individual's right under article 31 of the Constitution. Considering the object and purpose of the Data Protection Act, and more importantly, considering that the Act was intended to give effect to article 31(c) and (d) of the Constitution, it would have been reasonable to have the Act in place before the purported amendment to section 9 of the Registration of Persons Act and before the collection and processing of personal data.
- Since the State chose to put the cart before the horse, so to speak, it had to live with the reality that there existed legislation against which its actions had to be weighed irrespective of when they were taken as long as those actions touched on the individual's right under article 31 of the Constitution. There was no other scale upon which to weigh the actions of the State to collect and process personal data except that provided by the Data Protection Act, at least to the extent that it was an Act meant to put into effect the constitutional right to privacy under article 31 of the Constitution.
- There was always the duty on the part of the State to ensure that the Bill of Rights under Chapter IV of the Constitution, including the right to privacy under article 31 of the Constitution was respected and protected. Section 31 of the Data Protection Act did not impose any more obligation or duty on the State than that which the State hitherto had to bear. If anything, it was the individual's constitutional rights, which, for all intents and purposes, were vested rights, that were under threat by the excesses of the State in collecting and processing data without an existing legal framework to ensure that even as the State embraced a new system of identification, the right to privacy was protected. That was why section 31 was retrospective in its application. It was more of a bulwark against the excesses of the State than a tool imposing new obligations or duties on the State.
- How the single question of fairness would be answered in respect of a particular statute would depend on the interaction of several factors, each of them capable of varying from case to case. Thus, the degree to which the statute had retrospective effect was not a constant. Nor was the value of the rights which the statute affected, or the extent to which that value was diminished or extinguished by the retrospective effect of the statute.
- The unfairness of adversely affecting the rights, and hence the degree of unlikelihood that that was what Parliament intended, would vary from case to case. So also, would the clarity of the language used by Parliament, and the light shed on it by consideration of the circumstances in which the legislation was enacted. All those factors had to be weighed together to provide a direct answer to the question whether the consequences of reading the statute with the suggested degree of retrospectivity were so unfair that the words used by Parliament could not have been intended to mean what they could appear to say.
- Fairness was in interpreting section 31 of the Data Protection Act as being retrospective in its application. There was the judgment of the court in the Nubian Rights Forum case where the court held that while the Data Protection Act had included most of the applicable data protection principles, the Registration of Persons Act was not one of the Acts to which the Data Protection Act applied as part of the consequential amendments. That notwithstanding, since one of the objectives of the Data Protection Act was the regulation of the processing of personal data, whose definition included biometric data collected by NIIMS, it also applied to the data collected pursuant to the impugned amendments.
- It was never suggested that the Nubian Rights Forum case judgment had been overturned or challenged. The finding that the collection and processing of personal data in March 2019 was subject to the Data Protection Act stood and the interested party and the respondents were estopped from denying that they were bound by that judgment, being a judgment in rem.
- The 1st applicant had made out a case against the respondents for the judicial review orders of certiorari and mandamus mainly on the ground of illegality. The respondents had not appreciated the import and the extent of the application of the Data Protection Act, with respect to collection and processing of data collected under the NIIMS. If they did, they would have given effect to section 31 of the Data Protection Act and conducted a data impact assessment before processing personal data and rolling out the Huduma Cards.
- The NIIMS was grounded in section 9A of the Registration of Persons Act which in turn came about as a result of the Miscellaneous Amendments Act. It was as a result of the amendment that the first two respondents embarked on a nationwide collection of personal data; in other words, section 9A, the newly introduced provision of the law in the Registration of Persons Act was the legal basis of the nationwide exercise to collect data. The Miscellaneous Amendments Act was nullified by a three-judge bench of the court in Petition No. 284 of 2020, Speaker of the Senate and 5 others v Speaker of the National Assembly & another, amongst other laws that were purportedly enacted by the National Assembly without involving the Senate contrary to the Constitution. The respondents filed an appeal against Petition No. 284 of 2020 but the instant court was not so certain about the status of the appeal.