Introduction and Background:
1.As its name suggests, the Statute Law (Miscellaneous Amendments) Act, No 18 of 2018 (which i will hereinafter refer to as ‘the Miscellaneous Amendments Act’) amended several Acts of Parliament for one reason or the other. Amongst the amended Acts was the Registration of Persons Act, cap 107. The nature of the amendment of this Act was described in the omnibus law as follows:
2.Generally speaking, the amendment introduced the National Integrated Identity Management System which is a new system of identification for both citizens of Kenya and foreigners registered as residing in this country. The reasons for the introduction of this system are in the nature of functions set out in the newly amended section and are, by and large, self-explanatory.
3.The amendment came into force on 18 January 2019 which, of course, is the same date that the Miscellaneous Amendments Act commenced.
4.Following this amendment, and more particularly in March 2019, the 1st and 2nd respondents embarked on a nationwide exercise of collection of personal and biometric data.
5.The amendment and its implementation were, however, challenged before this honourable court in constitutional petitions respectively filed as Petition Nos 56, 57 and 59 of 2019 by the Nubian Rights Forum, Kenya Human Rights Commission and the Kenya National Commission on Human Rights. The three petitions were consolidated and determined together by a three judge bench of this honourable court. The respondents in the present suit were amongst the seven respondents who were sued in those consolidated petitions.
6.In its decision rendered on 30 January 2020, the court ordered as follows:
7.While the Nubian Rights Forum case was pending determination, Parliament enacted the Data Protection Act, No 24 of 2019 whose date of commencement was 25 November 2019.
8.In its preamble the Act is said to be:
9.And its objects are set out in section 3 thereof; this section states as follows:
10.The court in the Nubian Rights Forum took judicial notice of this development and perhaps minding the impact this new Act had on the suit before it, the court directed that the processing of data collected pursuant to the amendment of the Registration of Persons Act should not be undertaken before the Data Protection Act is operationalised and a regulatory framework put in place. The regulatory framework was to, among other things, address the concerns raised in the suit on the individual’s constitutional right to privacy in view of the somewhat intrusive nature of the new identification system.
11.In a press statement made on 18 November 2020, the 2nd respondent announced the rollout of the identity card, commonly referred to as ‘Huduma Card’, that is issued to a data subject (who is defined in section 3 of the Data Processing Act as ‘an identified or identifiable natural person who is the subject of personal data’) apparently after the collection and processing of personal data of the data subject. The statement read in part:
14.The applicants were aggrieved by the rollout or the launch of Huduma Card and so by a motion dated 24 November 2020 filed under articles 23(3)(f) and 47 of the Constitution; section 7 and 8 of the Fair Administrative Action Act, 2015; section 8 and 9 of the Law Reform Act; and order 53 of the Civil Procedure Rules, 2010 they have asked this honourable court for judicial review orders of certiorari, mandamus and prohibition all aimed at the rollout of Huduma Card. The prayers for these orders have been framed as follows:
15.The 1st applicant has been described in the statement of facts as “a constitutional research, policy and litigation institute established to further implementation of Kenya’s 2010 Constitution and generally to seek the development of a culture of constitutionalism in Kenya.” It filed the application for, among other reasons, the interest of the public. The 2nd applicant has sued in “his own name as a registrant in NIIMS and a person whose personal data is in question”. In terms of section 3 of the Data Protection Act, he is a data subject.
16.In general terms, the applicants’ major bone of contention in this application is that the Huduma Card has been launched without a data impact assessment, contrary to the provisions of section 31 of the Data Protection Act and is also in defiance of the orders and direction of this honourable court in the Nubian Rights Forum case.
17.The application is opposed; to this end, the 1st respondent filed a replying affidavit; the 3rd respondent filed grounds of objection while the interested party filed a replying affidavit and a further affidavit. She also filed a notice of preliminary objection dated 5 March 2021. The 2nd respondent did not file any response.
18.Directions on the disposal of the applicant’s motion were taken on 27 January 2021 to the effect that the motion was to be disposed of by way of written submissions and, to that end, parties were to file and exchange their respective submissions within prescribed timelines. When the interested party subsequently filed her notice of preliminary objection to the hearing of the applicant’s application, the court directed that objection and the main motion shall be disposed of simultaneously; this was on 8 March 2021.
Interested Party’s Preliminary Objection:
19.The interested party’s preliminary objection is to the effect that there exists an alternative remedy in sections 56 and 64 of the Data Protection Act, 2019 and regulations 23(5) & (6) of the Data Protection (Civil Registration) Regulations, 2020 available to the applicants. Consequently, these proceedings contravene section 9(2) of the Fair Administrative Action Act, 2015 which provides that the high court shall not review an administrative action or decision under the Act unless the mechanisms including internal mechanisms for appeal or review and all remedies available under any other written law are first exhausted. The interested party’s position is that parties ought to have exhausted the available mechanisms for resolution of the instant dispute before invoking Judicial Review proceedings.
20.No doubt, the preliminary objection is questioning the jurisdiction of this honourable court to determine this suit. Paragraph 36 of the 1st interested party’s submissions casts away any doubt on the crux of the preliminary objection; it states as follows:
21.As always, the question whether the court has the requisite authority to determine any particular matter is an issue that calls for the court’s immediate attention whenever it is raised. It has been explained that without such authority the cannot take any step further in the determination of the dispute before it. (see the Owners of the Motor Vessel Lilian "S" vs. Caltex Kenya Limited (1989) KLR).
22.The learned counsel for the interested party has made fairly lengthy arguments on this question of jurisdiction. He submits that section 9 (2) of the Fair Administrative Action Act bars this honourable court from reviewing an administrative decision unless the dispute resolution mechanism and remedies available under any other statute are first exhausted.
23.It is the counsel’s position that there are inbuilt resolution mechanisms within the Data Protection Act for resolution of the sort of dispute that has been presented before this honourable court. Counsel made reference to regulation 23 (5) & (6) of the Data Protection (Civil Registration) Regulations, 2020 which is to the effect that any data subject aggrieved by the manner in which their personal data is processed can lodge a complaint with the civil registration entity, which will investigate, make a determination on the complaint and inform the data subject on their right of appeal to the Data Commissioner.
24.As far as section 56 of Data Protection Act, 2019is concerned, counsel urged that this provision of the law requires a data subject who is aggrieved by the decision of any person under the Act to lodge a complaint with the data commissioner. The Data Commissioner is, in turn, enjoined by the Act to investigate any complaint and make a determination within ninety days. This section goes further to prescribe various remedies in cases where there the Data Commissioner finds that there is a violation or threat of violation of the provisions of the Act.
25.Section 64 of the Act, on the other hand, provides that a person against whom any administrative action is taken by the Data Commissioner, including enforcement and notices, may appeal to this honourable court.
26.It is the interested party’s position that since the Act and the Regulations made thereunder not only provide for mechanisms for resolution of disputes but also prescribe remedies to address any violation or threat of violation of the Act, there is no need for this honourable court’s intervention.
27.Counsel for the interested party cited Republic vs National Environmental Management Authority (2011) eKLR where it was held that the availability of an alternative remedy was not, by itself, a bar to commencement of Judicial Review Proceeding because by their very nature, Judicial Review remedies are concerned with the process by which a decision is arrived and not the merits of the impugned decision. But where there is an alternative remedy, the applicant is bound to explain why he would prefer the order for judicial review.
28.In the instant case, the applicants failed to disclose the existence of an alternative dispute resolution mechanism and also failed to explain why that alternative remedy was not efficacious. Again, the applicants have failed to explain exceptional circumstances that would entitle them to sidestep the internal dispute resolution mechanisms and invoke the jurisdiction of a judicial review court instead.
30.The interested party submitted that the Data Protection Commissioner having assumed office on 16 November, 2020, before the present suit was filed, could easily have investigated, heard and determined any complaint, including the applicants’ complaint within the confines of the Data Protection Act, 2019. The learned counsel for the interested party urged this honourable court “to exercise restraint in interfering with such statutory dispute resolution mechanisms as those set out in sections 56 and 64 of the Act, so as to facilitate administrative autonomy and institutional capacity building of novel statutory bodies such as the Office of the Data Protection Commissioner.”
31.In response to the interested party’s submissions, Mr. Ochiel, the learned counsel for the applicants invoked article 23 of the Constitution cited Mark Ndumia Ndung’u v Nairobi Bottlers Ltd & another  eKLR and Dawda K Jawara v Gambia ACmHPR 147/95-149/96 and urged that remedies for violation of rights including the right to fair administrative action must be appropriate. The respondents, according to the learned counsel, bear the burden of proving that an alternative remedy is adequate and that where the availability of a remedy is not evident, it cannot be invoked to the detriment of a petitioner.
33.The applicants admitted that the suit was filed after the interested party had assumed office but that she did not produce any evidence “that she had a desk, an address, or working space or was able to handle or receive complaints within 48 hours of her appointment into a newly created office.”
34.The interested party is said to have adopted a rigid policy and a complaint to her would be rendered futile. Again, the interested party was incapable of determining whether the respondents had violated the order made in the Nubian Rights Forum case. In any event, like the respondents, the interested party’s interpretation of section 31 of the Act is contrary to the applicants’ own interpretation of this provision of the law.
35.The applicants’ counsel also urged that the 1st applicant is not a data subject and therefore lacks standing under regulation 23(5) and (6) and its only avenue is article 22 of the Constitution. Nonetheless, according to section 9(3) of the Fair Administrative Action Act, this honourable court can direct an applicant to first exhaust an alternative remedy before instituting proceedings; including by referring the issue to that forum. The remedy would, however, be unsuitable to the present case.
36.Section 56 and 64 of the Data Protection Act which the interested party has invoked read as follows:
37.Of course the interested party has also invoked the regulation on the procedure on determination of complaints but before delving into those procedures it is necessary that we consider the parent law.
38.As I understand the applicants, they do not dispute the fact that there are alternative dispute resolution mechanisms in place under the Data Protection Act. Their problem with those mechanisms is that first, at the time of filing suit, the Data Commissioner did not have the necessary physical infrastructure to handle their dispute; she neither had a physical address nor office facilities necessary to enable her undertake the tasks imposed upon her by the law.
39.The second limb of the applicant’s answer to the preliminary objection is that the 1st applicant is not data subject and therefore the option of the alternative dispute resolution is not open to it.
40.Third, the applicants urge that as much as there is an alternative resolution mechanism open, at least to the 2nd applicant, that option is not as efficacious and convenient as a court remedy or remedies would be. Furthermore, the Data Commissioner has no capacity to determine the questions presented before court and that it is only this honourable court that can give proper guidance on such questions.
41.Last but not least, while the alternative dispute mechanism may be open to the 2nd applicant who is recognised as a data subject under the Act, no such mechanism is open to such parties as the 1st applicant.
42.It is apparent from section 56 of the Act that indeed a mechanism for internal dispute resolution has been provided to a data subject who is aggrieved by a decision of any person under the Act. Such person may lodge a complaint with the Data Commissioner. The form the complaint takes, the manner in which it may be lodged and procedure for the resolution of the complaint are all matters that have been catered for in sections 56 and 57 of the Act.
43.Whether there is a remedy alternative to judicial review, which is equally convenient, beneficial and effective is one of the factors that a judicial review court would consider in exercising its discretion to grant or not to grant orders for judicial review. The alternative remedy may take one of several forms but one with which were are concerned at the moment is the right of appeal which, in my humble view, is the right encapsulated in section 56 (1) of the Act. I say so because, according to that section, it is only where one is aggrieved by a decision made under the Act, that he may lodge a complaint to the Data Commissioner. The complaint in this context would be an appeal against the decision by which the subject data is aggrieved.
44.Cases now abound for the that position that where there is an alternative remedy and parliament has prescribed a particular form of procedure for resolution of a complaint that procedure ought to be followed.
46.Section 9(2) of the Fair Administrative Action Act goes a step further to imply that in fact, where there exist internal mechanisms for resolution of the dispute which, inevitably, would yield an alternative remedy, it is no longer a matter of the court’s discretion to entertain, let alone grant, an application for judicial review. In that event, the court will not review the administrative action until the internal mechanism has been exhausted.
47.Due to its import in the disposal of the question at hand, it is necessary that I reproduce the entire section here; it reads as follows:
48.The mechanism set up in sections 56 and 57 of the Act would, in my humble view, qualify as one of those “internal mechanisms for appeal or review and all remedies available under any other written law” which the legislature had in mind in section 9 (2) of the Fair Administrative Action Act and which have to be exhausted in any particular case before one invokes the jurisdiction of a judicial view court.
49.Now, it could be true, as the applicants have contended, that they had what, in their respectable view, sufficient reasons not to lodge their respective complaints with the Data Commissioner but instead chose to come directly to this honourable court. For reasons that will become apparent in due course, the 1st applicant may have a point here but not the 2nd applicant.
50.The internal mechanism under the Data Protection Act is available only to data subject of which the 1st applicant is not. As earlier noted, the 1st applicant is “a constitutional research, policy and litigation institute established to further implementation of Kenya’s 2010 Constitution and generally to seek the development of a culture of constitutionalism in Kenya.” Not being a data subject, the burden upon the 1st applicant was to demonstrate how it is affected by a decision by any person under the Act. This then takes us to the question whether the 1st applicant has standing or ‘sufficient interest’ to lodge the present application.
51.Halsbury’s Law of England, Judicial Review Vol 61 (2010) 5th Edition at paragraph 656, speaks of ‘sufficient interest’ in the following terms:
52.The 1st applicant falls into any of these categories; it may not be ‘a public spirited citizen raising a serious issue of public importance’ but it is, for all intents and purposes, a public spirited entity raising an issue of public interest. It can also be recognised as a pressure group in the ‘implementation of Kenya’s 2010 Constitution and generally to seek the development of a culture of constitutionalism in Kenya’.
54.In the Word Development Movement Ltd case, the applicant was a renowned pressure group and it was described in the judgment in the following terms:
55.In that case, the applicant applied for judicial review of two decisions of the Secretary of State for Foreign Affairs in relation to aid to fund the Pergau dam in Malaysia. Earlier, in 1994 there were proceedings in public before the House of Commons Public Accounts Committee and the Foreign Affairs Committee which led the applicants' solicitors to seek an assurance from the Secretary of State that no further funds would be furnished. On 29 April 1994 the Foreign Secretary refused to give such an assurance. The refusal triggered the application.
56.By the notice of motion, the applicants sought to have both decisions quashed and an order preventing further payments from being made.
57.One of the issues that arose in the course of the hearing before the Divisional court was whether the applicants had standing to make the application.
58.While allowing the application, Rose LJ held that where standing is questioned in circumstances such as the applicant found itself in, the merits of the challenge are an important, if not dominant, factor when considering standing. The learned judge quoted Professor Sir William Wade's words in Administrative Law (7th edn, 1994) p 712 that:
59.Amongst other factors that influenced the decision of the court was the importance of vindicating the rule of law, as Lord Diplock emphasised in IRC v National Federation of Self-Employed and Small Businesses Ltd  2 All ER 93 at 107,  AC 617 at 644; the importance of the issue raised; the likely absence of any other responsible challenger; and the nature of the breach of duty against which relief is sought. All these factors, noted the learned judge, pointed to the conclusion that the applicants had a sufficient interest in the matter to which the application related.
60.While referring to a similar case that had been decided earlier, the learned judge noted further that:
61.I would say the same of the 1st applicant. It is true, as the interested party submitted, the 1st applicant lacked standing to lodge a complaint to the Data Commissioner under section 56 of the Data Protection Act, but it certainly had the necessary locus to lodge these proceedings because of sufficiency of interest.
62.The 2nd applicant’s position is shaky; for reasons that have been given earlier in this judgment, he was bound to comply and follow the prescribed procedure set out in in the Act. He might have had good reasons to avoid those procedures but I suppose it is of that reason that section 9(4) of the Fair Administrative Action Act provides a window for exemption from following the internal mechanisms but only after the applicant moves the court and seeks for such exemption. It is worth reproducing this subsection here for emphasis; it reads as follows:
63.The reasons given by the applicant for sidestepping the internal dispute resolution mechanisms put in place could only have been considered in the context of the application for exemption; needless to say, it was not open to the applicants, or any of them, to decide unilaterally that the 2nd applicant need not comply with section 56 of the Data Protection Act and section 9(2) of the Fair Administrative Action Act but instead directly invoke the jurisdiction of this honourable court to determine his complaint.
64.In short, the 2nd applicant’s application is misconceived and, for this reason, I would sustain the interested party’s objection against the 2nd applicant’s application. The objection is, however, overruled with respect to the 1st applicant’s application. For the reasons I have given, I am satisfied that the 1st applicant has properly invoked the judicial review jurisdiction of this honourable court and therefore its application is tenable and deserves to be considered on its own merits.
The 1st applicant’s case:
65.By and large, the applicant’s application is pegged on what, in the applicant’s view is the respondents’ non-compliance with section 31 of the Data Protection Act and for this reason it calls for a deeper attention by this honourable court. The section is relatively lengthy but owing to its import in the determination of this application, it is necessary that I reproduce it here; it states as follows:
66.The applicant’s case is that the by launcourt in the Nubian Rights Forum case. I gather from the judgment of this latter case that the order in issue was order no. III which stated thus:
67.The applicant’s argument, as I understand it, is that this particular order is consistent with section 31 of the Data Protection Act since both point to the requirement that a data impact assessment ought to be conducted before the processing of personal data and embarking on such activities as rolling out or launching of the Huduma Card. Thus, the nature of the violations by the respondents is simply that they processed data and launched the Huduma card without first complying with this condition precedent.
68.One of the arguments that have arisen in the submissions from the parties is whether section 31 of the Data Protection Act is applicable to the data collected under the NIIMS. According to the applicant, it is not just section 31 of the Act that applies; the respondents’ actions in collection and processing of data are subject to the entire Data Protection Act and therefore any decision made or action taken outside any of the provisions of the Act would be ultra vires the Act.
69.In support of its arguments, the 1st applicant cited the Nubian Rights Forum case and urged as follows:
71.According to the applicant, the question whether the Data Protection Act, in particular section 31 thereof is applicable to the respondents’ actions is fait accompli.
72.The applicant has urged, in the alternative, that even if the question of the application of the Data Protection Act was still open for debate, the court would still find that the Act was meant to apply retrospectively to all data collected under NIIMS.
73.According to the applicant, the Data Protection Act is a normative derivative of article 31 of the Constitution and that the rights to privacy protected under article 31 were guaranteed the moment the Constitution was promulgated. The rights are conferred by the Constitution and not by Data Protection Act; this Act only provides the structure of the implementation of the rights. On this point, counsel for the applicant urged that lack of a legislative framework to elaborate on a right can never be a legitimate reason why the duty bearer should not undertake reasonable steps to ensure that the right is fully facilitated. In this regard counsel cited Nairobi Law Monthly Company Limited v Kenya Electricity Generating Company & 2 others  eKLR where it was held that lack of legislation cannot be a reason to suspend the implementation of a constitutional right.
74.It was also urged that failure to conduct Data Protection Impact Assessment would amount to continuing violation of the law and the Constitution and that the only remedy in these circumstances would be to comply with the Act and conduct the requisite impact assessment.
75.It was also submitted that there is no legal bar to the retroactive application of the Data Protection Act and in this regard counsel relied on Samuel Kamau Macharia and Another v Kenya Commercial Bank Ltd and 2 Others  eKLR, where the Supreme Court addressed the question of retrospective application of a statute in the following terms:
76.It was submitted further on behalf of the applicant that since this honourable court found in Nubian Rights Forum case that one of the objects of the Data Protection Act is to regulate the processing of personal data and which, by definition, includes biometric data collected by NIIMS, the intention of the Act was that the Act would apply to the processing of data collected under NIIMS. And on this question of legislative intent counsel cited the Court of Appeal decision in Commissioner of Income Tax v Pan African Paper Mills (E.A) Limited (2018) eKLR where it was held:
77.Again, the court’s record showed that in Nubian Rights Forum, the respondents filed the Data Protection Bill in court as a response to the claim that there was no legislation on data protection; this in itself showed that they were in agreement that the intention of the Act was to apply retrospectively. Thus, the court’s order of 30 January 2020 would apply retrospectively to such a time as when the respondents began to collect or process data under NIIMS. On this point counsel relied on Mary Wambui Munene v Peter Gichuki King’ara & 2 others (2014) eKLR where the Supreme Court held that judicial decisions have retrospective effect because the wrong being remedied occurred before the case was instituted.
78.It was ironical, so urged the applicant’s counsel, that the interested party would rely on the provisions of the Data Protection Act to contest the sustainability of the applicants’ suit and at the same time argue that the Act was not applicable to the suit.
The Respondents’ and the Interested Party’s Case:
79.In response to this question of the applicability of section 31 of the Act, the respondents and the interested party urged that it is not in dispute that the respondents rolled out the mass collection of personal data under the National Integrated Identity Management System sometimes in March, 2019. It is further not in dispute that the Data Protection Act, 2019 was enacted by Parliament and assented to by the President on 8 November, 2019 and that commencement date of the said Act was 25 November, 2019. That being case, it was urged that at the commencement date of the Data Protection Act, 2019, the mass collection of personal data under NIIMS had already been completed.
80.While it is true that section 31 of the Act requires a Data Protection Impact Assessment to be carried out where processing of personal data is likely to result in high risk to rights and freedoms of the data subject, at the time personal data under NIIMs was being collected, a Data Protection Impact Assessment was not a requirement prior to the processing of the personal data. Rather section 31 of the Act imposes a new duty or obligation on the respondents after the collection of personal data under NIIMS had already been completed.
81.The interested party therefore urged that the fact that section 31 of the Act imposes a new duty or obligation that was not there before and during the collection of personal data under NIIMS means that the same cannot apply retrospectively. Counsel for the interested party relied on the Supreme Court decision in SK Macharia & another v Kenya Commercial Bank Limited & Others, SCK Application No 2 of 2011 where the Supreme Court stated that a retroactive law is not unconstitutional unless it inter-alia impairs obligations under contracts, divests rights or is constitutionally forbidden. The court noted that a statute which takes away or impairs vested rights acquired under existing laws, or creates new obligations or imposes a new duty in respect of transaction already past must be presumed to be intended not to have retrospective operation. The case of Municipality of Mombasa v Nyali Limited (1963) EA was also cited in support of the same point.
82.It was also urged that there is no provision under the Act that expressly provides that the said Act should apply retrospectively and, in any event, the applicants did not demonstrate that it was the intention of Parliament that section 31 of the said Act should apply retrospectively.
83.Finally, the interested party contested the applicants’ line of argument that it is the interested party’s case that that Act does not apply to the applicants’ suit. It was urged that the interested party’s case was that as at the time the personal data under NIIMS was being collected, section 31 of the Act did not apply.
Analysis and Determinations:
84.If the interested party’s argument is that save for section 31 of the Data Protection Act, the rest of the Act would apply to the applicant’s suit then I am unable to understand her argument against retrospective application of the Act. Following the interested party’s argument has not been that easy; it is, at best, confusing.Sample this.
85 .The interested party argues that it is not true, as suggested by the applicants, that the entire Act does not apply to the applicants’ suit and that it is only section 31 of the Act that does not apply retrospectively. To quote the learned counsel’s submission on this point, he said as follows:
86.But again he argues, apparently against the retrospective application of the entire Act, and states:
87.This to me appears to be a clear case of approbate and reprobate; on the one hand, the interested is approving that the Act is retrospective but, on the other hand, she is saying that it is not and that it only applies from the date of commencement. This the interested party cannot do; she is bound to elect and pursue either of the two alternatives; it is either the Act applies retrospectively or it does not.
88.But the interested party’s argument in support of the preliminary objection in which she sought to have the applicants held to account on compliance with certain provisions of the Data Protection Act, in particular, sections 56 and 64 of the Act and the Regulations made thereunder would betray her stance against the retrospective application of the Act. It certainly cannot be the case, and indeed not authority has been presented to this honourable court to support the argument that the Act is severable or is severable to such an extent that only certain provisions that are favourable to the interested party’s case are retrospective but those against it are not.
89.Something about the rule against retrospectivity in legislation.
90.In an article titled “The Rule Against Retroactive Legislation: A Basic Principle of Jurisprudence” published in the 1936 Minnesota Law Review. 1258, Elmer E. Smead traces the rule against retroactive legislation in ancient Greece in a case of Timokrates and the Athenian Ambassadors. There the Ambassadors had withheld money owed to the city-state, and were condemned to repay twice the amount. Timokrates succeeded in securing the enactment of a law to relieve the Ambassadors of this penalty, but as a consequence of the efforts of Demosthenes, the law was held to be invalid because it was retroactive.
91.This was the rule which the English common law later declared applicable as a guide to the construction of statutes. It was a rule that was in opposition to construing a statute so as to make it apply to cases arising prior to the enactment of the statute or acts from a time anterior to passage.
92.It was, however, acknowledged that as much as the courts viewed this rule as a guide in interpretation of statutes, Parliament could, if it so desired, pass a statute to apply to a past time. Thus, this principle in the English common law meant that the courts, in the exercise of their function of interpreting the law in cases which came before them, viewed themselves as bound by the rule of construction that no law should be given an operation from a time prior to its enactment unless Parliament had expressly provided that it should have such an effect (See Gillmore vs Shooter (1678) 2 Mod Rep 310) or unless the words of the Act could have no meaning except by the application to this past time. (See Blackstone Comm. 46).
93.This point was taken by the House of Lords in Wilson & others vs Secretary of State for Trade and Industry (2003) UKHL40 where Lord Scott of Foscote stated at paragraph 153 of the judgment as follows:
94.The exact words of Maxwell on the Interpretation of Statutes, 12th Edition (1969), at page 215 which the learned judge made reference to are as follows:
95.It is therefore beyond doubt that legislation can be retrospective in its application only that such an intention has to be either apparent from the statute in question or can be implied, as a matter of necessity.
96.The question posed in the instant suit is whether the Data Protection Act and in particular, section 31 was intended to have retrospective effect. This question can be answered adequately when one considers the circumstances surrounding the enactment of the Data Protection Act. The most obvious and certainly crucial background is that it was enacted against the backdrop of article 31 of the Constitution; as matter of fact, it is clearly indicated in the Act itself that it is meant to give effect to article 31 of the Constitution. That article reads as follows:
97.It is apparent from the preamble of the Act that it is created to give effect to the right to privacy guaranteed under part (c) and (d) of this Article of the Constitution; for the sake of emphasis, it is worth reproducing the preamble here again; its states as follows:
98.Section 3 of the Act, on the object and purpose of the Act, sheds more light on how the right to privacy is to be protected; the section has been produced earlier in this judgment but again it deserves to be reproduced here; it reads as follows:
99.Reading the preamble to the Act together with section 3 thereof on the Act’s object and purpose, it is clear that the Act was intended to be retrospective to such an extent or to such a time as to cover any action taken by the state or any other entity or person that may be deemed to affect, in one way or the other, the right to privacy under article 31(c) and (d) of the Constitution.
100.Needless to say, the need to protect the constitutional right to privacy did not arise with the enactment of the Data Protection Act; the right accrued from the moment the Constitution was promulgated. It would be unreasonable, in these circumstances, to argue, as the 1st interested party suggests, that the obligation to protect the individual rights under article 31 of the Constitution is a new obligation or duty imposed on the state only when the Data Protection Act came into force and that for this reason, section 31 of the Data Protection Act cannot be said to be retrospective.
101.There should not be any doubt that the amendments introduced in section 9 of the Registration of Persons Act cap 107 and the events that followed pursuant to these amendments, more particularly the nationwide collection of personal and biometric data in March 2019, would in some way impact on the right to privacy under article 31 of the Constitution. It is because of such likely impact that section 3 of the Data Protection Act states, in clear and unambiguous terms, that the Act is intended to regulate the processing of such personal data; that the processing of personal data of a data subject is guided by certain principles whose import is to protect an individual’s right to privacy; that the Act is intended to protect the individual’s personal data and, that the Act is also intended to provide data subjects with rights and remedies whenever their right to privacy is infringed.
102.Owing to the likely impact of the amendments to section 9 of the Registration of Persons Act and the exercise of collection and processing of personal data on the individual’s right to privacy, it would have been prudent, if not for anything else, for good order, for the state to ensure that the legal framework for protection of the right to privacy was in place before taking action likely to infringe the individual’s right under article 31.
103.To be precise, considering the object and purpose of the Data Protection Act, and more importantly, considering that the Act is intended to give effect to article 31 (c) and (d) of the Constitution, it would have stood to reason to have this Act in place before the purported amendment to section 9 of the Registration of Persons Act and before the collection and processing of personal data.
104.But since the state chose to put the cart before the horse, so to speak, it has to live with the reality there now exists legislation against which its actions must be weighed irrespective of when they were taken as long as those actions touch on the individual’s right under article 31 of the Constitution. To put it straight, there is no other scale upon which to weigh the actions of the state to collect and process personal data except that provided by the Data Protection Act, at least to the extent that it is an Act meant to put into effect the constitutional right to privacy under article 31 of the Constitution.
105.There was the argument there is a presumption against retrospective legislation in that it ousts vested rights and imposes new obligations and duties; to quote the learned counsel for the interested party:
106.To this argument I would reiterate that there was always the duty on the part of the state to ensure that Bill of Rights under Chapter IV of the Constitution, including the right to privacy under article 31 of the Act is respected and protected. Section 31 of the Act does not impose any more obligation or duty on the state than that which the state or the respondents, for that matter, have hitherto had to bear.
107.If anything, it is the individual’s constitutional rights and which, for all intents and purposes, are vested rights, that were under threat by the excesses of the state in collecting and processing data without prior legal framework to ensure that even as the state embraces a new system of identification, the right to privacy is protected. This is the more reason why section 31 of the Data Protection Act appeals to me to be retrospective in its application. It is more of a bulwark against the excesses of the state than a tool imposing new obligations or duties on the state.
108.In this regard, I would adopt the words of Lord Mustill in L’Office Chefrien v Yamashita-Shinnihon Steamship Co Ltd (1994) 1 AC 486 at page525F- where he noted:
109.Staughton LJ was of similar view in Secretary of State for Social Security v Tunnicliffe  2 All ER 712, 724f –g where he noted:
110.The question would be, where does fairness lie in terms of protection of the individual right to privacy? Is it in retrospective application of section 31 of the Data Protection Act or in the rule against such application? I would stand with the individual or the citizen against the might of the state and hold that fairness is in interpreting section 31 as being retrospective in its application.
111.Aside from my interpretation of the law on why section 31 of the Data Protection Act must be taken to have retrospective effect, there is the judgment of this honourable court in the Nubian Rights Forum Case and here, I need not say anything more than reproduce what the court said on the extent of the application of the Data Protection Act; at paragraph 852 of its judgment which the learned counsel for the applicant referred me to, the court noted as follows:
112.It was never suggested that this judgment has been overturned or challenged. The finding that the collection and processing of personal data in March 2019 is subject to the Data Protection Act still stands and here, I would agree with counsel for the applicants that the interested party and the respondents are estopped from denying that they are bound by that judgment, being judgment in rem.
113.In the final analysis I am satisfied that the 1st applicant has made out a case against the respondents for the judicial review orders of certiorari and mandamus mainly on the ground of illegality. This ground of judicial review was explained by Lord Diplock in Council of Civil Service Unions versus Minister for the Civil Service  AC 374,410 where he stated as follows:
114.The respondents, in my humble, have not appreciated the import and the extent of the application of the Data Protection Act, with respect to collection and processing of data collected under the National Integrated Identity Management System. If they did, they would have given effect to section 31 of the Data Protection Act and conducted a data impact assessment before processing personal data and rolling out the Huduma Cards.
115.Talking of the National Integrated Identity Management System, it is grounded, as earlier noted in section 9A of the Registration of Persons Act which in turn came about as a result of Miscellaneous Amendments Act, No 18 of 2018.
116.It is as a result of the amendment that the 1st two respondents embarked on a nationwide collection of personal data; in other words, section 9A, the newly introduced provision of the law in the Registration of Persons Act was the legal basis of the nationwide exercise to collect data.
117.Lest we forget, Miscellaneous Amendments Act, No 18 of 2018 was nullified in by a three judge bench of this honourable court in Petition No 284 of 2020, Speaker of the Senate & 5 Others v The Speaker of the National Assembly & another, amongst other laws that were purportedly enacted by the National Assembly without involving the Senate contrary to the Constitution. The bench, which I was privileged to preside over, held inter alia as follows:
118.I am aware that the respondents filed an appeal against this decision but I am not so certain about the current status of the appeal. Assuming the appeal is pending for determination, could the respondents proceed and act on the Statute Law (Miscellaneous Amendments) Act, No 18 of 2018 as if it is valid? Again, assuming the decision of this honourable court in Petition No 284 of 2020, Speaker of the Senate v The Speaker of the National Assembly & another is upheld by the Court of Appeal, what would be the effect of sustaining the decision on any action taken on the basis of the Statute Law (Miscellaneous Amendments) Act, No 18 of 2018 including the amendment to the Registration of Persons Act and entire exercise of collection and processing of data? These questions are certainly not before court but I only ask them because the applicants made reference to the decision in Petition No 284 of 2020 in their submissions. I shudder to think all these efforts including the efforts put in these proceedings, could be rendered of no legal consequence in the future.
119.Regardless of what the future portends for the appeal against this honourable court’s decision in Petition No 284 of 2020, the 1st applicant in the motion dated 24 November 2020 merits the orders of certiorari and mandamus. To be precise, and for the avoidance of doubt, I hereby order as follows:
120.It has been a while since the rollout or the launch of the Huduma Card and it is not clear whether it is still on or has been concluded; it would be speculative to allow prayer (a) for the Order of Prohibition in these circumstances. In any event, having granted prayers (b) and (c) prayer (a) is as good as moot.
121.Owing to the fact that this suit of substantial public interest, I will not make any order on costs. It is so ordered.
Signed, dated and delivered on 14 October 2021Ngaah JairusJUDGE