The Aadhaar Act affords unique identity to individuals to ensure that such government subsidies, benefits and services reach only the intended beneficiaries and thus upholds the concept of limited government, good governance and constitutional trust
August 16, 2019
K S Puttaswamy (Retd.) & another v Union of India & others
Writ Petition (Civil) No. 494 of 2012
Supreme Court of India
D Misra, CJI; A Bhushan, A Khanwilkar, A Sikri, SJJ
September 26, 2018
Reported by Faith Wanjiku
Constitutional Law - fundamental rights and freedoms - right to privacy and education - authentication of Aadhaar number and proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services - children not under legal capacity to provide any consent under the law and if they could be brought within the sweep of sections 7 and 8 of the Aadhaar Act for the purposes of utilising any of the benefits thereunder - whether the Aadhaar Act violated right to privacy and education in the context of sections 7 on authentication of Aadhaar number and 8 on proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services and was thus unconstitutional - Constitution of India, 1949, articles 21, 21A; Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, sections 7 and 8; European Convention on Human Rights, article 8
Constitutional Law - information privacy - data - protection, collection and storage - whether the Aadhaar project created or had tendency to create a surveillance state and was thus unconstitutional in that the Aadhaar Act and its Rules did not provide protection, in respect of data minimisation, purpose limitation, time period for data retention and data protection and security
Statutes - interpretation of various statutory provisions of the Aadhaar Act and its Regulations - whether those various provisions defied the concept of limited government, good governance and constitutional trust and thus suffered from the vice of unconstitutionality - Constitution of India, 1949; Aadhaar Act and its Regulations - sections 2(c) and 2(d), 32, 2(h), 10 of CIDR, 2(l) read with regulation 23, 2(v), 3, 5, 6, 8, 9, 11 to 23, 54, 23(2)(g) read with Chapter VI & VII - regulations 27 to 32; 29, 33, 47, 48, 57, 59
The petition was based on Aadhaar, a word associated with the card that was issued to a person and by which he/she could be identified. It was described as a ‘Unique Identity’, and the authority which enrolled a person and at whose behest the Aadhaar Card was issued was known as the Unique Identification Authority of India (UIDAI or Authority). UIDAI claimed that it was not only a foolproof method of identifying a person but also an instrument whereby a person could enter into any transaction without needing any other document in support. The scheme was conceptualised in the year 2006 and launched in the year 2009 with the creation of UIDAI.
The petitioners claimed that Aadhaar was a serious invasion into the right to privacy of persons protected under article 21 of the Constitution of India and that it had the tendency to lead to a surveillance state where each individual could be kept under surveillance by creating his/her life profile and movement as well on his/her use of Aadhaar. They were demanding scrapping and demolition of the entire Aadhaar structure which, according to them, was anathema to the democratic principles and rule of law, which was the bedrock of the Indian Constitution. The petitioners further challenged its shield of statutory cover, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the Aadhaar Act) as being constitutionally impermissible.
i Whether the Aadhaar project created or had tendency to create a surveillance state and was thus unconstitutional in that the Aadhaar Act and its Rules did not provide protection, in respect of data minimisation, purpose limitation, time period for data retention and data protection and security.
ii Whether the Aadhaar Act violated right to privacy in the context of sections 7 on authentication of Aadhaar number and 8 on proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services and was thus unconstitutional.
iii Whether children who were not under legal capacity to provide any consent under the law could be brought within the sweep of sections 7 and 8 of the Aadhaar Act for the purposes of utilising any of the benefits thereunder.
iv Whether the following provisions of the Aadhaar Act and Regulations defied the concept of limited government, good governance and constitutional trust and thus suffered from the vice of unconstitutionality:
Sections 2(c) and 2(d) read with section 32; section 2(h) read with section 10 of CIDR; section 2(l) read with regulation 23; section 2(v); section 3; section 5; section 6; section 8; section 9; sections 11 to 23; sections 23 and 54; section 23(2)(g) read with Chapter VI & VII - regulations 27 to 32; section 29; section 33; section 47; section 48; section 57; section 59
Relevant Provisions of the Law
The Constitution of India, 1949
Article 21- Protection of life and personal liberty.-
No person shall be deprived of his life or personal liberty except according to procedure established by law.
Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016
Section 7- Proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services, etc.—
The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment:
Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.
Section 8- Authentication of Aadhaar number—
(1) The Authority shall perform authentication of the Aadhaar number of an Aadhaar number holder submitted by any requesting entity, in relation to his biometric information or demographic information, subject to such conditions and on payment of such fees and in such manner as may be specified by regulations.
(2) A requesting entity shall—
(a) unless otherwise provided in this Act, obtain the consent of an individual before collecting his identity information for the purposes of authentication in such manner as may be specified by regulations; and
(b) ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication.
(3) A requesting entity shall inform, in such manner as may be specified by regulations, the individual submitting his identity information for authentication, the following details with respect to authentication, namely—
(a) the nature of information that may be shared upon authentication;
(b) the uses to which the information received during authentication may be put by the requesting entity; and
(c) alternatives to submission of identity information to the requesting entity.
(4) The Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information.
Held
1. The enrolment and authentication processes were strongly regulated so that data was secure. The enrolment agency, which collected the biometric and demographic information of the individuals during enrolment, was appointed either by UIDAI or by a registrar. The registrars were appointed through MoUs or agreements for enrolment and were to abide by a code of conduct and processes, policies and guidelines issued by the Authority. They were responsible for the process of enrolment. Categories of persons eligible for appointment were limited by the regulations. The agency employed a certified supervisor, an operator and a verifier under Enrolment and Update Regulations. Registrars and the enrolling agencies were obliged to use the software provided or authorized by UIDAI for enrolment purpose.
2. The standard software had security features as specified by the Authority. All equipment used was as per the specification issued by the Authority. The registrars were prohibited from using the information collected for any purpose other than uploading the information to Central Identities Data Repository (CIDR). Sub-contracting of the enrolment function was not allowed. The Code of Conduct contained specific directions for following the confidentiality, privacy and security protocols and submission of periodic reports of enrolment. Not only were there directions prohibiting manipulation and fraudulent practices but the Act contained penal provisions for such violations in Chapter VII of the Regulations. The enrolment agencies were empanelled by the Authority. They were given an enrolling agency code using which the registrar could onboard such agency to the CIDR. The enrolment data was uploaded to the CIDR certified equipment and software with a digital signature of the Registrar/enrolling agency. The data was encrypted immediately upon capture. The decryption key was with the UIDAI solely.
3. Requesting entities were appointed through agreement. Whatever identity information was obtained by the requesting entity was based on a specific consent of the Aadhaar number holder. Such data could not be shared and had to be stored in encrypted form. The biometric information used was not permitted to be stored. Only the logs of authentication transactions were maintained for a short period. Full identity information was never transmitted back to the requesting entity. Anyone trying to unlawfully gain access into the system was liable to be punished with 10 years’ imprisonment and fine. The storage involved end to end encryption, logical partitioning, firewalling and anonymisation of decrypted biometric data. Breaches of penalty were made punitive by Chapter VII of the Act.
4. Biometric information was deemed to be an electronic record, and sensitive personal data or information under the IT Act. Demographic information, both mandatory and optional, and photographs did not raise a reasonable expectation of privacy under article 21 of the Constitution of India (the Constitution) unless under special circumstances such as juveniles in conflict with the law or a rape victim’s identity. Today, all global ID cards contained photographs for identification along with address, date of birth, gender etc. The demographic information was readily provided by individuals globally for disclosing identity while relating with others and while seeking benefits whether provided by government or by private entities, be it registration for citizenship, elections, passports, marriage or enrolment in educational institutions. Email ids and phone numbers were also available in the public domain, for example in telephone directories. The Aadhaar Act only used demographic information which was not sensitive and where no reasonable expectation of privacy existed – name, date of birth, address, gender, mobile number and e-mail address. Section 2(k) specifically provided that in the Regulations, demographic information could not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history. Thus, sensitive information specifically stood excluded.
5. Regulation 27 of the Authentication Regulations required the UIDAI to retain the authentication transaction data (which included the metadata) for a period of 6 months and to archive the same for a period of 5 years thereafter. Regulations 18(3) and 20(3) allowed requesting entities (RE) and Authentication Service Agencies to retain the authentication logs for a period of 2 years and then archive them for 5 years. It was required to be deleted only after 7 years unless retained by a court. The right of the citizen to erasure of data or right to be forgotten was severely affected by such regulation. There was no provision to delete the biometric information in any eventuality once a person was enrolled. There was no reason for archiving the authentication transaction data for a period of five years. Retention of that data for a period of six months was more than sufficient after which it needed to be deleted except when such authentication transaction data were required to be maintained by a Court or in connection with any pending dispute. Regulations 26 and 27 would, therefore, be amended accordingly.
6. Section 7 of the Aadhaar Act was aimed at offering subsidies, benefits or services to the marginalised section of the society for whom such welfare schemes had been formulated from time to time. That also became an aspect of social justice, which was the obligation of the State stipulated in Part IV of the Constitution. The rationale behind section 7 lay in ensuring targeted delivery of services, benefits and subsidies which were funded from the Consolidated Fund of India.
7. The State had come forward in recognising the rights of deprived section of the society to receive such benefits on the premise that it was their fundamental right to claim such benefits. It was acknowledged by the respondents that there was a paradigm shift in addressing the problem of security and eradicating extreme poverty and hunger. The shift was from the welfare approach to a rights based approach. As a consequence, right of everyone to adequate food no more remained based on Directive Principles of State Policy, though the said principles remained a source of inspiration. That entitlement had turned into a Constitutional fundamental right. The Constitutional obligation was reinforced by obligations under International Conventions. The Universal Declaration of Human Rights (Preamble, articles 22 & 23) and International Covenant on Economic, Social and Cultural Rights to which India was a signatory, also cast responsibilities on all State parties to recognize the right of everyone to adequate food.
8. By no stretch of imagination, therefore, could it be said that there was no defined State aim in legislating Aadhaar Act. The petitioners did not seriously question the purpose bona fides of the legislature in enacting that law. In a welfare State, where measures were taken to ameliorate the sufferings of the downtrodden, the aim of the Act was to ensure that those benefits actually reached the populace for whom they were meant. That was naturally a legitimate State aim. It was the instant Court which had been repeatedly insisting that benefits reach the most deserving and should not get frittered mid-way. That purpose of Aadhaar Act, as captured in the Statement of Objects and Reasons and sought to be implemented by section 7 of the Aadhaar Act, was to achieve the stated objectives. The Court was convinced by its conscience that the Act was aimed at a proper purpose, which was of sufficient importance.
9. Section 7, which provided for necessity of authentication for receipt of certain subsidies, benefits and services, had a definite purpose and that authentication was to achieve the objectives for which the Aadhaar Act was enacted, namely, to ensure that such subsidies, benefits and services reached only the intended beneficiaries. Rampant corruption was seen at various levels in the implementation of benevolent and welfare schemes meant for different classes of persons. It had resulted in depriving the actual beneficiaries of those subsidies, benefits and services, which got frittered away though, on paper, it was shown that they were received by the persons for whom they were meant. By providing that the benefits for various welfare schemes would be given to those who possessed an Aadhaar number and after undergoing the authentication as provided in section 8 of the Aadhaar Act, the purpose was to ensure that only rightful persons received those benefits.
10. The legitimate expectation of privacy could vary from the intimate zone to the private zone and from the private to the public arenas. However, the privacy was not lost or surrendered merely because the individual was in a public space. One of the chief concerns was that while the web was a source of lawful activity both personal and commercial, concerns of national security intervened since the seamless structure of the web could be exploited by terrorists to wreak havoc and destruction on civilized societies. Privacy was the terrorist’s best friend. That formulation indicated that the State had legitimate interest when it monitored the web to secure the nation. Apart from national security, the State could have justifiable reasons for the collection and storage of data as where it embarked upon programs to provide benefits to impoverished and marginalized sections of society and for ensuring that scarce public resources were not dissipated and diverted to non-eligible recipients. Digital platforms were a vital tool of ensuring good governance in a social welfare State and technology was a powerful enabler.
11. Private life was a broad term covering physical and psychological integrity of a person. Storing of data relating to private life of an individual interfered with article 8 of the European Convention on Human Rights (ECHR). Article 8 of the ECHR, however protean, should not be so construed widely that its claims became unreal and unreasonable. Firstly, the threat to individuals’ personal autonomy had to attain a certain level of seriousness. Secondly, the claimant had to enjoy on the facts a reasonable expectation of privacy. Thirdly, the breadth of article 8(1) could in many instances be greatly curtailed by scope of justifications available to the State.
12. Needless to emphasise that when a law limited a constitutional right which many laws did, such limitation was constitutional if it was proportional. The law imposing restriction was proportional if it was meant to achieve a proper purpose, and if the measures taken to achieve such a purpose were rationally connected to the purpose and such measures were necessary. Such limitations should not be arbitrary or of an excessive nature beyond what was required in the interest of the public. Reasonableness was judged with reference to the objective which the legislation sought to achieve, and could not be in excess of that objective. Further, the reasonableness was examined in an objective manner from the standpoint of the interest of the general public and not from the point of view of the person upon whom the restrictions were imposed or abstract considerations.
13. The Aadhaar Act had struck a fair balance between the right of privacy of the individual with right to life of the same individual as a beneficiary. In the face of the all-pervading prescript for accomplished socio-economic rights, that needed to be given to the deprived and marginalised section of the society, as the constitutional imperative embodied in those provisions of the Act, it was entitled to receive judicial imprimatur.
14. The Act passed the muster of necessity stage as well when there could not be found any less restrictive measure which could be equally effective in achieving the aim. In a situation like that where the Act was aimed at achieving the aforesaid public purpose, striving to benefit millions of deserving people, it could not be invalidated only on the ground that there was a possibility of exclusion of some of the seekers of those welfare schemes. By no means, was the court accepting that if such an exclusion took place, it was justified. The court was only highlighting the fact that the Government seemed to be sincere in its efforts to ensure that no such exclusion took place and in those cases where an individual who was rightfully entitled to benefits under the scheme was not denied such a benefit merely because of failure of authentication. In that scenario, the entire Aadhaar project could not be shelved. If that was done, it would cause much more harm to the society.
15. The Government could not take umbrage under the section 7 to enlarge the scope of subsidies, services and benefits. Benefits should be such which were in the nature of welfare schemes for which resources were to be drawn from the Consolidated Fund of India. The expression benefit had to be read ejusdem generis with the preceding word subsidies. A benefit which was earned by an individual (e.g. pension by a government employee) could not be covered under section 7 of the Act, as it was the right of the individual to receive such benefit. The instant court hoped that the respondents would not unduly expand the scope of subsidies, services and benefits thereby widening the net of Aadhaar, where it was not permitted otherwise. Benefits and services as mentioned in section 7 should be those which had the colour of some kind of subsidies etc., namely, welfare schemes of the Government whereby Government was doling out such benefits which were targeted at a particular deprived class. The expenditure thereof had to be drawn from the Consolidated Fund of India.
16. Article 21A of the Constitution guaranteed right to education and made it a fundamental right of the children between 6 years and 14 years of age. Such a right could not be taken away by imposing requirement of holding Aadhaar card, upon the children. Admission of a child in his school could not be covered under section 7 of the Aadhaar Act as it was neither subsidy nor service. No doubt, the expression benefit occurring in section 7 was very wide. At the same time, it had to be given restrictive meaning and the admission of children in the schools, when they had fundamental right to education, would not be covered by section 7.
17. For the enrolment of children under the Aadhaar Act, it would be essential to have the consent of their parents/guardian. On attaining the age of majority, such children who were enrolled under Aadhaar with the consent of their parents, would be given the right to exit from Aadhaar, if they so chose. For availing the benefits of other welfare schemes which were covered by section 7 of the Aadhaar Act, though enrolment number could be insisted, it would be subject to the consent of the parents, as mentioned above. No child would be denied benefit of any of those schemes if, for some reasons, she was not able to produce the Aadhaar number and the benefit would be given by verifying the identity on the basis of any other documents.
18. Under section 2(d), which pertained to authentication records, such records would not include metadata as mentioned in regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016. Therefore, the provision in the present form was struck down. Liberty, however, was given to reframe the regulation, keeping in view the parameters stated by the Court.
19. Insofar as section 2(b) was concerned, which defined resident, the apprehension expressed by the petitioners was that it should not lead to giving Aadhaar card to illegal immigrants. The court directed the respondent to take suitable measures to ensure that illegal immigrants were not able to take such benefits.
20. Section 29 imposed a restriction on sharing information and was, therefore, valid as it protected the interests of Aadhaar number holders. However, the apprehension of the petitioners was that the provision entitled the Government to share the information for such purposes as could be specified by regulations. The Aadhaar (Sharing of Information) Regulations, 2016 did not contain any such provision. If a provision was made in the regulations which impinged upon the privacy rights of the Aadhaar card holders, that could always be challenged.
21. Section 33(1) of the Aadhaar Act prohibited disclosure of information, including identity information or authentication records, except when it was by an order of a court not inferior to that of a District Judge. The provision was to be read down with the clarification that an individual, whose information was sought to be released, would be afforded an opportunity of hearing. If such an order was passed, in that eventuality, he would also have right to challenge such an order passed by approaching the higher court. During the hearing before the concerned court, the said individual could always object to the disclosure of information on accepted grounds in law, including article 20(3) of the Constitution or the privacy rights etc.
22. Section 33(2) of the Aadhaar Act on disclosure of information in the interest of national security could not be faulted. However, for determination of such an eventuality, an officer higher than the rank of a Joint Secretary should be given such a power. Further, in order to avoid any possible misuse, a judicial officer (preferably a sitting High Court judge) should also be associated with the determination. Such provisions of application of judicial mind for arriving at the conclusion that disclosure of information was in the interest of national security were prevalent in some jurisdictions. Section 33(2) of the Aadhaar Act in the present form was struck down with liberty to enact a suitable provision on the lines suggested above.
23. Insofar as section 47 of the Aadhaar Act, which provided for the cognizance of offence only on a complaint made by the Authority or any officer or person authorised by it, was concerned, it needed a suitable amendment to include the provision for filing of such a complaint by an individual/victim as well whose right was violated.
24. Section 57 was susceptible to misuse in as much as:
a. It could be used for establishing the identity of an individual for any purpose. Such a purpose had to be backed by law. Further, whenever any such law was made, it would be subject to judicial scrutiny.
b. Such purpose was not limited pursuant to any law alone but could be done pursuant to any contract to that effect as well. That was clearly impermissible as a contractual provision was not backed by a law and, therefore, first requirement of proportionality test was not met.
c. Apart from authorising the State, even any body corporate or person was authorised to avail authentication services which could be on the basis of purported agreement between an individual and such body corporate or person. Even if the court presumed that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and demographic information by the private entities. Thus, that part of the provision which enabled body corporates and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. That part of the section, thus, was declared unconstitutional.
25. Other provisions of Aadhaar Act were held to be valid, including section 59 of the Act which saved the pre-enactment period of Aadhaar project, i.e. from 2009-2016.
26. The instant matter was examined keeping in mind the fundamental principles of constitutionalism, including basic freedoms (private autonomy) and the right of political participation (public autonomy), and more particularly the principle that the concept of limited government was applicable having regard to the fact that the three limbs of the State were to act within the framework of a written Constitution which assigned specific powers to each wing of the State. That presupposed that the sovereign power of the Parliament was circumscribed by the provisions of the Constitution and the legislature was supposed to act within the boundaries delineated by the Constitution. Constitutionalism, which was the bedrock of rule of law, was to be necessarily adhered to by the Parliament. Further, the power of judicial review which was accorded to the courts could be exercised to strike down any legislation or executive action if it was unconstitutional.
27. It was difficult to agree with the sweeping proposition advanced by the petitioners that the Aadhaar project was destructive of limited government and constitutional trust. Those submissions were premised on the architecture of the Aadhaar being constitutionally intrusive which threatened the autonomy of individuals and had a tendency of creating a surveillance state. In support, the petitioners referred to certain provisions of the Aadhaar Act. Some provisions which were found offending were struck down, some others had been read down and some were tweaked. The statutory regime that would now govern the citizenry warded off such a danger, if any.
Petition partly allowed.
i The requirement under Aadhaar Act to give one’s demographic and biometric information did not violate fundamental right of privacy.
ii Collection of data, its storage and use did not violate fundamental right of privacy.
iii Aadhaar Act did not create an architecture for pervasive surveillance.
iv Aadhaar Act and Regulations provided protection and safety of the data received from individuals.
v The court directed the respondent to take suitable measures to ensure that illegal immigrants were not able to take such benefits under section 2(b) which defined resident.
vi Regulation 26(c) of the Aadhaar (Authentication) Regulations, 2016 which would include metadata in authentication records was struck down.
vii Section 7 of the Aadhaar Act was constitutional. The provision did not deserve to be struck down on account of denial in some cases of right to claim on account of failure of authentication.
viii The State, while enlivening right to food, right to shelter etc. envisaged under article 21, could not encroach upon the right of privacy of beneficiaries, nor could the former be given precedence over the latter.
ix Provisions of section 29 were constitutional and did not deserve to be struck down.
x Section 33 could not be said to be unconstitutional as it provided for the use of the Aadhaar database for police investigation, nor could it be said to violate protection granted under article 20(3) of the Constitution.
xi Section 47 of the Aadhaar Act could not be held to be unconstitutional on the ground that it did not allow an individual who found that there was a violation of Aadhaar Act to initiate any criminal process.
xii Section 57, to the extent that it permitted use of Aadhaar by the State or any body corporate or person pursuant to any contract to that effect, was unconstitutional and void. Thus, the last phrase in the main provision of section 57, i.e. "or any contract to that effect", was struck down.
Relevance to the Kenyan Situation
The right to privacy is heavily guarded under article 31 of the Constitution of Kenya, 2010 in that every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed.
The Access to Information Act No. 31 of 2016 provides in section 6(1) that the right of access to information under article 35 of the Constitution shall be limited in respect of information whose disclosure is likely to involve the unwarranted invasion of the privacy of an individual, other than the applicant or the person on whose behalf an application has, with proper authority, been made.
The Data Protection Bill No. 44 of 2019, if passed by Parliament, will play a big role in giving effect to article 31(c) and (d) of the Constitution; establishing the office of the Data Protection Commissioner; making provision for the regulation of the processing of personal data; and providing for the rights of data subjects and obligations of data controllers and processors. It will contain provisions such as registration of data controllers and data processors in part III, principles and obligations of personal data protection in part IV and grounds for processing of sensitive personal data in part V.
In Kenya, a few months ago, citizens underwent registration of the Huduma Namba through the use of both demographic and biometric information. The purposes of the Huduma Namba as the Government of Kenya put them are:
a. Coordinated registration of persons which will avoid different institutions capturing different data parameters of the same individual with unnecessary duplication amounting to inefficiency in utilization of public resources.
b. Registration of persons which is not paper-based thus inexpensive and time effective.
c. There is also a lack of a single identity document for persons, accompanied by limited public access to national identification data.
In addition, the Government has stated that its move to establish a National Master Database through Huduma Namba addresses the constitutional requirement on access to public information and fulfils the Big 4 Agenda, which comprises Food Security, Affordable Housing, Manufacturing and Affordable Healthcare.
In Nubian Rights Forum & 2 others v Attorney-General & 6 others; Child Welfare Society & 8 others (Interested Parties); Centre For Intellectual Property & Information Technology (Proposed Amicus Curiae) eKLR, the petitioners filed the petition based on amendments to the Registration of Persons Act that established a National Integrated Information Management System (NIIMS), intended to be a single repository of personal information of all Kenyans as well as foreigners resident in Kenya, and that introduced new definitions of biometric and global positioning systems coordinates, among others. They sought to suspend the amendments, arguing, among others, that the impugned amendments were unconstitutional because the correct procedure for amendment was not followed; that there was no public participation; and that the amendments threatened violations of their rights and those of the public, especially as regards the right to privacy, in light of the nature of personal information that would be collected in the NIIMS and the lack of any security in the manner of storage of and access to the collected data.
The Court held that at least one of the laws cited by the respondents as providing protection for data, the Computer Misuse and Cyber Crimes Act, 2018, had been suspended. As matters stood, there was no, or no specific, legislation that provided for the collection, storage, protection and use of data collected by or held by government or other entities. It went on to state that it was in the public interest to have an efficient and organised system of registration of persons, and the responsible use of resources in the process, in light of the socio-economic gains of the system that had been illustrated by the respondents. There was, however, also a public interest in ensuring that the said system did not infringe on fundamental rights and freedoms.
The Court partly allowed the petition and held that the respondents were at liberty to proceed with the collection of personal information and data under the National Integrated Information Management System (NIIMS) pursuant to the operational provisions of the Registration of Persons Act. However, pending the hearing and determination of the consolidated petitions, the respondents were not to:
a. Compel any member of the public to participate in the collection of personal information and data in NIIMS.
b. Set any time restrictions or deadlines as regards the collection of the said personal information and data in NIIMS.
c. Set the collection of personal information and data in NIIMS as a condition precedent for the provision of any government or public services, or access to any government or public facilities.
d. Share or disseminate any of the personal information or data collected in NIIMS with any other national or international government or non-governmental agencies or any person.
However, the Government has gone ahead to make registration for the Huduma Namba mandatory, has given deadlines for registration and, in addition, has indicated that one would not access any government or public services without it. Further to that, there will be an enactment of the Huduma Act to guide the use of the Huduma Namba. The Supreme Court of India judgment will thus be a crucial guiding precedent should there be a challenge in courts over the said incoming Act.