By gatuyu, j.t
The High Court has issued an injunction against the issuance of the Huduma cards, on the reasoning that such an exercise is in conflict with the Data Protection Act and that the Ministry ought to have conducted an impact assessment before issuing the Huduma Cards. The Judge ordered that the assessment be conducted before the rollout.
The judgement stands as a miss, in terms of appreciating the legislative process, the policy on identity system and the substance of data protection, and leaves a lot to be desired. This essay highlights these misses.
1. Retrospectivity of statutes
The court held that the Data Protection Act applies retrospectively. However, there was no clarity whether, in doing so, the retroactive date would be the date of the judgement in the Nubian case on Huduma Namba or the effective date of the Constitution, 2010. Whichever the case, this is a very sad conclusion. Seemingly, the judge created the impression that the Data Protection Act was enacted only to police the personal data handling process for the Huduma Namba.
Yet, this is a statute that applies to both the public and private sectors and does not in principle distinguish between the data controllers or data processors in the public or private sectors. As such, any obligation imposed by a judicial principle cuts across, if the law is to be applied uniformly. If the Act is to be applied retrospectively, how would this be reconciled with business models in the private sector, where business decisions were made in the past on account of there being no such law?
If one data controller, the Ministry of Interior, should comply for previous acts, shouldn’t that be so for every other data controller and data processor? And where there were past grievances, is the Data Commissioner now required to embark on discerning historical privacy injustices? Will private entities, for instance telcos, or other government agencies processing personal data on a large scale, also halt their operations to remedy past instances of perceived non-compliance? Or has it now become a guided missile for the Ministry of Interior's Huduma Namba project?
There is wisdom behind the established presumption that statutes should not have retrospective effect except in mere matters of legal procedure or in exceptional circumstances. This is to ensure legal certainty, which informs the taking of positions as well as the restructuring of behavior. It is correct that a constitutional right should not be denied in the absence of a law. However, this summation is more intricate in handling the ordinary legislative process. This is because most of the constitutional provisions are not self-executing, which is why Parliament has to make a law to implement them.
2. The maturation of a legislation
The provisions of the Constitution are given effect majorly through statutes. Where the Constitution enshrines the right to privacy, a legislature has to unpack and contextualize this guarantee by enacting legislation. Further, an Act of Parliament has to undergo the motions of implementation, including establishing any requisite institution necessary to oversee the legislation, the allocation of resources, mainly through the budgetary process under public finances, to actualize legislative imperatives and lastly, where the legislature has delegated the formulation of statutory instruments, the making of such instruments, which are majorly in the form of regulations.
It is at the end of this process that a constitutional provision could be said to have been offered a full breath of life, and the legal regime in that area is certain and enforceable. In the case of the right to privacy, a constitutional imperative, the National Assembly determined the protection of personal data as the main ingredient to further this right and subsequently enacted the Data Protection Act. But if Parliament so wishes, numerous statutory enactments could still be made to give effect to other features of privacy, such as making bespoke law to limit physical surveillance, unwarranted searches, wiretaps, among others.
However, after enacting the Data Protection Act, Parliament delegated to the Cabinet Secretary the mandate of unpacking certain provisions, including issues such as the conducting of a data protection impact assessment. This is because the legislature has neither the time nor the expertise to handle the administrative nitty-gritty, hence the delegation.
It is at this juncture in the legislative process that practical guidance is offered, by delving into what the legislative provision practically means, how to conduct it, which forms to fill, if any, and the interaction with the assigned regulator. Parliament, once again, must review the statutory instrument so made and accede to it or annul it, if dissatisfied.
Lastly, after the formal law has been made, the assigned implementer of that statute, in this instance the Office of the Data Protection Commissioner, has administrative discretion on how to efficiently implement the statute. This would include creating public awareness, establishing administrative mechanisms for the lodging and resolution of complaints, as well as spearheading the creation of functional technical expertise in the industry.
These aspects usually take time, in view of imposed legal and constitutional deliverables such as public participation on every aspect, as well as ensuring statutory instruments are appropriately made. That is why implementation of a statute is a continuous and organic process.
On this account, applying a law retrospectively is hugely inapposite. This is on account that certain positions have been arrived at out of hard bargaining among the stakeholders and are consensus positions which may not be optimal for everyone. Adjustments are made to suit the legal positions as at then. However, were laws to be caused to apply retrospectively, as the judge held, the law-making process would be a nightmare, as stakeholders would only push the documentation of legal scenarios that suit their present circumstances, lest a retroactive legislation comes to haunt them.
That is why, in technical legislative drafting practice, only matters of mere procedure or form, or substance that offers an advantage to an individual, are offered retrospective application. In the same vein, the High Court determined a substantive tax statute that allowed the Finance Acts to be offered a retroactive date to be unconstitutional, which is a sober determination. An order that the Data Protection Act be applied retrospectively is a very unfortunate determination.
3. Overrating the Data Impact Assessment
The main grievance underlying the suit was that a data protection impact assessment (DPIA) ought to have been a condition precedent to issuing the Huduma cards. On this, the petitioners and the court broadly overrated the import of a DPIA in the privacy regime. A DPIA is one of the main tools to ensure the safeguarding of the rights of a data subject when the processing activity is likely to involve “a high risk” to other people’s personal information.
The actual criteria of what amounts to a high risk is a regulatory aspect requiring unbundling through subsidiary legislation. A parallel could be drawn to the environmental impact assessment that evaluates the likely environmental impacts of a proposed project or development. A DPIA therefore facilitates the managing of the risks to the rights and freedoms of a data subject resulting from the processing activity, where a prospective data controller demonstrates how data protection principles would be implemented.
Ordinarily, a DPIA is required to be conducted before the processing of personal data. Processing constitutes a series of activities in handling personal data, from collection, storage and use to transfer and disclosure. Requiring the DPIA to be conducted after personal data has been collected is analogous to imposing an environmental impact assessment on a road project after earth excavations.
That said, the courts and the petitioners apotheosized the requirement for a DPIA as if it is the boss of other obligations of the data controllers or data processors. There are other requirements imposed on data controllers or data processors, including implementing privacy by design or by default, obligations to report data breaches including communicating any such breaches to concerned data subjects, the requirement to register with the Data Commissioner either as a data controller or data processor, conditions relating to the transfer of personal data out of the country, among others.
It is noticeable that these stipulations hold more promise of upholding data protection principles because they behoove actual compliance, unlike the impact statement, which is majorly a self-assessment tool and substantially abstract. The enforcement of the DPIA is mainly through compliance and audit in the regulatory enforcement by the Data Commissioner.
The dilemma arises: if the court injuncts a monumental government project on account of one of the obligations, will it keep on hearing suits and injuncting data controllers or data processors on non-compliance with other high-ranking obligations, such as registering with the Data Commissioner, implementing privacy by design or by default, among others? Has it evolved that these statutory obligations would have to be implemented through judicial review remedies where a public entity is involved?
4. High Court, the new Lord!
This seems to be a judicial coup on the statutory functions of administrative agencies. What is the ripple effect? A person aggrieved by any person’s failure, for instance, to conduct an environmental impact assessment, need not launch a complaint to NEMA but may characterize that grievance as judicial review. The same would cut across the mandates of other agencies. It is not clear whether, after supplanting administrative agencies, the court would be offering other statutory remedies including administrative fines.
But the recent literature enlightens on what happens where courts move from umpires to implementers. This has been more visible with the Kenyan and South African courts' experiment with structural interdicts, this being the judicial enforcement of economic and social rights. This experiment has witnessed no observable success, for majorly it goes against separation of powers concerns, and courts do not have the skills necessary to evaluate or alter policy choices or to influence resource allocations. A court meddling with the nuanced intricacies of the administrative state is always bound to fail.
5. The Huduma Namba
The Huduma Namba, which the petitioners and the court seem to detest, is in furtherance of a policy to shift the country’s identity model from the current federated identity system to a foundational identity system, which assures that core personal data under one database is the backbone of the identity regime and provides linkages to the ecosystem of civil registration. It is not clear why courts have expressed animus to this model, yet the government, and the same ministry, has been undertaking civil registration, which involves processing copious amounts of personal data, for over a century.
For births and adoptions continue to be registered. A register of marriages is running. The registration of citizens, aliens and refugees is unabated. Death registration rolls on. Subsequently, required credentials including identity cards, passports, certificates and other tokens continue to be issued.
In the same vein, functional databases continue to operate, relying on the civil registration credentials. The IEBC is enrolling voters. KRA is registering taxpayers. Educational institutions are enrolling learners. The educational loan fund is operating. Police officers continue to detail apprehended suspects. Even the judiciary holds huge amounts of personal data on files. It is not clear whether, if presented with a prayer akin to the one made on Huduma Namba in respect of these other foundational or functional databases, the court would issue the same order.
For instance, would the court order the National Registration Bureau or Department of Immigration to stop issuance of identity cards or passports until the data impact assessment is conducted? Isn’t the purportedly retrospectively applying Data Protection Act equally meant to police these entities? Probably, the courts would not. It is why the judicial animus to the Huduma Namba is difficult to reconcile.
One of the seldom-cited provisions of the Data Protection Act is the one on exemptions. Parliament exempted the application of the Act, save for certain aspects such as ensuring data quality and safeguarding the rights of the data subject.
6. Small print of the Exemptions.
If we take an in-depth look at the exemptions under the Act, it may be noted that one of the grounds on which processing may be exempt from the Act is national security or public interest. This means that on such issues, observance of certain provisions may be dispensed with. By way of illustration, in reporting a missing person, personal data may be publicized even without the consent of the data subject, out of the bigger intention of tracing that person. The same applies to the exercise of activities on matters of national security, such as investigating terrorism or crimes.
Does the National Integrated Identity Management System, the database that underpins the assignment of Huduma Namba, attain the threshold of one that is established for public interest or national security? This may be rhetorical. For the Constitution guarantees every citizen the right to a Kenyan passport or any document of registration issued by the state. The Universal Declaration of Human Rights provides for the recognition of all persons before the law, offering a legal basis for registration of persons. Not having a legal identity is a barrier to inclusion and access to fundamental human rights. Civil registration and identity management go to the root of statehood and national sovereignty and are a cornerstone in building a state.
Thus, the enrolment of citizens into the NIIMS for the purpose of assignment of Huduma Namba is an exempt processing and the provisions of the Act are therefore exempted, save for the data protection principles relating to lawful processing, minimization of collection, data quality, and the requirement to adopt adequate security safeguards to protect personal data. To that extent, while a DPIA is preferable, the creation of an identity management system, being a matter of public interest, could dispense with this requirement.
7. We settle this.
Nevertheless, the State Department ought to apply prudence and explore this exemption in order to ensure the entire Act applies to their activities. This would include conducting the DPIA prior to Phase II of the enrollment activity, in recognition of this being a useful tool and practice that is helpful in ensuring the implementation of appropriate technical and organizational measures and in enhancing the integration of appropriate safeguards to ensure the adequate protection of the personal data of data subjects.
However, the court was unfair to these policy aspirations and misconstrued legal principles to arrive at an unfortunate finding, following the recent trend where an avalanche of nullifications of state activities on coerced constitutional questions shows an identifiable pattern of judicial thought. Perchance, this may be not an umpire role but a trend of judicial marionetting of the executive bureaucracy, which hopefully the Court of Appeal or the Supreme Court will halt by setting clear principles.
The author is a columnist at gatuyu.com