State of Privacy Kenya

A study of privacy and surveillance issues in Kenya. The State of Privacy project was last updated on January 2019, unless otherwise provided on specific pages.

State of Privacy
Kenya

Table of contents

Introduction

Acknowledgement

The State of Privacy in Kenya is the result of an ongoing collaboration by Privacy International and the National Coalition of Human Rights Defenders - Kenya.

Key Privacy Facts

1. Constitutional privacy protections: Article 31 of the Kenyan Constitution specifically protects the right to privacy.

2. Data protection law: Kenya does not currently have a specific data protection law.

3. Data protection agency: Kenya does not have a specific data protection authority.

4. Recent scandals: Kenyan and international civil society groups report high levels of extrajudicial surveillance.

5. ID regime: The Integrated Population Registration System (IPRS) collects data from a dozen databases held by various government agencies.

Right to Privacy

The constitution

Article 31 of the Constitution specifically protects the right to privacy. It states:

"Every person has the right to privacy, which includes the right not to have—

(a) their person, home or property searched;

(b) their possessions seized;

(c) information relating to their family or private affairs unnecessarily required or revealed; or

(d) the privacy of their communications infringed."

Furthermore, Article 2 states that Kenya's international obligations, such as its commitment to the Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, which include privacy rights, are part of Kenyan domestic law. It states:

“(5) The general rules of international law shall form part of the law of Kenya.

(6) Any treaty or convention ratified by Kenya shall form part of the law of Kenya under this Constitution.”

Regional and international conventions

Kenya is a signatory to or has ratified a number of international conventions with privacy implications, including:

Communication Surveillance

Introduction

The Communications Authority of Kenya (CA) regulates the telecommunications industry and collects statistics on the sector. Mobile penetration was recorded at 86.2 % in March 2017, with 39.1 million mobile subscriptions. There were an estimated 40.59 million internet users in Kenya in March 2017, representing an internet penetration rate of 89.4% according to the CA.

Social media is widely used in Kenya. Kenya is reported to have over 5 million active daily Facebook users, and 693,000 confirmed active users on Twitter, according to a study by Ogilvy, an advertising and public relations firm.

Surveillance laws

The Kenya Information and Communications Act (2009), penalises the unlawful interception of communications by service providers. Article 31 states:

“A licensed telecommunication operator who otherwise than in the course of his business—

(a) intercepts a message sent through a licensed telecommunication system; or

(b) discloses to any person the contents of a message intercepted under paragraph ; or

(c) discloses to any person the contents of any statement or account specifying the telecommunication services provided by means of that statement or account, commits an offence and shall be liable on conviction to a fine not exceeding three hundred thousand shillings or, to imprisonment for a term not exceeding three years, or to both.”

Article 83 states:

"(1) Subject to subsection (3), any person who by any means knowingly:—

(a) secures access to any computer system for the purpose of obtaining, directly or indirectly, any computer service;

(b) intercepts or causes to be intercepted, directly or indirectly, any function of, or any data within a computer system, shall commit an offence."

Article 93 (1) states:

"No information with respect to any particular business which—

(a) has been obtained under or by virtue of the provisions of this Act; and

(b) relates to the private affairs of any individual or to any particular business,

shall, during the lifetime of that individual or so long as that business continues to be carried on be disclosed by the Commission or by any other person without the consent of that individual or the person for the time being carrying on that business."

Section 15 (1) of the Kenya Information and Communications (Consumer Protection) Regulations (2010), states that:

“Subject to the provisions of the Act or any other written law, a licensee shall not monitor, disclose or allow any person to monitor or disclose, the content of any information of any subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds of interception or surveillance of communications and related data.”

However, several recent legal developments have eroded protections against surveillance and expanded the intelligence and law enforcement agencies' interception powers.

These include the National Intelligence Service (NIS) Act (2012), article 36 of which reads:

“(1) The right to privacy set out in Article 31 of the Constitution, may be limited in respect of a person suspected to have committed an offence to the extent that subject to section 42, the privacy of a person's communications may be investigated, monitored or otherwise interfered with.

(2) The Service shall, prior to taking any action under this section, obtain a warrant under Part V.”

Article 45 states:

“....an officer of the Service the power to obtain any information, material, record, document or thing and for that purpose – (a) to enter any place, or obtain access to anything; (b) to search for or remove or return, examine, take extracts from, make copies of or record in any other manner the information, material, record, document or thing; (c) to monitor communication; or (d) install, maintain or remove anything.”

The Prevention of Terrorism Act (2012) grants extensive powers to state authorities to limit fundamental freedoms and encroach on the right to privacy through surveillance. Article 35 states:

“(1) Subject to Article 24 of the Constitution, the rights and fundamental freedoms of a person or entity to whom this Act applies may be limited for the purposes, in the manner and to the extent set out in this section.

(2) limitation of a right or fundamental freedom under subsection (1) shall apply only for the purposes of ensuring —

(a) the investigations of a terrorist act;

(b) the detection and prevention of a terrorist act; or

(c) 'that the enjoyment of the rights and fundamental freedoms by an individual does not prejudice the rights and fundamental freedom of others.

(3)The limitation of a fundamental right and freedom under this section shall relate to 

(a) the right to privacy to the extent of allowing ...

(iii) the privacy of a person's communication to be investigated, intercepted or otherwise interfered with.”

The Security Laws (Amendment) Act (2014) states in article 69, which is an amendment of the Prevention of Terrorism Act, that:

“(1) The National Security Organs may intercept communication for the purposes of detecting, deterring and disrupting terrorism in accordance with procedures to be prescribed by the Cabinet Secretary.

(2) The Cabinet Secretary shall make regulations to give effect to subsection (1), and such regulations shall only take effect upon approval by the National Assembly.

(3) The right to privacy under Article 31 of the Constitution shall be limited under this section for the purpose of intercepting communication directly relevant in the detecting, deterring and disrupting terrorism.”

These acts have been presented as a positive tool for tackling threats to national security in light of the 2013 terrorist attack on the Westgate shopping mall, and attacks by Al Shabaab in Mandera in 2014 and Garissa in 2015.

Data retention

The Kenya Information and Communications Act (2009) regulates the retention of electronic records and of “information in original form”. Section 83 states:

“Where any law provides that documents, records or information shall be retained for any specific period, then that requirement shall be deemed to have been satisfied where such documents, records or information are retained in electronic form if:

(a) the information contained therein remains accessible so as to be usable for subsequent reference;

(b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; and

(c) the details which will facilitate the identification of the original destination, date and time of dispatch or receipt of such electronic record are available in the electronic record...”

Surveillance actors

The principal intelligence agency of Kenya is currently the National Intelligence Agency (NIS). The NIS was established by the 2012 National Intelligence Service (NIS) Act; it is both the domestic and foreign intelligence agency of Kenya. Its precursor, the National Security Intelligence Service (NSIS), was created in 1998 as a successor of the Special Branch, which dated to the late colonial period. Until 1999, the NSIS had been joined to the police.

The NIS has a wide-ranging mandate. Its primary function is to gather, collect, analyse and transmit or share with the relevant state agencies any security intelligence and counter intelligence with an aim of detecting and identifying threats or potential threats to national security. It also advises the President and government of these threats, and transmits intelligence information to other agencies.

A National Security Council oversees intelligence operations in Kenya. The council is comprised of the President, Cabinet Secretaries including the Secretaries responsible for defence, foreign affairs, and internal security; the Attorney-General; the Chief of Kenya Defence Forces; the Director-General of the National Intelligence Service; and the Inspector-General of the National Police Service.

The Kenyan Police Service also has surveillance powers, established in the National Police Service Act (2011) and the National Police Service Commission Act 2011. The current Kenyan police force reports to the Inspector General of Police and is a department of Ministry of Interior and Coordination of National Government. The Directorate of Criminal Investigations of the Police Force was created in the 1920s. It has authority to “collect and provide criminal intelligence; undertake investigations on serious crimes including ...cyber crime”.

Surveillance capabilities

Direct access

A March 2017 investigation by Privacy International revealed that the NIS has direct access to Kenya’s telecommunications networks, which allows for the interception of both communications data and content. Direct access describes situations where state agencies have a direct connection to telecommunications networks which allows them to obtain digital communications content and data (mobile and/or internet) without prior notice or judicial authorisation and without the involvement of the telecommunications provider or internet service provider that owns or runs the network. 

Internet and social media monitoring

In March 2012, the telecommunications industry regulator, the then-Communications Commission of Kenya (CCK, the precursor to the Communications Authority), announced that it was setting up a system to allow the authorities to monitor incoming and outgoing digital communications. The CCK requested that all telecommunication service providers cooperate in the installation of internet traffic monitoring equipment; known as the Network Early Warning System (NEWS). The CCK cited a rise in cyber security threats as a justification for this move. NEWS is an initiative of the UN's International Telecommunication Union (ITU) to aggregate data on cybersecurity threats and disseminate it worldwide.

In January 2017, the Communications Authority (CA) announced a further three measures costing an estimated 2 billion KSh (15.2 million GBP) to monitor Kenyans’ communications and communications devices. Among these was a "device management system" to detect fraudulent devices and a social media monitoring project. According to an investigation published in March 2017 by Privacy International, in late 2016, the CA finalized a contract with Israeli ‘web intelligence’ firm webintPro, according to CA sources. 

Packet inspection

In January 2013, The Citizen Lab of the University of Toronto published a research brief in which it reported that researchers had discovered Blue Coat PacketShaper installations in countries including Kenya. Technologies from US-based Blue Coat allow for the the surveillance and monitoring of interactions on applications including Facebook, Gmail, Skype and Twitter, among others. It is unclear whether Blue Coat PacketShaper installations were in place in Kenya.

Technical research published in March 2017 by the Centre for Intellectual Property and Information Technology Law (CIPIT) at Kenya's Strathmore University indicated the presence of a middle-box on Safaricom's cellular network. According to CIPIT, middle-boxes assume dual-use character in that they can be used for legitimate functions (e.g., network optimisation) and can simultaneously be used for traffic manipulation, surveillance and aiding censorship. 

Mobile interception devices

Units of the NIS, the Directorate of Military Intelligence and Police Directorate of Criminal Investigations all have (or had) mobile devices used to track targets, collect communications data and listen into live communications for operational purposes, according to a March 2017 investigation by Privacy International.

Surveillance oversight, checks and balances

The telecommunications industry is regulated by the Communications Authority (CA), formerly known as the Communications Commission of Kenya (CCK). The CA was established in 1999 and is responsible for facilitating the development of the ICT sector including broadcasting, multimedia, telecommunications, electronic commerce, postal and courier services.

Surveillance case law

Privacy International is not aware of any court cases challenging or touching upon communications surveillance powers in Kenya. Please send any tips or information to: [email protected]

Examples of surveillance

According to the few civil society groups in Kenya who work on the issues, it is difficult to work on privacy and surveillance in the country as the issue is not widely deemed important. This is in part because an increased number of security threats has enabled a strong national security discourse to overshadow concerns about individuals' privacy. Privacy is often considered subsumed to other human rights issues.

There are nevertheless serious concerns over disproportionate and unlawful surveillance in Kenya. In 2012, Peace Brigades International stated in relation to human rights defenders (HRDs) in Kenya that “incidences of surveillance by state and non-state actors have been reported. Offices have been raided or burgled and computers hacked, and several organisations suspected that their phones were being tapped.” In October 2013, Human Rights Watch warned of the rising attacks on HRDs. Regular reports by the East and Horn of Africa Human Rights Defenders Project (EHAHRDP) and Front Line Defenders of HRDs and journalists being intimidated, attacked, arrested, tortured, killed, and kidnapped in Kenya demonstrate the significance of the issue.

During and in the aftermath of the March 2013 elections, the Kenyan government requested that mobile phone providers block text messages that were deemed to incite violence using a firewall that would detect messages containing key words, identified beforehand, to be further analysed. The National Steering Committee on Media Monitoring of the Ministry of ICT reportedly intercepted 300,000 texts messages daily during the 2013 elections.

In July 2015, it was revealed that agents of the Kenyan intelligence services had contacted intrusion malware company Hacking Team to ask them to shut down a critical blog as a 'proof of concept' for their surveillance tools. The Kenyan government appeared to be attempting to procure the Remote Control System tool that allows for remote hacking and control of target devices.

The combination of these trends raises serious concerns about the government's potential use of surveillance tools to further repress civil society and human rights defenders, especially in the context of the 'war on terror,' which the government has used as a legitimizing narrative to justify serious human rights violations.

Surveillance in counterterrorism operations

According to a March 2017 investigation by Privacy International, communications surveillance is being carried out by Kenyan state actors, essentially without oversight, outside of the procedures required by Kenyan law. Intelligence gained by intercepting phone communications, primarily by the NIS, is regularly shared with police units to carry out counter-terrorism operations, particularly the GSU-Recce company and Anti-Terrorism Police Unit (ATPU). These police units have well-documented records of abuses, including torture and extrajudicial killings. Information acquired from communications surveillance is central to the counterterrorism cycle - from surveilling, profiling, locating, tracking and arresting targets to abuse, torture, abduction and extrajudicial killing.

US government surveillance

In May 2014, The Intercept reported that a programme of the US National Security Agency (NSA) called MYSTIC secretly monitored the telecommunications systems of several countries including Kenya, where the system was known as DUSKPALLET. The programme was described in internal documents as a “program for embedded collection systems overtly installed on target networks, predominantly for the collection and processing of wireless/mobile communications networks.” Evidence provided to The Intercept shows that the programme dates back to 2013, and that data gathered through it has been used to generate intelligence reports. The Intercept states that “the operation in Kenya is ‘sponsored’ by the CIA, according to the documents, and collects ‘GSM metadata with the potential for content at a later date’." In some of the other countries where MYSTIC is implemented (The Bahamas, Mexico and the Philippines), MYSTIC required “contracted services for its ‘operational sustainment’”; this is not the case for Kenya however. It is unclear what - if any - role the government of Kenya, as well as telecommunication and communication providers, played in the deployment of MYSTIC.

Data Protection

Data protection laws

Kenya does not currently have specific data protection legislation. However, a Data Protection Bill was tabled in Parliament in 2015. The Bill has not yet passed. Once law, the Bill would give effect to Article 31(c) of the Constitution, which outlines the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and Article 31(d), the right not to have “the privacy of their communications infringed”. It would also regulate the collection, retrieval, processing, storing, use and disclosure of personal data. Yet the proposed legislation does not explicitly address the protection of data stored in the “cloud” (synchronised storage centres for digital data). Many cloud repository servers are based outside Kenya, which further troubles the proposed legislation.

In 2016, a draft Cyber Security and Protection Bill originating in the Senate was tabled and read. It was withdrawn in December.

Law enforcement access to stored data

Under section 31 of the Kenya Information and Communication Act (2010), a telecommunications provider is liable for prosecution if it "otherwise than in the course of [its] business -- (a) intercepts a message sent through a licensed telecommunication system; or (b) discloses to any person the contents of a message intercepted under paragraph (a); or (c) discloses to any person the contents of any statement or account specifying the telecommunication services provided by means of that statement or account".

In this vein, Section 15(1) of the Kenya Information and Communications (Consumer Protection) Regulations (2010), states that a licensee “shall not monitor, disclose or allow any person to monitor or disclose, the content of any information of any subscriber transmitted through the licensed systems by listening, tapping, storage, or other kinds of interception or surveillance of communications and related data”.

On 7 February 2014, the Kenya Information and Communications (Registration of Subscribers of Telecommunication Services) Regulations (2014) were published. Section 13 states:

“A licensee shall grant the Commission's officers access to its systems, premises, facilities, files, records and other data to enable the Commission inspect such systems, premises, facilities, files, records and other data for compliance with the Act and these Regulations.”

The CCK/Communications Authority has argued that their request to access personal information is in line with Article 35 of the Constitution that permits citizens the right to access information held by the State or by another person and is required for the exercise and protection of any rights or fundamental freedom. However, the Kenya High Court ruled that a company or agency is not a “natural person” and so could not enjoy the rights upheld by Article 35.

The Law Enforcement Disclosure annex of Vodafone’s transparency report, published in June 2014 noted that "local operators are legally prohibited… from implementing the technical requirements necessary to enable lawful interception" and that it had “not received any agency or authority demands for lawful interception assistance" in Kenya. Vodafone also noted that "the legal position is unclear regarding whether or not it would be lawful for Safaricom (Vodafone's local associate operator) or Vodafone to disclose statistics related to agency and authority communications data demands". 

Data Protection Bill 2018

Despite the existence of the Data Protection Bill 2018, in May 2018 the ICT Cabinet Secretary Joe Mucheru formed a taskforce to develop a Policy and Regulatory Framework for Privacy and Data Protection in Kenya.  The draft policy presents legislative proposals and recommendations for stakeholder consultation through a transparent process with the object of developing the draft policy and legislation for privacy and data protection.

The terms of reference for the Taskforce on the Development of the Policy and Regulatory Framework for Privacy and Data Protection in Kenya, includes to undertake a comprehensive audit of the existing legislation, regulation, policies, administrative procedures, sessional papers, Government guidelines and circulars relating to privacy and data protection frameworks in Kenya. They are to identify any gaps or inconsistencies in the existing frameworks and proposes specific review requirements. The taskforce is also supposed to propose any new policy, legal and institutional framework that may be required to implement the policy and regulatory framework for privacy and protection. 

Following the passing of Europe’s General Data Protection Regulation (GDPR) in May 2018, Kenya’s Data Protection Bill 2018 was presented before the Senate by Baringo County Senator, Gideon Moi the Chair of the Committee on Information, Communication and Technology; and released for public debate and scrutiny. The legislation specifically addressing data collection, processing and storage. However, the bill has its shortfalls which have been highlighted and tabled before Senate by civil society. The ICT taskforce which was tasked to prepare a report is yet to release the report to the public. 

Accountability mechanisms

Privacy International is not aware of any specific accountability mechanisms related to communications surveillance in Kenya. Please send any tips or information to: [email protected]

Data breaches: case law

In December 2016, the High Court in Nairobi declared unconstitutional a presidential directive seeking to collect names of people living with HIV, including names of school age children, among others. Along with other organisations, the Kenya Legal & Ethical Issues Network (KELIN) had filed a case against a directive, arguing that the creation of this list was in violation with Article 31 and 53(2) of the Constitution, respectively, the right to privacy and the position that the "child’s best interests are of paramount importance in every matter concerning the child."

Examples of data breaches

In December 2014, the Kenyan government arrested and expelled 77 Chinese citizens on suspicion of "preparing to raid the country's communication systems", according to the Police. Kenyan media reported that police raids had uncovered equipment capable of infiltrating bank accounts and government servers, as well as a popular banking system and ATM machines.

Reports from April 2016 indicate that hacker collective Anonymous breached the Kenyan Ministry of Foreign Affairs' servers and published 1 terabyte of files online. The Ministry later confirmed the hack as genuine and the result of junior staff members unknowingly giving access to the hackers by changing their passwords.

Identification Schemes

ID cards and databases

Population registration

In December 2012, a Ukrainian company, EDAPS, completed the creation of an Integrated Population Registration System (IPRS) for the Kenyan government. The IPRS collects data from a dozen databases held by various government agencies. It combines data from birth and death registers, the citizenship register, ID card register, aliens register, passport register and the marriage and divorce register as well as the elections register, tax register, drivers register, National Social Security Fund (NSSF) register, National Hospital Insurance Fund (NHIF) register and the Kenya National Bureau of Statistics (KNBS) register. Kenya has yet to adopt data protection legislation and the collection, centralisation and sharing of this type of data.

Biometric registration

In April 2014, the Kenyan government announced that it would be registering all Kenyans in a new national digital database that would include biometric details as well as information on land ownership, establishments and assets. The aim of the programme is to facilitate the identification of people holding forged or false identification documents. Under the Umoja Kenya Initiative, the government would collect all data pertaining to an individual including name, age, identities of relatives, property owned and residence.

In September 2015, it was announced that Pakistan’s government database and registration authority, the National Database and Registration Authority (Nadra), had won a contract to provide e-passport software for Kenya. NADRA's databases in Pakistan are among the world's biggest population registers.

In January 2019, President Kenyatta signed into law amendments to the Registrations of Persons Act, that facilitate the formation of a biometric ID card in Kenya. The possibility that this will contain DNA of Kenyans has been criticised. All Kenyans and foreigners residing in Kenya will be given a unique identity number, known as the Huduma Namba

Voter registration

The right to vote is guaranteed to all Kenyan citizens over the age of 18. The Independent Electoral and Boundaries Commission requires registrants to provide either a national Identity Card (ID) or a valid passport as a proof of identity.

The government conducted an exercise to biometrically verify voters for the August 2017 presidential elections. In March 2017, the government announced that it had awarded a 3.8 billion KSh contract for an elections management system to the French multinational defense and security company OT-Morpho. In September, the Supreme Court of Kenya annulled the August 2017 results, which saw President Uhuru Kenyatta reelected, over irregularities in the electronic transmission of the results from polling stations across the country. Kenyatta was re-elected in a fresh round of elections held on 26 October 2017.

In other election-related news, President Kenyatta's Jubilee party reportedly hired UK big data consulting firm, Cambridge Analytica, to assist in President Kenyatta's re-election campaign.

SIM card registration

Identification and registration of subscribers

In 2010, the Communications Commission of Kenya (CCK) (renamed the Communications Authority in 2014) announced that mobile phone subscribers would be required to register their details with operators or risk having their SIM cards deactivated. Subscribers have been obliged to provide the following personal information in order to register their SIM cards: full names, physical and postal addresses, dates of birth, and alternate contacts. When a minor is registered, the child’s guardian must produce an identification card.

The Kenya Information and Communications (Amendment) Act (2013) integrated some requirements already included in the Kenya Information and Communications (Registration of Subscribers of Telecommunication Services) Regulations (2012)

In January 2017, the Communications Authority announced three projects – one each to monitor radio frequencies, monitor social media platforms, and ‘manage devices’ – to prevent a repeat of the post-election violence of the 2007 election period. The telecommunications industry reacted strongly against the measures. CA authorities rushed to assure Kenyans that the projects would only be used to enforce regulatory compliance. Details of the Device Management System leaked to the press in March 2017, prompting a successful High Court challenge to the system which suspended its progress until May.

Policies and Sectoral Initiatives

Cybersecurity policy

Kenya’s cybersecurity initiatives rely heavily on foreign government assistance. The National Cybersecurity Strategy, also referred to as the National Cybersecurity Strategy and Master Plan, was first developed for the Ministry of Information and Communication (MOIC) over four months from July 2012 with a grant from the US Trade and Development Agency for Technical Assistance. Booz Allen Hamilton, a prominent American management firm with significant national security contracts, was contracted to help develop the plan. The resulting National Cybersecurity Strategy was unveiled in May 2014. The four goals of the strategy are to:

  • Enhance the nation’s cybersecurity to facilitate the country’s growth, safety, and prosperity;
  • Raise cybersecurity awareness and develop Kenya’s workforce to address cybersecurity needs;
  • Foster information sharing and collaboration among stakeholders to facilitate an information sharing environment; and
  • Provide national leadership by defining the national cybersecurity vision, goals, and objectives and coordinating cybersecurity initiatives at the national level. 

The National Computer Incident Response Team (KE-CIRT) was created in consultation with International Telecommunications Union. The CIRT is responsible for the implementation of the national Cybersecurity Strategy, among other tasks. It derives its mandate from the Kenya Information and Communications Act 1998. It has been operational since 2012. 

According to a 2017 Privacy International investigation, the Communications Authority shepherded the creation of a National Intrusion Detection System (NIDS) – since renamed the National Intrusion Detection and Prevention System (NIPDS). According to its draft project proposal, the new NIDS would “provide a cyber-early warning on any possible attacks on critical Government Internet infrastructure.” Particularly problematic, however, is the potential scale of monitoring that can be conducted, as well as the lack of transparency about what exactly will be visible and to whom.

Cybercrime

Kenya does not yet have a law dealing specifically with cybercrime, though public officials claim that rates of cybercrime are on the rise

An early 2014 draft Cybercrime and Computer Related Crimes Bill sought to equip law enforcement agencies with the legal and forensic tools to tackle cybercrime. Free speech advocacy group Article 19 warned that if enacted, the Bill would be devastating for freedom of expression online in Kenya because of its broad definition of speech offences, offences against computers and other computer-related offences.

The 2016 Computer and Cyber Crimes Bill, which replaces the 2014 draft, was approved by the Kenyan cabinet in April 2017. The bill has been criticised for having overly broad categories of offenses, which could potentially be used to prosecute free speech. Another draft 2016 Cybersecurity and Protection Bill was withdrawn in December 2016.

In May 2018, in an attempt to address cybercrime, cyber bullying, phishing, false news and cybersquatting in the country the Computer Misuse and Cybercrimes Bill was passed by parliament and assented to by President Uhuru Kenyatta. The new law contains stiff penalties on publishing false, misleading or fictitious data, child pornography, computer forgery, and espionage among others. The law imposes fines of ten to twenty million or to imprisonment for a term for twenty to twenty-five years, or to both. 

The motivation behind the passage of the law is to protect unreported cases from financial institutions who are major target of cybercrime activities and address cases of cyber bullying have also been reported in places like parliament with members of Parliament protesting the rate at which they were being targeted by the criminals. 

Following the assent of the Bill Bloggers Association of Kenya (BAKE) enjoined by Article 19 and Kenya Union of Journalists (KUJ) filed a petition in the High Court. In their petition, they argued that 26 sections of the law threaten the freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property and the right to a fair hearing. They also noted that the membership of the National Computer and Cybercrimes Co-ordination Committee established under the law does not conform to the two-thirds gender rule as all the members will be all men. Subsequently the High Court granted their request to suspend 26 sections of the law.

Encryption

There are no specific regulations concerning citizens' use of encrypted communication methods.

Licensing of industry

Kenya has a diverse market of telecommunications and internet service providers. In June 2017, Safaricom dominated the market with 72.6% of mobile subscribers followed by Airtel, Telkom Kenya, Finserve and others. The Kenyan government owns 35% of Safaricom shares, while 40% are owned by Vodafone and 25% are freely floated. 

The top data providers in June 2017 are Safaricom (77.1%), Airtel (15.6%), and Telkom Kenya (6.2%). Kenya also has a broadband (fixed) internet penetration rate of 15.4%, corresponding to 34.2 million subscriptions.

Safaricom, which controls a large share of both the mobile telephony and internet market, is a stated partner of the Kenyan police service and has recently won a number of high-value state security contracts, including for a nationwide CCTV and emergency response monitoring centre.

E-governance/digital agenda

A variety of government services including business, marriage and land documentation are provided online through the eCitizen portal. The eCitizen services terms of use state that "No personally identifiable information is automatically collected about visitors who simply browse this site or who download information from it. eCitizen does not release any information about the collection of IP addresses to any third party, except under court order or as required by law."

National Education Management System (NEMIS )

The Ministry of Education is capturing data of every learner and putting in a web based platform (NEMIS). Registered students will have unique identification numbers that will track their performance from primary school, high school and tertiary levels to help the government formulate better plans and policies as well as enhanced transparency and accountability. 

However, information collected includes student and parents information which is detrimental given that collection of such data is being done in a vacuum as Kenya does not have a clear policy and data protection law(s). Therefore management and storage of such data is not clearly governed. At the same time information collected on any indiscretion remains a matter on record and can be used to profile the individual in adulthood.

Health sector and e-health

In 2011, the government of Kenya published a national e-Health strategy. The strategy is linked to the achievement of Vision 2030, a Kenyan government initiative whose overall goal is to have an "equitable and affordable healthcare at the highest achievable standard" for Kenyan citizens.

Safeguarding privacy and security is one principle of the strategy, which states that the government will aim to "[a]dhere to/put in place applicable legislation to protect consumer confidentiality as a mandatory part of the regulatory environment governing procedural or systems development processes to support e-Health. In addition, to providing basic system security and protect against unlawful access or malicious damage to information, every effort must be made to ensure that access is absolutely restricted to authorized persons in accordance with their rights and permissions profile."

In 2017, it was announced that Kenyan company BioSIM was launching two new biometric verification products designed to track pupil enrolment and attendance in schools (BioSIM for Education) and make healthcare service delivery more efficient (BioSIM for Health). The technology involves collecting clients' iris scans and using these to verify identity for access to services. BioSIM for Education has been reportedly taken up by a number of schools across Kenya.

Smart policing

In May 2014, the government announced that the partially state-owned Kenyan communications provider Safaricom had been awarded a government tender to set up a new surveillance system, known as the Integrated Public Safety Communication and Surveillance System, for the Kenyan Police.

When the surveillance system was made public, it was announced that the system would cost KES 12.3 billion (approximately US$ 140 million). There are two elements to the project. First, the system would link all security agencies in order to facilitate information sharing and public safety activities. Secondly, it would establish a surveillance camera system consisting of 1,800 CCTV cameras nationwide. These would be installed in Nairobi, the capital, and the coastal city of Mombasa and connected to 195 police stations through a secure 4G network. The system would have facial and movement recognition capacities in real time. The main organising hub for the system would be a monitoring centre in Nairobi where data collected would be retained and analysed. The system is now functional in Nairobi and Mombasa.

In June 2014, the Kenyan National Assembly's Committee on National Security had decided to suspend the contracting process for the new system on the basis that the procurement process had failed to meet necessary standards, following complaints from unsuccessful companies who bid for the contract. The final decision in May 2015 has been to award Safaricom the contract for the system.

The tender has since become the focus on a corruption scandal following the publication in Nairobi Law Monthly of details alleging improper procurement procedures and bribery by Safaricom and Huawei.

Transport

Kenya's National Transport and Safety Authority (NTSA) announced in July 2017 that it would begin issuing digital driving licenses. The ID, which bears a microchip, would reportedly contain driving histories and allow for direct payments to judicial services in the event of fines. It is unclear which authorities would have access to information held on the card.

Migration

Privacy International is not aware of any specific privacy issues related to migration in Kenya. Please send any tips or information to: [email protected]

Emergency response

Privacy International is not aware of any specific privacy issues related to emergency response in Kenya. Please send any tips or information to: [email protected]

Humanitarian and development programmes

Privacy International is not aware of any specific privacy issues related to humanitarian and development programmes in Kenya. Please send any tips or information to: [email protected]

Location
Related learning resources
More about our partner