Can CAK Install Systems for Monitoring Mobile Phones?

The Communications Authority of Kenya (CA) was installing all planning to install Device Management Systems (DMS) on the Communication Services Provider’s networks. Ostensibly, the DMS was meant to:
  1. Monitor fraudulent international calls such Sim boxing operators in Kenya terminating international traffic for neighbouring countries.
  2. Identify fake devices from their IMEI

But, the Kenya Human Rights Commission (KHRC) insisted that CA’s reason for installing the system was to give them direct access to confidential data in people’s phones. This, they argued, was against privacy laws.
The matter went to the High Court as a Constitutional Petition No 86 of 2017, Kenya Human Rights Commission vs Communications Authority of Kenya & 4 others, and was heard by, Justice John M Mativo.
Brief facts:
The petition challenged the introduction of a DMS into the networks of Telecommunication companies who provided voice, data, and mobile money transfer services to their customers because the device had the capacity to access customers’ information illegally.
Also, the device was introduced without public consultation or public participation and as such there was no guarantee that the information accessed would remain confidential. Furthermore, the intended purpose of its introduction, which was the blocking of fake and duplicate IMEI, was capable of being achieved without intruding into the privacy of Kenyans. Therefore, the Petitioner stated that the device created unjustified limitations to the right to privacy and also the rights guaranteed under articles 40, 46, 47 and 50 of the Constitution.
The petition succeeded

Issues Determined:
Issue: Whether the installation of DMS violated the right to privacy.
Found: The installation of the device was an unjustifiable limitation to privacy as there were alternative measures that could achieve that same purpose with a lesser degree of limitation.  It was shown that in the past, 1.89 million illegal devices were switched off because Mobile Network Owners were able to identify and block blacklisted devices.

Issue: Whether the installation of a DMS system in order to combat illegal devices was within the mandate of the Communications Authority of Kenya (CAK).
Found: Combating illegal devices was not a CAK mandate. There were other statutory bodies mandated to combat counterfeits, ensure standards and curb the importation of illegal devices such as importation laws, laws governing counterfeit goods, the Kenya Bureau of Standards, the Kenya Revenue Authority and the Kenya National Police Service. Those laws and institutions were not shown to be insufficient.

Issue: Whether the acquisition and installation of the DMS was undertaken in a process that fulfilled public participation requirements.
Found: .the decision, policy and or regulation seeking to implement the DMS system was adopted in a manner inconsistent with the Article 46(1) Constitution, section 5 (2) of KICA and the Consumer Protection Act in that there was no adequate public participation prior to its adoption and implementation hence the said decision, policy and or regulation was null and void for all purposes.

Issue: What were the considerations of the Courts in deciding matters relating to limitations placed on the enjoyment of fundamental rights and freedoms?
Found: The DMS could only pass the test provided for in article 24 of the Constitution, for the limitation of fundamental rights and freedoms if it was adopted legally.

Issue: Whether the installation of a device which could access personal information belonging to subscribers of a telecommunications network, without consulting those subscribers, was a violation of the subscribers’ consumer rights.
Found: Subscriber information could only be released under terms prescribed in section 27A of the Kenya Information and Communications Act. There was no evidence tendered to show that the DMS system in question fit into the circumstances contemplated under the said section 27A.

Therefore, the installation of a device with the capacity to access information belonging to subscribers is unconstitutional and the communication authority was therefore prohibited from implementing its DMS installation project meant to collect the IMEI, IMSI, MSISDN and CDRs of the subscribers.

Leave a Reply

We've got the answer