Report says Kenya needs data protection law for privacy of biometric voter registry
A lack of legal protections for the privacy of citizen’s data in Kenya leaves its biometric electoral registry open to misuse for discrimination and surveillance, according to a new report published by the Strathmore University Centre for Intellectual Property and Information Technology Law (CIPIT).
Researchers from Strathmore Law School conducted primary and secondary research in Nairobi, Kenya before, during, and after the country’s 2017 elections, and observed that the adoption of biometric technology for the electoral process did not restore public trust, violence and legal challenges followed the elections.
The report (PDF) focuses on the motivations for adopting biometric technology for Kenya’s elections, and how the privacy and security of Kenyans’ personal data is affected by that adoption. It notes that 75 percent of African nations have incorporated some form of biometric technology into their election processes, and says that the technology comes at a high cost to countries already struggling with the costs of elections.
Article 31 of Kenya’s Constitution enshrines a right to privacy, but there is no corresponding data protection legislation to operationalize it, according to the researchers. They observed unsolicited political messages being sent during the election campaign, including some which violated the country’s opt-in requirements, and some which included data from the voter register, raising concerns about the protection of the register’s biometric data.
“The key takeaway is that Kenya’s legal landscape lacks the protections that should be demanded to safeguard Kenyans privacy and protect data,” write the report authors. “Transparency, trust and security is key when deploying biometrics and other data technologies. When such technologies are adopted in the absence of a strong legal framework and strict safeguards, they pose significant threats to privacy and personal security, as their application can be broadened to facilitate discrimination, social sorting and mass surveillance. The varying accuracy of the technology can lead to misidentification, fraud and civic exclusion. As such, it is crucial that the use of biometric technologies is regulated and their use scrutinized.”
The 42-page report includes a brief history of Kenya’s recent elections and its adoption of biometrics for the political process, and acknowledges that the voter identification system worked relatively well in 2017, compared to 2013, when the fingerprint voter verification process “failed massively.” It also details a series of incidents in which Electronic Voter Identification Systems (EVIDs) were transferred without adequate oversight and data protection procedures, or stolen. The voting system was also alleged by the opposition to have been hacked, though OT-Morpho (now IDEMIA) denied it.
The report identifies several key necessities for improving the transparency and security of the biometric voter identification system in Kenya, including the establishment of a data protection framework, greater choice for individuals about the collection and use of their personal information, and transparency from data processors.