Kenyan Telco urged to delete biometric data collected for SIM registration
Global human rights watchdog Access Now has called on a mobile telecommunications company in Kenya, Safaricom, to delete all face biometrics data collected from citizens between November 2021 and April 2022 within the framework of an ongoing SIM card registration process in the East African country.
In an open letter, the rights organization accused the telco of unlawfully collecting facial images of Kenyan citizens for the SIM registration exercise in violation of multiple laws in Kenya.
The laws, according to the watchdog, include the Kenya Information and Communications (Registration of SIM cards) Regulations 2015; the Data Protection Act 2019; the General Data Protection Regulations 2021; the Kenya Information and Communication (Consumer Protection) Regulation 2010; and the Consumer Protection Act.
Access Now argues that collecting biometrics for SIM registration is illegal as the Kenya Information and Communications (Registration of SIM cards) Regulations 2015 requires that telcos collect only the names, gender, date of birth, physical address, postal address, and copies of identification documents of their mobile service subscribers during registration.
A legal challenge was brought against Safaricom soon after its biometric registration process was launched.
The letter mentions that although Safaricom has updated its policy to eliminate biometric capture for SIM card registration, the company still requires other personal information not allowed by Kenyan laws.
“Safaricom demanding excessive personal information — including private biometric data — for people to use its services is nothing less than unconscionable,” says Jaimee Kokonya, Africa campaigner at Access Now. “As one of the nation’s leading internet providers, the company wields the power to control the communication of millions of people, and must put human rights above all. Safaricom should be setting the privacy gold standard, not dragging the industry through the mud.”
The organization wondered why telecoms service providers like Safaricom continue to insist on collecting too much personal information, including biometrics, when the Kenya Communication Authority, which had earlier called for the collection of the same, later rectified its stand on biometrics collection after a wrong interpretation of the law.
“When we see private companies manipulate laws and regulations with unclear motives, governments must intervene,” says Bridget Andere, Africa policy analyst at Access Now. “Safaricom must be held responsible for its illegal acquisition of private information — information it now controls, and is ripe for exploitation and manipulation.”
Apart from the call to delete the biometric data already collected, Access Now has also called on Safaricom to notify subscribers of the deletion. Also, the telco has been urged to commission, and publish, independent transparency reporting on the Data Protection Impact Assessment carried out prior to the collection of facial biometrics in adherence to Section 31 (2) of the Data Protection Act, 2019; and to commit to better data processing practices that adhere to the data protection principles as set out in Section 25 of the Data Protection Act, 2019 and respect for the rights of data subjects.