The Communications Authority of Kenya (CA) had published a notice requiring disclosure of IMEI numbers for mobile phone devices in use in the country.
The Communications Authority of Kenya (CA) has faulted the High Court for quashing a government directive to mobile phone importers and assemblers to submit device International Mobile Equipment Identity (IMEI) numbers.
The regulator says in an appeal that the collection of IMEI numbers pertains solely to generic mobile device identities that are not linked to any specific individual, and therefore does not relate to the right to privacy.
Justice Chacha Mwita quashed the notice in a judgment on July 18, stating that the government did not demonstrate that there was a lawful mechanism for processing IMEI numbers, which once associated with mobile devices and registered with a mobile network, qualify as personal data protected under the Bill of Rights.
However, the regulator said the court generally misinterpreted the concept of personal data and sensitive personal data, within the meaning of section 2 of the Data Protection Act and as applied in the Act and particularly in relation to ICT devices with IMEI numbers.
The CA says there was a lawful basis under the Data Protection Act, requiring the registration of IMEI numbers, and it was acting within its statutory mandate under the Kenya Information and Communications Regulations.
The regulator added that the High Court judge misinterpreted the inter-agency collaboration by government agencies at points of entry, and in particular the coordination between it and Kenya Revenue Authority (KRA) aimed at verifying devices entering the country in line with their respective statutory mandates.
“The learned judge erred in law and in fact by making findings concerning the post-sale used and protection of IMEI numbers in the absence of any evidence or participation by mobile network operators, who are the primary data controllers under the law, thereby rendering speculative and ungrounded conclusions,” CA said in the appeal.
In a notice last year, CA directed all local device assemblers to upload IMEI numbers of each assembled device to the KRA portal.
The IMEI number is a unique 15-digit serial code identifying each mobile device globally.
The notice also required all mobile phone importers to disclose IMEI numbers in their respective import documents submitted to the KRA.
While quashing the directive, Justice Mwita held that the notices were a threat to the right to privacy and therefore violate the constitution and the Data Protection Act as long as the intention was to take control of IMEI numbers of mobile devices, pool them in a portal and control the numbers even after the devices paired with IMEI numbers have been purchased and registered with a network.
KRA had notified the public on October 24 last year that all retailers and wholesalers of mobile devices should ensure that they only sell or distribute mobile devices that are tax compliant.
The notice further said that mobile network operators should only connect devices to their networks after verifying the tax compliance status through a whitelist database of compliant devices provided by KRA.
Mobile phone operators were required to provide for grey-listing non-compliant devices.
Katiba Institute challenged the notices, arguing that although IMEI numbers do not explicitly reveal the identity of an individual, their linkage to a device usage, position, as well as the ability to access certain types of data means that it falls within the ambit of personal data.
According to the lobby, mobile phones’ IMEI numbers constitute personal data and when read in connection with certain data held by mobile service providers, IMEI numbers can easily identify a person’s sensitive personal information.
The lobby group said the collection of IMEI information was excessive and the risks associated with the collection, processing and storage of IMEI numbers override the legitimate aims of reducing revenue loss and combating fraud and cybercrime.
