See copied below unabridged version.
KRA ACCESS TO M-PESA TRANSACTIONS IS A GRAVE THREAT TO PRIVACY ON DATA PROTECTION WEEK
BY JAMES MBUGUA
As the Kenyan government looks for new ways to increase revenue collection and curb tax cheating, the Kenya Revenue Authority has announced plans to gain direct and warrantless access to M-Pesa transactions. While the intentions of (KRA) may be noble, the methods proposed raise serious concerns about privacy rights and the protection of personal data.
In fact, they constitute illegal searches and seizures contrary to Article 31 of the Constitution of Kenya, and well established jurisprudence on privacy rights from around the world.
Article 31 provides for the right to privacy and states that every person has the right to privacy, which includes the right not to have their person, home or property searched; their possessions seized; information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed.
Kenya’s Data Protection Act of 2019, provides in Section 4 that a data subject’s consent must be sought before their data is collected and processed. Section 15 requires data controllers to obtain a warrant from a court of law before accessing personal data. This is to ensure that the collection, processing and sharing of personal data is necessary and proportionate.
The High Court of Kenya, in the case of Center for Rights Education and Awareness (CREAW) v Attorney General [2013] , as well as in Maina Kiai v Attorney General held that the government's surveillance of citizens' communications without a warrant is a violation of the right to privacy protected under the Constitution.
KRA’s proposal in the Budget Policy Statement released by the National Treasury last week, ironically came on the eve of Data Protection Week when the world marks the International Data Protection Day, on 28th January.
In Europe, whose General Data Protection Regulation (GDPR) we largely modelled our Act on, the principle of necessity and proportionality, in collection of personal data, has repeatedly been upheld by courts when government agencies have tried to access citizens’ telecommunications information without warrants. The courts have ruled that general and indiscriminate retention of personal data is incompatible with EU laws and constitutional rights, because it represents a serious interference with the right to privacy and the protection of personal data
In the Digital Rights Ireland vs. Minister for Communications case, as well as another called the Tele2 case, the European Court of Justice (ECJ) ruled that a law requiring telecommunications service providers to retain traffic and location data for a period specified by national law in order to detect, investigate and prosecute crime was invalid. The Court emphasized that any interference with the right to privacy and the protection of personal data must be proportionate to the legitimate aim pursued.
These cases reinforced the principle that any data retention measures must be limited to what is strictly necessary to achieve a legitimate aim.
In Kenya’s case, it can be argued that KRA can achieve its mandate through other means without large scale surveillance and interference with people’s privacy.
Further, granting KRA unfettered access to M-Pesa transactions data without the need for court orders, violates constitutional protection against illegal searches and seizures, also provided for under Article 31 of the Constitution.
In the United States, for example, the Supreme Court has ruled that the government's warrantless access to historical cell phone location data is a violation of the Fourth Amendment, which protects individuals against unreasonable searches and seizures. The court found that the collection of cell phone location data constitutes a search under the Fourth Amendment and that the government must obtain a warrant based on probable cause before accessing such data.
In Canada, the Supreme Court has ruled that the government's warrantless access to historical telecommunications data is a violation of the right to privacy protected under the Canadian Charter of Rights and Freedoms. The court found that the collection of telecommunications data constitutes a search under the Charter and that the government must obtain a warrant based on a reasonable expectation of privacy before accessing such data.