@Mwendwa Kivuva <Lordmwesh@gmail.com> Let us not conflate issues. ALWAYS treat mobile banking (and banking in general) quite separate from other services offered by MNOs. A practical problem- @James Mbugua was right on data minimization (I would add necessity as well) disqualifying the current directive by CA. If you speak of harmonization of regulations, you can no longer rely on minimization and necessity because a need (banking) has been created. While all these things begin with a SIM Card registration, MPESA requires a further positive step of registration. At that point, we can safely speak of harmonization and requiring more information to prevent financial crimes etc. Different products, different markets. Are we sure CA is the source of the photos directive? (Kindly share the directive if you have access to it). The Regulations only allow this information to be collected during SIM Card registration- 5 (1) A person who intends to register a SIM-card shall provide the following particulars to the telecommunications operator or agent— (a) full names; (b) identity card, service card, passport or alien card number; (c) date of birth; (d) gender; (e) physical address; (f) postal address, where available; (g) any other registered subscriber number associated with the subscriber; (h) an original and a copy of the national identity card, service card, passport or alien card; (i) an original and a copy of the birth certificate, in respect of registration of minors; (j) subscriber number in respect to existing subscribers; (k) an original and true copy of the certificate of registration, where relevant; (l) a letter duly sealed by the chief executive officer or the person responsible for the day to day management of the statutory body. (while your ID would normally have a photo- it is vastly different from a digital photo which can become part of a biometric register). I cannot insist on this enough, a SIM Card registration is not the same thing as MPESA (or other mobile money platform registration). The requirements for SIM Card registration have to remain as basal as possible. On Wed, Mar 16, 2022 at 9:33 PM Mwendwa Kivuva via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

Since SIM card data is used by a large section of the population for mobile banking (Safaricom has 30 million mobile money customers) - and banking regulations require a photo ID, should the regulation be harmonised for all mobile money customers to provide their photo ID?

KICTANet had a Thought Leadership Forum with the ODPC, and the question of DPIA came up. I can't remember the response. The recording of the forum is available here https://youtu.be/Rmdvoc8Valo

On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

...

Listers,

I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA requires Data Minimisation where personal data collected should be:

"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019

This means that data that the controller does not really need to achieve a specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data.

I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com>

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.c...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

-- *Mercy Mutemi, Advocate*.

It is interesting to observe that MTN is re-branding to become a data/technology company - full details are unclear, but it maybe something that other telecommunications companies in Africa may also do. Anti-trust regulations have had an interesting history in the USA, for example [1] and [2]. [1] https://en.wikipedia.org/wiki/United_States_v._Microsoft_Corp. [2] https://en.wikipedia.org/wiki/Breakup_of_the_Bell_System On 3/16/22 11:25 PM, kanini mutemi via KICTANet wrote:

@Mwendwa Kivuva <mailto:Lordmwesh@gmail.com> Let us not conflate issues. ALWAYS treat mobile banking (and banking in general) quite separate from other services offered by MNOs. A practical problem- @James Mbugua was right on data minimization (I would add necessity as well) disqualifying the current directive by CA. If you speak of harmonization of regulations, you can no longer rely on minimization and necessity because a need (banking) has been created. While all these things begin with a SIM Card registration, MPESA requires a further positive step of registration. At that point, we can safely speak of harmonization and requiring more information to prevent financial crimes etc. Different products, different markets.

Are we sure CA is the source of the photos directive? (Kindly share the directive if you have access to it). The Regulations only allow this information to be collected during SIM Card registration-

5 (1) A person who intends to register a SIM-card shall provide the following particulars to the telecommunications operator or agent—

(a)

full names;

(b)

identity card, service card, passport or alien card number;

(c)

date of birth;

(d)

gender;

(e)

physical address;

(f)

postal address, where available;

(g)

any other registered subscriber number associated with the subscriber;

(h)

an original and a copy of the national identity card, service card, passport or alien card;

(i)

an original and a copy of the birth certificate, in respect of registration of minors;

(j)

subscriber number in respect to existing subscribers;

(k)

an original and true copy of the certificate of registration, where relevant;

(l)

a letter duly sealed by the chief executive officer or the person responsible for the day to day management of the statutory body.

(while your ID would normally have a photo- it is vastly different from a digital photo which can become part of a biometric register).

I cannot insist on this enough, a SIM Card registration is not the same thing as MPESA (or other mobile money platform registration). The requirements for SIM Card registration have to remain as basal as possible.

On Wed, Mar 16, 2022 at 9:33 PM Mwendwa Kivuva via KICTANet <kictanet@lists.kictanet.or.ke <mailto:kictanet@lists.kictanet.or.ke>> wrote:

Since SIM card data is used by a large section of the population for mobile banking (Safaricom has 30 million mobile money customers) - and banking regulations require a photo ID, should the regulation be harmonised for all mobile money customers to provide their photo ID?

KICTANet had a Thought Leadership Forum with the ODPC, and the question of DPIA came up. I can't remember the response. The recording of the forum is available here https://youtu.be/Rmdvoc8Valo <https://youtu.be/Rmdvoc8Valo>

On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <kictanet@lists.kictanet.or.ke <mailto:kictanet@lists.kictanet.or.ke>> wrote:

Listers,

I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA requires Data Minimisation where personal data collected should be: "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019

This means that data that the controller does not really need to achieve a specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data.

I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <mailto:jgmbugua@gmail.com>

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke <mailto:KICTANet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet <http://twitter.com/kictanet> Facebook: https://www.facebook.com/KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr... <https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafrica.com>

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke <mailto:KICTANet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet <http://twitter.com/kictanet> Facebook: https://www.facebook.com/KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.c... <https://lists.kictanet.or.ke/mailman/options/kictanet/kaninimutemi%40gmail.com>

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

-- *Mercy Mutemi, Advocate*.

*/ /*

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/benson_muite%40emailpl...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

Mwendwa, I agree with Mutindi we should isolate KYC issues with subscriber registration. That is the whole essence of purpose limitation. We cannot use banking regulations for subscribe registration. It is not to say that every mobile subscriber is automatically also an MPESA customer and that the information should be collected for use the day they decide to register for MPESA. In any case, it is also not to say that when they do register for mobile money, that they will not have to provide all the know-your-customer details including photographs. My point is that SIM registration must be limited in data collection to what is necessary and adequate for its stated purposes, and not more personal information than necessary. Mutindi, I will be raising it with the ODPC thanks. Regards, James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com> On Wed, Mar 16, 2022 at 9:31 PM Mwendwa Kivuva via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

Since SIM card data is used by a large section of the population for mobile banking (Safaricom has 30 million mobile money customers) - and banking regulations require a photo ID, should the regulation be harmonised for all mobile money customers to provide their photo ID?

KICTANet had a Thought Leadership Forum with the ODPC, and the question of DPIA came up. I can't remember the response. The recording of the forum is available here https://youtu.be/Rmdvoc8Valo

On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

...

Listers,

I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA requires Data Minimisation where personal data collected should be:

"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019

This means that data that the controller does not really need to achieve a specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data.

I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com>

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jgmbugua%40gmail.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

From reading various comments its seems we have CA regulations, Banking regulations and Data Protection Regulations coming into play. It looks like Listers agree that the stringent Banking Regulations (e.g KYC) may kick in for MPESA registration, but not necessarily for basic subscriber (eg voice) registration.  The argument seems to be whether the basic subscriber (SIM card) registration for say voice services, should be accompanied with digital photos since this may violate the data minimization principles of the Data Protection Act. I am persuaded that this is a valid concern - However, I request the lawyers to expand their search further and review the security laws. Is it possible that the Security Laws (as amended over time) could have enhanced basic service (eg for voice) registration to include photos of the subscriber? Such that in case there is a terror attack and the terrorists use voice communication (and not necessarily mobile money),  one would still want to track them down using their mug-shot?

Interesting discourse. I didnt know CA had a directive for SIM card re-registration but that's besides the point since its their mandate. The issues here is whether collecting photos of data subjects during registration is an overeach. the lawyers can find out and tell us. walu On Thursday, March 17, 2022, 12:57:53 PM GMT+3, James Mbugua via KICTANet <kictanet@lists.kictanet.or.ke> wrote: Mwendwa, I agree with Mutindi we should isolate KYC issues with subscriber registration. That is the whole essence of purpose limitation. We cannot use banking regulations for subscribe registration. It is not to say that every mobile subscriber is automatically also an MPESA customer and that the information should be collected for use the day they decide to register for MPESA. In any case, it is also not to say that when they do register for mobile money, that they will not have to provide all the know-your-customer details including photographs. My point is that SIM registration must be limited in data collection to what is necessary and adequate for its stated purposes, and not more personal information than necessary.  Mutindi,  I will be raising it with the ODPC thanks. Regards, James G. MbuguaData Privacy Consultant & Tech Policy Blogger@jgmbugua  On Wed, Mar 16, 2022 at 9:31 PM Mwendwa Kivuva via KICTANet <kictanet@lists.kictanet.or.ke> wrote: Since SIM card data is used by a large section of the population for mobile banking (Safaricom has 30 million mobile money customers) - and banking regulations require a photo ID, should the regulation be harmonised for all mobile money customers to provide their photo ID? KICTANet had a Thought Leadership Forum with the ODPC, and the question of DPIA came up. I can't remember the response. The recording of the forum is available here https://youtu.be/Rmdvoc8Valo  On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, <kictanet@lists.kictanet.or.ke> wrote: Listers, I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach. CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place. Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations. In seeking to protect privacy and personal data, the DPA  requires Data Minimisation where personal data collected should be: "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019 This means that data that the controller does not really need to achieve a specific purpose, should not be collected. Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements. The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis. Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations. 2. Data Protection Impact Assessment. Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data. I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive. Regards, James G. MbuguaData Privacy Consultant & Tech Policy Blogger@jgmbugua  _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr... KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform. _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jgmbugua%40gmail.com KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform. _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

Very rich debate this one. I think this whole debate has been necessitated by this message from Safaricom "Dear Customer, urgently visit an M-PESA Agent, Dealer or Safaricom Shop with original ID to update your SIM registration. Dial *106# for lines registered to you" James / Kanini, I'm not calling for all sim card owners to provide more data. My question was, "should the regulation be harmonised for all mobile money customers to provide their photo ID?" For mobile money customers, not SIM card owners. On Mon, 21 Mar 2022, 12:19 Mutindi Muema via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

@Walu, if i had time to spare i would dig in, but billable work is hogging my schedule right now. I can however add some direction for whoever has time to delve into this- we all looking forward to any findings:

Further to direction by Grace, Walu & Mutemi, it seems work needed along the lines of what the law says regarding:

1. requirements for SIM card registration - probably KICA both Act and Regs as well as any relevant guidelines issued by CA. Kanini Mutemi reproduced a segment of KICA earlier. some work to get any other relevant provisions. 2. @Walu it is also important that any directive for re-registration has been issued by CA - the same be reviewed. Yes CA has a mandate , content of any directions would also inform thai convo. 3. Requirements for mobile money registration/use are also relevant- from my understanding mobile money legal framework is the National Payment Systems ACt (NPSA)& Regs and relevant guidelines under that. Cursory review of Act, I do not remember seeing requirements for photo here last time I reviewed this (which a while back) someone with time on their hands can go through requirements as well. 4. Mobile banking regulatory framework- is different from mobile money framework. Mobile banking falls more within banking so Banking Act, prudential guidelines etc - we could actually have different requirements for registration of customers for mobile banking in law than requirements for registration of mobile money (NPSA) 5. Like Walu said - there is also need to review laws relating to ani-money laundering , terrorism fianncing etc to see requirements under those esp those that would relate to KYC as well as the deffinition of insitutions to which the obligations apply and if any distinction between application to businesses lines licensed under KICA (Sim card), NPSA (mobile money)versus licensees under Banking Act (mobile banking). 6. All the findings then need to be reconciled with provisions of the Data Protection Act & Regs now in force :

(i) from a data protection principle perspective but then also (ii) from a communications to data subject perspective- as evident in this thread, data subjects have questions around this and compliance is definitely impacted by clarity of comms to data subjects. This second point is particularly important for data protection compliance as communications helps with accountability and transparency with regards to what data controllers/ processors are actually doing with data subject data and why.

Kind regards, Mutindi Advocate & Certified Information Privacy Manager (CIPM)- International Association of Privacy Professionals (IAPP)

On Mon, Mar 21, 2022 at 11:44 AM Walubengo J via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

...

Interesting discourse.

I didnt know CA had a directive for SIM card re-registration but that's besides the point since its their mandate. The issues here is whether collecting photos of data subjects during registration is an overeach.

From reading various comments its seems we have CA regulations, Banking regulations and Data Protection Regulations coming into play. It looks like Listers agree that the stringent Banking Regulations (e.g KYC) may kick in for MPESA registration, but not necessarily for basic subscriber (eg voice) registration.

The argument seems to be whether the basic subscriber (SIM card) registration for say voice services, should be accompanied with digital photos since this may violate the data minimization principles of the Data Protection Act.

I am persuaded that this is a valid concern - However, I request the lawyers to expand their search further and review the security laws. Is it possible that the Security Laws (as amended over time) could have enhanced basic service (eg for voice) registration to include photos of the subscriber?

Such that in case there is a terror attack and the terrorists use voice communication (and not necessarily mobile money), one would still want to track them down using their mug-shot?

the lawyers can find out and tell us.

walu

On Thursday, March 17, 2022, 12:57:53 PM GMT+3, James Mbugua via KICTANet <kictanet@lists.kictanet.or.ke> wrote:

Mwendwa,

I agree with Mutindi we should isolate KYC issues with subscriber registration. That is the whole essence of purpose limitation. We cannot use banking regulations for subscribe registration. It is not to say that every mobile subscriber is automatically also an MPESA customer and that the information should be collected for use the day they decide to register for MPESA. In any case, it is also not to say that when they do register for mobile money, that they will not have to provide all the know-your-customer details including photographs.

My point is that SIM registration must be limited in data collection to what is necessary and adequate for its stated purposes, and not more personal information than necessary.

Mutindi,

I will be raising it with the ODPC thanks.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com>

On Wed, Mar 16, 2022 at 9:31 PM Mwendwa Kivuva via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

Since SIM card data is used by a large section of the population for mobile banking (Safaricom has 30 million mobile money customers) - and banking regulations require a photo ID, should the regulation be harmonised for all mobile money customers to provide their photo ID?

KICTANet had a Thought Leadership Forum with the ODPC, and the question of DPIA came up. I can't remember the response. The recording of the forum is available here https://youtu.be/Rmdvoc8Valo

On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

Listers,

I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA requires Data Minimisation where personal data collected should be:

"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019

This means that data that the controller does not really need to achieve a specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data.

I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com>

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jgmbugua%40gmail.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform. _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/missmutindi%40gmail.co...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

Interesting read sir. Regards *Ali Hussein* Fintech | Digital Transformation Tel: +254 713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/alihkassim <http://ke.linkedin.com/in/alihkassim> Any information of a personal nature expressed in this email are purely mine and do not necessarily reflect the official positions of the organizations that I work with. On Mon, Mar 21, 2022 at 8:56 PM Bitange Ndemo via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

*The role of cryptocurrencies in sub-Saharan Africa <https://www.brookings.edu/blog/africa-in-focus/2022/03/16/the-role-of-cryptocurrencies-in-sub-saharan-africa/>*

Ndemo

On Mon, Mar 21, 2022 at 1:03 PM Mwendwa Kivuva via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

...

Very rich debate this one.

I think this whole debate has been necessitated by this message from Safaricom

"Dear Customer, urgently visit an M-PESA Agent, Dealer or Safaricom Shop with original ID to update your SIM registration. Dial *106# for lines registered to you"

James / Kanini, I'm not calling for all sim card owners to provide more data. My question was, "should the regulation be harmonised for all mobile money customers to provide their photo ID?" For mobile money customers, not SIM card owners.

On Mon, 21 Mar 2022, 12:19 Mutindi Muema via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

...

@Walu, if i had time to spare i would dig in, but billable work is hogging my schedule right now. I can however add some direction for whoever has time to delve into this- we all looking forward to any findings:

Further to direction by Grace, Walu & Mutemi, it seems work needed along the lines of what the law says regarding:

1. requirements for SIM card registration - probably KICA both Act and Regs as well as any relevant guidelines issued by CA. Kanini Mutemi reproduced a segment of KICA earlier. some work to get any other relevant provisions. 2. @Walu it is also important that any directive for re-registration has been issued by CA - the same be reviewed. Yes CA has a mandate , content of any directions would also inform thai convo. 3. Requirements for mobile money registration/use are also relevant- from my understanding mobile money legal framework is the National Payment Systems ACt (NPSA)& Regs and relevant guidelines under that. Cursory review of Act, I do not remember seeing requirements for photo here last time I reviewed this (which a while back) someone with time on their hands can go through requirements as well. 4. Mobile banking regulatory framework- is different from mobile money framework. Mobile banking falls more within banking so Banking Act, prudential guidelines etc - we could actually have different requirements for registration of customers for mobile banking in law than requirements for registration of mobile money (NPSA) 5. Like Walu said - there is also need to review laws relating to ani-money laundering , terrorism fianncing etc to see requirements under those esp those that would relate to KYC as well as the deffinition of insitutions to which the obligations apply and if any distinction between application to businesses lines licensed under KICA (Sim card), NPSA (mobile money)versus licensees under Banking Act (mobile banking). 6. All the findings then need to be reconciled with provisions of the Data Protection Act & Regs now in force :

(i) from a data protection principle perspective but then also (ii) from a communications to data subject perspective- as evident in this thread, data subjects have questions around this and compliance is definitely impacted by clarity of comms to data subjects. This second point is particularly important for data protection compliance as communications helps with accountability and transparency with regards to what data controllers/ processors are actually doing with data subject data and why.

Kind regards, Mutindi Advocate & Certified Information Privacy Manager (CIPM)- International Association of Privacy Professionals (IAPP)

On Mon, Mar 21, 2022 at 11:44 AM Walubengo J via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

...

Interesting discourse.

I didnt know CA had a directive for SIM card re-registration but that's besides the point since its their mandate. The issues here is whether collecting photos of data subjects during registration is an overeach.

From reading various comments its seems we have CA regulations, Banking regulations and Data Protection Regulations coming into play. It looks like Listers agree that the stringent Banking Regulations (e.g KYC) may kick in for MPESA registration, but not necessarily for basic subscriber (eg voice) registration.

The argument seems to be whether the basic subscriber (SIM card) registration for say voice services, should be accompanied with digital photos since this may violate the data minimization principles of the Data Protection Act.

I am persuaded that this is a valid concern - However, I request the lawyers to expand their search further and review the security laws. Is it possible that the Security Laws (as amended over time) could have enhanced basic service (eg for voice) registration to include photos of the subscriber?

Such that in case there is a terror attack and the terrorists use voice communication (and not necessarily mobile money), one would still want to track them down using their mug-shot?

the lawyers can find out and tell us.

walu

On Thursday, March 17, 2022, 12:57:53 PM GMT+3, James Mbugua via KICTANet <kictanet@lists.kictanet.or.ke> wrote:

Mwendwa,

I agree with Mutindi we should isolate KYC issues with subscriber registration. That is the whole essence of purpose limitation. We cannot use banking regulations for subscribe registration. It is not to say that every mobile subscriber is automatically also an MPESA customer and that the information should be collected for use the day they decide to register for MPESA. In any case, it is also not to say that when they do register for mobile money, that they will not have to provide all the know-your-customer details including photographs.

My point is that SIM registration must be limited in data collection to what is necessary and adequate for its stated purposes, and not more personal information than necessary.

Mutindi,

I will be raising it with the ODPC thanks.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com>

On Wed, Mar 16, 2022 at 9:31 PM Mwendwa Kivuva via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

Since SIM card data is used by a large section of the population for mobile banking (Safaricom has 30 million mobile money customers) - and banking regulations require a photo ID, should the regulation be harmonised for all mobile money customers to provide their photo ID?

KICTANet had a Thought Leadership Forum with the ODPC, and the question of DPIA came up. I can't remember the response. The recording of the forum is available here https://youtu.be/Rmdvoc8Valo

On Wed, 16 Mar 2022, 16:04 James Mbugua via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

Listers,

I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA requires Data Minimisation where personal data collected should be:

"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019

This means that data that the controller does not really need to achieve a specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data.

I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com>

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jgmbugua%40gmail.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform. _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/missmutindi%40gmail.co...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/kivuva%40transworldafr...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/bndemo%40bitangendemo....

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

David, Listers, The only challenge I foresee with this petition is jurisdiction in the first instance. It was argued in the Huduma Number case by the Data Protection Commissioner, and upheld by the Court, that under the doctrine of exhaustion of administrative remedies, the matter ought to have been filed with the ODPC in the first instance. Justice Ngaah found that Yash Pal Ghai, the second petitioner in that case, was a natural person and a data subject who ought to have approached the ODPC first. Katiba Institute, being a non-natural person, had no standing before the ODPC and therefore was allowed to canvass its petition before the High Court. Being a High Court ruling, it is likely a preliminary objection challenging the jurisdiction of the court to hear the matter could be raised, and the same sent to the ODPC first for determination. Regards, JG Mbugua @jgmbugua <jgmbugua@gmail.com> Data Privacy Consultant/Tech Blogger On Tue, Apr 5, 2022 at 9:34 AM David Indeje via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

Dear Listers,

Attached is a petition filed in the public interest in defense of the Constitution of Kenya, challenging the Directive requiring people seeking to register as mobile phone subscribers.

*Kind Regards,*

*David Indeje *_____________________________________ +254 (0) 711 385 945 | +254 (0) 734 024 856 <https://www.linkedin.com/in/david-indeje/> _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jgmbugua%40gmail.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

Gobsmaked in deed 💯 The CA has finally stated today that kica SIM registration regs does not require photo of subscriber to be taken Full interview on Youtube here https://youtu.be/-SpW2rFhYxQ On Thu, 7 Apr 2022, 17:28 Ciiru K via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

Dear listers,

I am equally concerned by the overreach in this matter. For people who are outside Kenya, the list of requirements is obnoxious. Below are the requirements. - Mobile number - Passport page containing your bio details. - Passport page containing your visa. - Passport page containing the exit stamp from Kenya (full page including the dotted passport number) - Passport page containing the entry stamp in your current country of residence(full page including the dotted passport number) - Scanned copy of ID(both sides)

Why do they need all this information? Who will have access to it?

Yours truly gobsmacked. Liz

On Thu, Mar 17, 2022, 02:06 James Mbugua via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

...

Listers,

I am not sure if I am being paranoid but the SIM card re-registration order ostensibly by CA (Communications Authority) and which has mobile operators asking us to te-register our SIM cards by April or risk being deregistered, seems like regulatory overreach.

CA says under the SIM Registrations regulations of 2015, MNOs are required to update their registers with details including ID documents and photo IDs. The reason given, ostensibly, is that many had their SIM details registered before that law came into place.

Speaking of laws coming into operation, the Data Protection Act, itself came into effect in 2019. Significantly long after the said regulations.

In seeking to protect privacy and personal data, the DPA requires Data Minimisation where personal data collected should be:

"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);" Sec. 25(d) DPA, 2019

This means that data that the controller does not really need to achieve a specific purpose, should not be collected.

Biometric information such as Passport Photos that the Operators will take and store,for example, are in my opinion, surplus to requirements.

The identification of the subscriber can be done without collection of intrusive biometric data for example by using national IDs. CA explicitly asks that the operators verify details with the Integrated Personnel Registry System. so collection of biometric data to me is disproportionate and cannot meet the threshold of lawful basis.

Being the later law, and by the Huduma Number case precedent, the data minimisation provisions of the DPA, 2019 in my opinion hold primacy and in fact impliedly, repeal or render unlawful, the requirements for photo taking for SIM registration in the 2015 regulations.

2. Data Protection Impact Assessment.

Another question I would have for the CA, the Data Commissioner and mobile operators, is if, as per the precedent sent by Justice Ngaah in the Katiba Institute v. MoICT & others regarding the need for the conduct of a Data Processing Impact Assessment, has been carried out in this instance when CA proposes to have collected the data of more than 30 million subscribers including biometric data.

I think this is a plain case of flouting judicial guidance viz a viz when DPIAs should be carried out and CA should have had this carried out first before issuing the said directive.

Regards,

James G. Mbugua Data Privacy Consultant & Tech Policy Blogger @jgmbugua <jgmbugua@gmail.com>

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/lizwanjiru%40gmail.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/missmutindi%40gmail.co...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

On Fri, 8 Apr 2022, 19:20 Mutindi Muema via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

Gobsmaked in deed 💯

The CA has finally stated today that kica SIM registration regs does not require photo of subscriber to be taken

Full interview on Youtube here https://youtu.be/-SpW2rFhYxQ

Meaning then if you ever registered, you will not need to re-register. Because photograph was the only missing link that was never taken in previous initial registration

Good people, so what is the current position?. Asking from Addis and wondering since my sim card was already registered and when I dial *106# it verifies I am registered, do I need to re-register? Kind regards Lydia From: KICTANet <kictanet-bounces+l.gachungi=unesco.org@lists.kictanet.or.ke> On Behalf Of Mwendwa Kivuva via KICTANet Sent: 08 April 2022 21:07 To: Gachungi, Lydia <l.gachungi@unesco.org> Cc: Mwendwa Kivuva <Kivuva@transworldafrica.com> Subject: Re: [kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019 CAUTION: This email is external from UNESCO. Please be vigilant on its sender and content. ATTENTION : Cet e-mail est externe à l'UNESCO. Soyez vigilant sur son expéditeur et contenu. On Fri, 8 Apr 2022, 19:20 Mutindi Muema via KICTANet, <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> wrote: Gobsmaked in deed 💯 The CA has finally stated today that kica SIM registration regs does not require photo of subscriber to be taken Full interview on Youtube here https://youtu.be/-SpW2rFhYxQ Meaning then if you ever registered, you will not need to re-register. Because photograph was the only missing link that was never taken in previous initial registration

Well, i decided to join other Kenyans on the queue since Chiloba is a man of action. The lamentation is real. However the process did not even take a minute. Maybe the Telco operators should find a simpler way of conducting the exercise. Regards On Sat, 9 Apr 2022, 1:16 pm Alex Watila via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

total confusion

Chiloba clarifies order: 'Not all Kenyans need to register SIM card afresh'

https://nation.africa/kenya/news/chiloba-clarifies-order-not-all-kenyans-nee...

On Sat, 9 Apr 2022, 10:28 Gachungi, Lydia via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

...

Good people, so what is the current position?. Asking from Addis and wondering since my sim card was already registered and when I dial *106# it verifies I am registered, do I need to re-register?

Kind regards

Lydia

*From:* KICTANet <kictanet-bounces+l.gachungi= unesco.org@lists.kictanet.or.ke> *On Behalf Of *Mwendwa Kivuva via KICTANet *Sent:* 08 April 2022 21:07 *To:* Gachungi, Lydia <l.gachungi@unesco.org> *Cc:* Mwendwa Kivuva <Kivuva@transworldafrica.com> *Subject:* Re: [kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019

CAUTION: This email is external from UNESCO. Please be vigilant on its sender and content. ATTENTION : Cet e-mail est externe à l'UNESCO. Soyez vigilant sur son expéditeur et contenu.

On Fri, 8 Apr 2022, 19:20 Mutindi Muema via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

Gobsmaked in deed 💯

The CA has finally stated today that kica SIM registration regs does not require photo of subscriber to be taken

Full interview on Youtube here https://youtu.be/-SpW2rFhYxQ

Meaning then if you ever registered, you will not need to re-register. Because photograph was the only missing link that was never taken in previous initial registration _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/awatila%40gmail.com

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

_______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/otieno.barrack%40gmail...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

My (unsubstantiated) theory: Safaricom taking photos + signatures apparently as part of the registration process wasn't so much about compliance with the CA directive but more to do with splitting MPESA <https://www.standardmedia.co.ke/national/article/2001440612/safaricom-could-separate-m-pesa-from-its-mobile-and-data-business> out and the subsequent fintech/digital bank play. On Sat, Apr 9, 2022 at 9:31 PM Grace Githaiga via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

@Gachungi, Lydia <l.gachungi@unesco.org> you are safe. It has been clarified here in this article.

Not all Kenyans need to register SIM cards afresh, says Communications Authority CEO Ezra Chiloba <https://www.standardmedia.co.ke/national/article/2001442738/not-all-kenyans-need-to-register-sim-cards-afresh-communications-authority?fbclid=IwAR2x9nZ7wZkZu2cF27Cwqctm6mlWeGRBd5vZ-vjtbgTD-UEY-eIDeMCg10k>

Excerpts: Different reports gave contradicting information in regard to who is supposed to register his or her SIM card, with certain quarters claiming it’s the entire telecommunications market, while other quarters stating that only the unlisted customers should seek registration.

“The Communications Authority did not order the telecommunications companies to register all SIM card holders afresh,” Chiloba exclusively told *The Standard.*

*Chiloba said the telecommunications companies that asked all Kenyans to re-register their lines, were “overzealous”, saying: “That’s not what we asked them to do.”*

*The Director-General says the mobile service providers opted for a knee-jerk reaction after CA demanded that all the service providers must provide updated lists of all their registered customers by April 15, 2022.*

On Sat, Apr 9, 2022 at 12:19 AM Gachungi, Lydia via KICTANet < kictanet@lists.kictanet.or.ke> wrote:

...

Good people, so what is the current position?. Asking from Addis and wondering since my sim card was already registered and when I dial *106# it verifies I am registered, do I need to re-register?

Kind regards

Lydia

*From:* KICTANet <kictanet-bounces+l.gachungi= unesco.org@lists.kictanet.or.ke> *On Behalf Of *Mwendwa Kivuva via KICTANet *Sent:* 08 April 2022 21:07 *To:* Gachungi, Lydia <l.gachungi@unesco.org> *Cc:* Mwendwa Kivuva <Kivuva@transworldafrica.com> *Subject:* Re: [kictanet] SIM CARD REGISTRATION & DATA PROTECTION ACT, 2019

CAUTION: This email is external from UNESCO. Please be vigilant on its sender and content. ATTENTION : Cet e-mail est externe à l'UNESCO. Soyez vigilant sur son expéditeur et contenu.

On Fri, 8 Apr 2022, 19:20 Mutindi Muema via KICTANet, < kictanet@lists.kictanet.or.ke> wrote:

Gobsmaked in deed 💯

The CA has finally stated today that kica SIM registration regs does not require photo of subscriber to be taken

Full interview on Youtube here https://youtu.be/-SpW2rFhYxQ

Meaning then if you ever registered, you will not need to re-register. Because photograph was the only missing link that was never taken in previous initial registration _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/ggithaiga%40kictanet.o...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

-- Grace Githaiga KICTANet Convenor

KICTANet portals KICTANet.or.ke <https://kictanet.or.ke/> | Twitter <https://twitter.com/kictanet> | LinkedIn <https://www.linkedin.com/company/18428106/admin/> | Facebook <https://www.facebook.com/KICTANet/> _______________________________________________ KICTANet mailing list KICTANet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/josiah.mugambi%40gmail...

KICTANet is a multi-stakeholder Think Tank for people and institutions interested and involved in ICT policy and regulation. KICTANet is a catalyst for reform in the Information and Communication Technology sector. Its work is guided by four pillars of Policy Advocacy, Capacity Building, Research, and Stakeholder Engagement.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

KICTANet - The Power of Communities, is Kenya's premier ICT policy engagement platform.

-- Josiah Mugambi

Authority Extends SIM Card Registration Validation Exercise by Six (6) Months. [image: image.png] *Kind Regards,* *David Indeje *_____________________________________ +254 (0) 711 385 945 | +254 (0) 734 024 856 <https://www.linkedin.com/in/david-indeje/>