27 October, 2022 Fiona Makaka Data Protection Officer, Safaricom PLC, Safaricom House, Waiyaki Way, Westlands, P.O Box 66827-00800 Nairobi. CC: Stephen Kiptiness, Chief Corporate Affairs Officer, Safaricom PLC Nicholas Mulila, Chief Corporate Security Officer, Safaricom PLC Dear Ms. Makaka, Access Now is a global human rights organization with the mission to defend and extend human rights in the digital age. We fight for robust, rights-respecting, and people-centric data protection policies and frameworks. We are writing to you to raise the alarm over Safaricom’s breaches of privacy and data subject rights observed during your company’s participation in Kenya’s nationwide SIM registration exercise, between November 2021 and April 2022. In November 2021, Safaricom began sending your mobile service subscribers messages notifying them of a requirement to update their SIM card registration details. However, the messages did not specify what information was required, nor the law mandating that this information must be provided; the only instructions included were for people who subscribe to your services to visit Safaricom outlets with their identification documents to update their details. Eventually, your company informed people via direct social media messages that they were required to provide facial biometrics as part of this exercise. Your company alleged the basis for this request were new regulations from the Communications Authority of Kenya (CA) — the CA, however, clarified that facial biometrics were not required. SIM card registration in Kenya has been regulated by law since 2015, through Regulation 5 (1) of the Kenya Information and Communications (Registration of SIM-Cards) Regulations. This requires telecommunications operators to only collect mobile service subscribers’ names, gender, date of birth, physical address, postal address, and copies of their identification documents during registration. However, despite this, Safaricom misrepresented the law’s requirements to people who subscribe to your services on several occasions between November 2021 and April 2022, informing them that they were in fact required to provide facial biometrics in order to comply with SIM registration requirements, and warning that failure to do so would see your company disconnect their services. Collecting facial biometrics during this process is in clear violation of various laws, including: Nicholas Mulila, as Safaricom’s Chief Security Officer, you recently reiterated the company’s legal obligation to determine the level of risk that the processing of such sensitive personal data has on the rights and freedoms of data subjects. You said, “every time we begin a new process, system or product that involves the use of personal information, we conduct a Data Protection Impact Assessment to ensure the correct processes and controls are in place to keep personal information safe.” However, Safaricom has not informed the public whether it conducted such an impact assessment prior to the above-mentioned collection of biometric data. Your company has claimed that facial biometrics were only collected to enhance customers’ security in the face of cybercrimes — but such a justification has been debunked by leading human rights experts, including the United Nations High Commissioner for Human Rights, who has stated that using biometrics in fact exacerbates, rather than mitigates, the risk of identity theft. As a leading telecommunications service provider in Kenya, Safaricom has a responsibility to protect your subscribers’ privacy. Any breaches of privacy laws or of the company’s human rights obligations must be rectified immediately. To this end, we recommend you undertake the following: We welcome a public response to the serious issues raised in this letter, as a way to show your subscribers that you take their privacy seriously. We would greatly appreciate a formal response from Safaricom for publication by Tuesday 8 November, 2022. We will make this letter public on Friday 11 November. Kind regards, Jaimee Kokonya, Africa Campaigner, Access Now Bridget Andere, Africa Policy Analyst, Access Now Isedua Oribhabor, Business and Human Rights Lead, Access Now Re: Safaricom must delete all biometric data collected unlawfully during Kenya’s SIM card registration exercise
About us
Background
The problematic practice
Our recommendations and requests: