Open letter: Safaricom must delete all biometric data collected unlawfully during Kenya’s SIM card registration exercise

27 October, 2022

Fiona Makaka 

Data Protection Officer, Safaricom PLC,

Safaricom House,

Waiyaki Way, Westlands,

P.O Box 66827-00800 Nairobi.

CC:

Stephen Kiptiness, Chief Corporate Affairs Officer, Safaricom PLC

Nicholas Mulila, Chief Corporate Security Officer, Safaricom PLC

Re: Safaricom must delete all biometric data collected unlawfully during Kenya’s SIM card registration exercise

Dear Ms. Makaka,

About us 

Access Now is a global human rights organization with the mission to defend and extend human rights in the digital age. We fight for robust, rights-respecting, and people-centric data protection policies and frameworks. 

We are writing to you to raise the alarm over Safaricom’s breaches of privacy and data subject rights observed during your company’s participation in Kenya’s nationwide SIM registration exercise, between November 2021 and April 2022. 

Background

In November 2021, Safaricom began sending your mobile service subscribers messages notifying them of a requirement to update their SIM card registration details. However, the messages did not specify what information was required, nor the law mandating that this information must be provided; the only instructions included were for people who subscribe to your services to visit Safaricom outlets with their identification documents to update their details. Eventually, your company informed people via direct social media messages that they were required to provide facial biometrics as part of this exercise. Your company alleged the basis for this request was new regulations from the Communications Authority of Kenya (CA) — the CA, however, clarified that facial biometrics were not required.

The problematic practice

SIM card registration in Kenya has been regulated by law since 2015, through Regulation 5 (1) of the Kenya Information and Communications (Registration of SIM-Cards) Regulations. This requires telecommunications operators to only collect mobile service subscribers’ names, gender, date of birth, physical address, postal address, and copies of their identification documents during registration.

However, despite this, Safaricom misrepresented the law’s requirements to people who subscribe to your services on several occasions between November 2021 and April 2022, informing them that they were in fact required to provide facial biometrics in order to comply with SIM registration requirements, and warning that failure to do so would see your company disconnect their services.

Collecting facial biometrics during this process is in clear violation of various laws, including:

Nicholas Mulila, as Safaricom’s Chief Security Officer, you recently reiterated the company’s legal obligation to determine the level of risk that the processing of such sensitive personal data has on the rights and freedoms of data subjects. You said, “every time we begin a new process, system or product that involves the use of personal information, we conduct a Data Protection Impact Assessment to ensure the correct processes and controls are in place to keep personal information safe.” However, Safaricom has not informed the public whether it conducted such an impact assessment prior to the above-mentioned collection of biometric data. Your company has claimed that facial biometrics were only collected to enhance customers’ security in the face of cybercrimes — but such a justification has been debunked by leading human rights experts, including the United Nations High Commissioner for Human Rights, who has stated that using biometrics in fact exacerbates, rather than mitigates, the risk of identity theft.

Our recommendations and requests: 

As a leading telecommunications service provider in Kenya, Safaricom has a responsibility to protect your subscribers’ privacy. Any breaches of privacy laws or of the company’s human rights obligations must be rectified immediately. To this end, we recommend you undertake the following:

  • Delete all facial biometrics data collected illegally during the SIM re-registration exercise carried out between August 2021 and April 2022, and notify affected subscribers that their data has been deleted;
  • Commission, and publish, independent transparency reporting on the Data Protection Impact Assessment carried out prior to the collection of facial biometrics in adherence to Section 31 (2) of the Data Protection Act, 2019; and
  • Commit to better data processing practices that adhere to the data protection principles as set out in Section 25 of the Data Protection Act, 2019 and respect for the rights of data subjects. 

We welcome a public response to the serious issues raised in this letter, as a way to show your subscribers that you take their privacy seriously. We would greatly appreciate a formal response from Safaricom for publication by Tuesday 8 November, 2022. We will make this letter public on Friday 11 November.

Kind regards,

Jaimee Kokonya, Africa Campaigner, Access Now

Bridget Andere, Africa Policy Analyst, Access Now

Isedua Oribhabor, Business and Human Rights Lead, Access Now