Skip to document content Go to main menu Go to search

Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Katiba Institute & another (Exparte); Immaculate Kasait, Data Commissioner (Interested Party) (Judicial Review Application E1138 of 2020) [2021] KEHC 122 (KLR) (Judicial Review) (14 October 2021) (Judgment)

Reported
Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Katiba Institute & another (Exparte); Immaculate Kasait, Data Commissioner (Interested Party) (Judicial Review Application E1138 of 2020) [2021] KEHC 122 (KLR) (Judicial Review) (14 October 2021) (Judgment)
Citation
Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Katiba Institute & another (Exparte); Immaculate Kasait, Data Commissioner (Interested Party) [2021] KEHC 122 (KLR)
Media Neutral Citation
[2021] KEHC 122 (KLR)
Court
High Court
Court station
High Court at Nairobi (Milimani Law Courts)
Outcome
Allowed
Case number
Judicial Review Application E1138 of 2020
Alternative citations
Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others Ex Parte Katiba Institute & another; Immaculate Kasait, Data Commissioner (Interested Party) [2021] eKLR
Judges
J Ngaah
Judgment date
14 October 2021
Language
English
Type
Judgment
Original source file
Download DOCX (61.9 KB)
Collections
Date published
21 October 2021
Case action
Judgment
Court division
Judicial Review
Filing county
Nairobi
Order
1. The order of certiorari is hereby issued to bring to into this honourable court and quash the respondents’ decision of 18 November 2020 to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019. 2. The order of mandamus is hereby issued compelling the respondents to conduct a data protection impact assessment in accordance with section 31 of the Data Protection Act, 2019 before processing of data and rolling out the Huduma Cards.
Skip to document content
Introduction and Background:
1.As its name suggests, the Statute Law (Miscellaneous Amendments) Act, No 18 of 2018 (which i will hereinafter refer to as ‘the Miscellaneous Amendments Act’) amended several Acts of Parliament for one reason or the other. Amongst the amended Acts was the Registration of Persons Act, cap 107. The nature of the amendment of this Act was described in the omnibus law as follows:“Insert the following new section immediately after section 9 –Establishment of the National Integrated Identity Management System9A.(1)There is established a National Integrated Identity Management System.(2)The functions of the system are –(a)to create, manage, maintain and operate a national population register as a single source of personal information of all Kenyan citizens and registered foreigners resident in Kenya;(b)to assign a unique national identification number to every person registered in the register;(c)to harmonise, incorporate and collate into the register, information from other databases in Government agencies relating to registration of persons;(d)to support the printing and distribution for collection all national identification cards, refugee cards, foreigner certificates, birth and death certificates, driving licenses, work permits, passport and foreign travel documentation, student identification cards issued under the Births and Deaths Registration Act. Basic Education Act, Registration of Persons Act, Refugees Act, Traffic Act and the Kenya Citizenship and Immigration Act and all other forms of government issued identification documentation as may be specified by gazette notice by the Cabinet Secretary;(e)to prescribe, in consultation with the various relevant issuing authorities, a format of identification document to capture the various forms of information contained in the identification documents in paragraph (d) for purposes of issuance of a single document where applicable;(f)to verify and authenticate information relating to the registration and identification of persons;(g)to collate information obtained under this Act and reproduce it as may be required, from time to time;(h)to ensure the preservation, protection and security of any information or data collected, obtained, maintained or stored in the register;(i)to correct errors in registration details, if so required by a person or on its own initiative to ensure that the information is accurate, complete, up to date and not misleading; and(j)to perform such other duties which are necessary or expedient for the discharge of functions under this Act.(3)The Principal Secretary shall be responsible for the administration, coordination and management of the system.
2.Generally speaking, the amendment introduced the National Integrated Identity Management System which is a new system of identification for both citizens of Kenya and foreigners registered as residing in this country. The reasons for the introduction of this system are in the nature of functions set out in the newly amended section and are, by and large, self-explanatory.
3.The amendment came into force on 18 January 2019 which, of course, is the same date that the Miscellaneous Amendments Act commenced.
4.Following this amendment, and more particularly in March 2019, the 1st and 2nd respondents embarked on a nationwide exercise of collection of personal and biometric data.
5.The amendment and its implementation were, however, challenged before this honourable court in constitutional petitions respectively filed as Petition Nos 56, 57 and 59 of 2019 by the Nubian Rights Forum, Kenya Human Rights Commission and the Kenya National Commission on Human Rights. The three petitions were consolidated and determined together by a three judge bench of this honourable court. The respondents in the present suit were amongst the seven respondents who were sued in those consolidated petitions.
6.In its decision rendered on 30 January 2020, the court ordered as follows:“I.A declaration that the collection of DNA and GPS co-ordinates for purposes of identification is intrusive and unnecessary, and to the extent that it is not authorised and specifically anchored in the empowering legislation, it is unconstitutional and a violation of article 31 of the Constitution.II.Consequently, in so far as section 5(1)(g) and 5(1) (ha) of the Registration of Persons Act requires the collection of GPS coordinates and DNA, the said sections are in conflict with article 31 of the Constitution and are to that extent unconstitutional, null and void.III.The respondents are at liberty to proceed with the implementation of the National Integrated Identity Management System (NIIMS) and to process and utilize the data collected in NIIMS, only on conditions that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable constitutional requirements identified in this judgment is first enacted.IV.Each party shall bear its own costs of the consolidated petitions.”
7.While the Nubian Rights Forum case was pending determination, Parliament enacted the Data Protection Act, No 24 of 2019 whose date of commencement was 25 November 2019.
8.In its preamble the Act is said to be:(a)“An Act of Parliament to give effect to article 31(c) and (d) of the Constitution; to establish the Office of the Data Protection Commissioner; to make provision for the regulation of the processing of personal data; to provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes.”
9.And its objects are set out in section 3 thereof; this section states as follows:The object and purpose of this Act is—(a)to regulate the processing of personal data;(b)to ensure that the processing of personal data of a data subject is guided by the principles set out in section 25;(c)to protect the privacy of individuals;(d)to establish the legal and institutional mechanism to protect personal data; and(e)to provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with this Act.
10.The court in the Nubian Rights Forum took judicial notice of this development and perhaps minding the impact this new Act had on the suit before it, the court directed that the processing of data collected pursuant to the amendment of the Registration of Persons Act should not be undertaken before the Data Protection Act is operationalised and a regulatory framework put in place. The regulatory framework was to, among other things, address the concerns raised in the suit on the individual’s constitutional right to privacy in view of the somewhat intrusive nature of the new identification system.
11.In a press statement made on 18 November 2020, the 2nd respondent announced the rollout of the identity card, commonly referred to as ‘Huduma Card’, that is issued to a data subject (who is defined in section 3 of the Data Processing Act as ‘an identified or identifiable natural person who is the subject of personal data’) apparently after the collection and processing of personal data of the data subject. The statement read in part:(a)“In line with the HE President Uhuru Kenyatta’s directive on Jamhuri Day, the long awaited Huduma Card is finally here. The card was launched today by Cabinet Secretaries Fred Matiang’i and Joe Mucheru in Kiambu and Machakos Counties, respectively.(b)This follows the fulfillment of the requisite requirements, including the recent appointment and swearing-in of the Data Commissioner, Ms Immaculate Kassait.(c)Todays’ milestone marks the beginning of a phased, nationwide rollout starting the 1st December, 2020.”
14.The applicants were aggrieved by the rollout or the launch of Huduma Card and so by a motion dated 24 November 2020 filed under articles 23(3)(f) and 47 of the Constitution; section 7 and 8 of the Fair Administrative Action Act, 2015; section 8 and 9 of the Law Reform Act; and order 53 of the Civil Procedure Rules, 2010 they have asked this honourable court for judicial review orders of certiorari, mandamus and prohibition all aimed at the rollout of Huduma Card. The prayers for these orders have been framed as follows:i. “(a) Prohibition restraining the respondents, their servants and agents from executing the decision of 18th November 2020 to roll out Huduma Cards before and without a data protection impact assessment per section 31 of the Data Protection Act, 2019.(b)Certiorari to bring to this court and to quash the decision of 18th November 2020 to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019.(c)Mandamus compelling the respondents to conduct a data protection impact assessment per section 31 of the Data Protection Act, 2019 before rolling-out the Huduma Cards.”
15.The 1st applicant has been described in the statement of facts as “a constitutional research, policy and litigation institute established to further implementation of Kenya’s 2010 Constitution and generally to seek the development of a culture of constitutionalism in Kenya.” It filed the application for, among other reasons, the interest of the public. The 2nd applicant has sued in “his own name as a registrant in NIIMS and a person whose personal data is in question”. In terms of section 3 of the Data Protection Act, he is a data subject.
16.In general terms, the applicants’ major bone of contention in this application is that the Huduma Card has been launched without a data impact assessment, contrary to the provisions of section 31 of the Data Protection Act and is also in defiance of the orders and direction of this honourable court in the Nubian Rights Forum case.
17.The application is opposed; to this end, the 1st respondent filed a replying affidavit; the 3rd respondent filed grounds of objection while the interested party filed a replying affidavit and a further affidavit. She also filed a notice of preliminary objection dated 5 March 2021. The 2nd respondent did not file any response.
18.Directions on the disposal of the applicant’s motion were taken on 27 January 2021 to the effect that the motion was to be disposed of by way of written submissions and, to that end, parties were to file and exchange their respective submissions within prescribed timelines. When the interested party subsequently filed her notice of preliminary objection to the hearing of the applicant’s application, the court directed that objection and the main motion shall be disposed of simultaneously; this was on 8 March 2021.
Interested Party’s Preliminary Objection:
19.The interested party’s preliminary objection is to the effect that there exists an alternative remedy in sections 56 and 64 of the Data Protection Act, 2019 and regulations 23(5) & (6) of the Data Protection (Civil Registration) Regulations, 2020 available to the applicants. Consequently, these proceedings contravene section 9(2) of the Fair Administrative Action Act, 2015 which provides that the high court shall not review an administrative action or decision under the Act unless the mechanisms including internal mechanisms for appeal or review and all remedies available under any other written law are first exhausted. The interested party’s position is that parties ought to have exhausted the available mechanisms for resolution of the instant dispute before invoking Judicial Review proceedings.
20.No doubt, the preliminary objection is questioning the jurisdiction of this honourable court to determine this suit. Paragraph 36 of the 1st interested party’s submissions casts away any doubt on the crux of the preliminary objection; it states as follows:(a)“…having failed to make the necessary application to this honourable court seeking exemption from exhausting the alternative dispute resolution mechanisms available to them, this honourable court lacks the jurisdiction to determine this application at this stage. We urge this honourable hourt to, at this stage, down its tools.”
21.As always, the question whether the court has the requisite authority to determine any particular matter is an issue that calls for the court’s immediate attention whenever it is raised. It has been explained that without such authority the cannot take any step further in the determination of the dispute before it. (see the Owners of the Motor Vessel Lilian "S" vs. Caltex Kenya Limited (1989) KLR).
22.The learned counsel for the interested party has made fairly lengthy arguments on this question of jurisdiction. He submits that section 9 (2) of the Fair Administrative Action Act bars this honourable court from reviewing an administrative decision unless the dispute resolution mechanism and remedies available under any other statute are first exhausted.
23.It is the counsel’s position that there are inbuilt resolution mechanisms within the Data Protection Act for resolution of the sort of dispute that has been presented before this honourable court. Counsel made reference to regulation 23 (5) & (6) of the Data Protection (Civil Registration) Regulations, 2020 which is to the effect that any data subject aggrieved by the manner in which their personal data is processed can lodge a complaint with the civil registration entity, which will investigate, make a determination on the complaint and inform the data subject on their right of appeal to the Data Commissioner.
24.As far as section 56 of Data Protection Act, 2019 is concerned, counsel urged that this provision of the law requires a data subject who is aggrieved by the decision of any person under the Act to lodge a complaint with the data commissioner. The Data Commissioner is, in turn, enjoined by the Act to investigate any complaint and make a determination within ninety days. This section goes further to prescribe various remedies in cases where there the Data Commissioner finds that there is a violation or threat of violation of the provisions of the Act.
25.Section 64 of the Act, on the other hand, provides that a person against whom any administrative action is taken by the Data Commissioner, including enforcement and notices, may appeal to this honourable court.
26.It is the interested party’s position that since the Act and the Regulations made thereunder not only provide for mechanisms for resolution of disputes but also prescribe remedies to address any violation or threat of violation of the Act, there is no need for this honourable court’s intervention.
27.Counsel for the interested party cited Republic vs National Environmental Management Authority[2011] eKLR where it was held that the availability of an alternative remedy was not, by itself, a bar to commencement of Judicial Review Proceeding because by their very nature, Judicial Review remedies are concerned with the process by which a decision is arrived and not the merits of the impugned decision. But where there is an alternative remedy, the applicant is bound to explain why he would prefer the order for judicial review.
28.In the instant case, the applicants failed to disclose the existence of an alternative dispute resolution mechanism and also failed to explain why that alternative remedy was not efficacious. Again, the applicants have failed to explain exceptional circumstances that would entitle them to sidestep the internal dispute resolution mechanisms and invoke the jurisdiction of a judicial review court instead.
29.The decisions in the National Assembly vs. Karume Civil Application No. Nai. 92 of 1992; Republic vs, Ministry of Interior and Coordination of National Government and Another ex parte ZTE Judicial Review Case No. 441 of 2013; Republic v Benjamin Jomo Washiali, Majority Chief Whip, National Assembly & 4 others Ex-parte Alfred Kiptoo Keter & 3 others[2018] eKLR, were also cited for the proposition that judicial review is a remedy of last resort though an applicant will not be required to adopt some other procedure if it is less convenient or less appropriate. That where there is an alternative remedy provided by an Act of Parliament which is as effective, the court ought to ensure that the dispute is resolved in accordance with the relevant statute.
30.The interested party submitted that the Data Protection Commissioner having assumed office on 16 November, 2020, before the present suit was filed, could easily have investigated, heard and determined any complaint, including the applicants’ complaint within the confines of the Data Protection Act, 2019. The learned counsel for the interested party urged this honourable court “to exercise restraint in interfering with such statutory dispute resolution mechanisms as those set out in sections 56 and 64 of the Act, so as to facilitate administrative autonomy and institutional capacity building of novel statutory bodies such as the Office of the Data Protection Commissioner.”
31.In response to the interested party’s submissions, Mr. Ochiel, the learned counsel for the applicants invoked article 23 of the Constitution cited Mark Ndumia Ndung’u v Nairobi Bottlers Ltd & another[2018] eKLR and Dawda K Jawara v Gambia ACmHPR 147/95-149/96 and urged that remedies for violation of rights including the right to fair administrative action must be appropriate. The respondents, according to the learned counsel, bear the burden of proving that an alternative remedy is adequate and that where the availability of a remedy is not evident, it cannot be invoked to the detriment of a petitioner.
32.Again, the case of Republic v Zacharia Kahuthu & another (Sued as Trustees and on Behalf of and as Officials of the Kenya Evangelical Lutheran Church) v Johaness Kutuk Ole Meliyio & 2 others[2020] eKLR was cited in the same breath that where an internal remedy would not be effective or where its pursuit would be futile, a court may permit a litigant to approach the court directly. So too where an internal appellate tribunal has developed a rigid policy which renders exhaustion futile.
33.The applicants admitted that the suit was filed after the interested party had assumed office but that she did not produce any evidence “that she had a desk, an address, or working space or was able to handle or receive complaints within 48 hours of her appointment into a newly created office.”
34.The interested party is said to have adopted a rigid policy and a complaint to her would be rendered futile. Again, the interested party was incapable of determining whether the respondents had violated the order made in the Nubian Rights Forum case. In any event, like the respondents, the interested party’s interpretation of section 31 of the Act is contrary to the applicants’ own interpretation of this provision of the law.
35.The applicants’ counsel also urged that the 1st applicant is not a data subject and therefore lacks standing under regulation 23(5) and (6) and its only avenue is article 22 of the Constitution. Nonetheless, according to section 9(3) of the Fair Administrative Action Act, this honourable court can direct an applicant to first exhaust an alternative remedy before instituting proceedings; including by referring the issue to that forum. The remedy would, however, be unsuitable to the present case.
36.Section 56 and 64 of the Data Protection Act which the interested party has invoked read as follows:56. (1) A data subject who is aggrieved by a decision of any person under this Act may lodge a complaint with the Data Commissioner in accordance with this Act.(2)A person who intends to lodge a complaint under this Act shall do so orally or in writing.(3)Where a complaint made under sub clause (1) is made orally, the Data Commissioner shall cause the complaint to be recorded in writing and the complaint shall be dealt with in accordance with such procedures as the Data Commissioner may prescribe.(4)A complaint lodged under sub clause (1) shall contain such particulars as the Data Commissioner may prescribe.(5)A complaint made to the Data Commissioner shall be investigated and concluded within ninety days.64.A person against whom any administrative action is taken by the Data Commissioner, including in enforcement and penalty notices, may appeal to the High Court.
37.Of course the interested party has also invoked the regulation on the procedure on determination of complaints but before delving into those procedures it is necessary that we consider the parent law.
38.As I understand the applicants, they do not dispute the fact that there are alternative dispute resolution mechanisms in place under the Data Protection Act. Their problem with those mechanisms is that first, at the time of filing suit, the Data Commissioner did not have the necessary physical infrastructure to handle their dispute; she neither had a physical address nor office facilities necessary to enable her undertake the tasks imposed upon her by the law.
39.The second limb of the applicant’s answer to the preliminary objection is that the 1st applicant is not data subject and therefore the option of the alternative dispute resolution is not open to it.
40.Third, the applicants urge that as much as there is an alternative resolution mechanism open, at least to the 2nd applicant, that option is not as efficacious and convenient as a court remedy or remedies would be. Furthermore, the Data Commissioner has no capacity to determine the questions presented before court and that it is only this honourable court that can give proper guidance on such questions.
41.Last but not least, while the alternative dispute mechanism may be open to the 2nd applicant who is recognised as a data subject under the Act, no such mechanism is open to such parties as the 1st applicant.
42.It is apparent from section 56 of the Act that indeed a mechanism for internal dispute resolution has been provided to a data subject who is aggrieved by a decision of any person under the Act. Such person may lodge a complaint with the Data Commissioner. The form the complaint takes, the manner in which it may be lodged and procedure for the resolution of the complaint are all matters that have been catered for in sections 56 and 57 of the Act.
43.Whether there is a remedy alternative to judicial review, which is equally convenient, beneficial and effective is one of the factors that a judicial review court would consider in exercising its discretion to grant or not to grant orders for judicial review. The alternative remedy may take one of several forms but one with which were are concerned at the moment is the right of appeal which, in my humble view, is the right encapsulated in section 56 (1) of the Act. I say so because, according to that section, it is only where one is aggrieved by a decision made under the Act, that he may lodge a complaint to the Data Commissioner. The complaint in this context would be an appeal against the decision by which the subject data is aggrieved.
44.Cases now abound for the that position that where there is an alternative remedy and parliament has prescribed a particular form of procedure for resolution of a complaint that procedure ought to be followed.
45.In R vs Peterkin, ex parte Soni (1972) Imm AR 253 Lord Widgery CJ held as follows:“Where parliament has provided a form of appeal which is equally convenient in the sense that the appellate tribunal can deal with the injustice of which the complaint complains this court should in my judgment as a rule allow the appellate machinery to take its course. The prerogative orders form the general residual jurisdiction of this Court whereby the court supervises the work of inferior tribunals and seeks to correct injustice where no other adequate remedy exists, but both authority and common sense seem to me to demand that the court should not allow its jurisdiction under the prerogative orders to be used merely as an alternative form of appeal when and adequate jurisdiction exists elsewhere.”
46.Section 9(2) of the Fair Administrative Action Act goes a step further to imply that in fact, where there exist internal mechanisms for resolution of the dispute which, inevitably, would yield an alternative remedy, it is no longer a matter of the court’s discretion to entertain, let alone grant, an application for judicial review. In that event, the court will not review the administrative action until the internal mechanism has been exhausted.
47.Due to its import in the disposal of the question at hand, it is necessary that I reproduce the entire section here; it reads as follows:
9.Procedure for judicial review.(1)Subject to subsection (2), a person who is aggrieved by an administrative action may, without unreasonable delay, apply for judicial review of any administrative action to the High Court or to aarticle 22(3) of the Constitution}}.(2)The High Court or a subordinate court under subsection (1) shall not review an administrative action or decision under this Act unless the mechanisms including internal mechanisms for appeal or review and all remedies available under any other written law are first exhausted.(3)The High Court or a subordinate court shall, if it is not satisfied that the remedies referred to in subsection (2) have been exhausted, direct that applicant shall first exhaust such remedy before instituting proceedings under sub-section (1).(4)Notwithstanding subsection (3), the High Court or a subordinate court may, in exceptional circumstances and on application by the applicant, exempt such person from the obligation to exhaust any remedy if the court considers such exemption to be in the interest of justice.(5)A person aggrieved by an order made in the exercise of the judicial review jurisdiction of the High Court may appeal to the Court of Appeal.
48.The mechanism set up in sections 56 and 57 of the Act would, in my humble view, qualify as one of those “internal mechanisms for appeal or review and all remedies available under any other written law” which the legislature had in mind in section 9 (2) of the Fair Administrative Action Act and which have to be exhausted in any particular case before one invokes the jurisdiction of a judicial view court.
49.Now, it could be true, as the applicants have contended, that they had what, in their respectable view, sufficient reasons not to lodge their respective complaints with the Data Commissioner but instead chose to come directly to this honourable court. For reasons that will become apparent in due course, the 1st applicant may have a point here but not the 2nd applicant.
50.The internal mechanism under the Data Protection Act is available only to data subject of which the 1st applicant is not. As earlier noted, the 1st applicant is “a constitutional research, policy and litigation institute established to further implementation of Kenya’s 2010 Constitution and generally to seek the development of a culture of constitutionalism in Kenya.” Not being a data subject, the burden upon the 1st applicant was to demonstrate how it is affected by a decision by any person under the Act. This then takes us to the question whether the 1st applicant has standing or ‘sufficient interest’ to lodge the present application.
51.Halsbury’s Law of England, Judicial Review Vol 61 (2010) 5th Edition at paragraph 656, speaks of ‘sufficient interest’ in the following terms:(a)'Sufficient interest' is not defined, but it is in practice a broad, flexible concept. What is a 'sufficient interest' is a mixed question of fact and law. The determination of any issue as to whether the claimant has a sufficient interest to bring the challenge in question will depend on consideration of the relationship between the claimant and the matter to which the claim relates, having regard to all the circumstances of the case. In appropriate cases, the court may also have regard to broader concerns, including the merits of the challenge, the importance of enforcing the law, the importance of the issue raised, the presence or absence of any other person with sufficient interest, the nature of the unlawful conduct alleged and the role of the claimant in relation to the issues under consideration. In recent years, the rules on standing in judicial review claims have been considerably relaxed. Individuals have been recognised as having standing not only where their rights or interests are affected but in a broad range of situations where in some way they are affected by a decision. A public spirited citizen raising a serious issue of public importance may be recognised as possessing standing. The courts have increasingly recognised that a wide range of pressure groups have standing to bring challenges in matter which concern their areas of interest or expertise. (Emphasis added).
52.The 1st applicant falls into any of these categories; it may not be ‘a public spirited citizen raising a serious issue of public importance’ but it is, for all intents and purposes, a public spirited entity raising an issue of public interest. It can also be recognised as a pressure group in the ‘implementation of Kenya’s 2010 Constitution and generally to seek the development of a culture of constitutionalism in Kenya’.
53.In IRC v National Federation of Self-Employed and Small Businesses Ltd [1981] 2 All ER 93 at 107, Lord Diplock acknowledged the role of pressure groups in pursuit of the rule of law and, for that reason, why they should be given leeway to engage the courts in matters of public interest. In that case which the applicants cited in R vs Secretary of State For Foreign Affairs ex parte Word Development Movement Ltd (1995) 1 All ER 611 at p.618, the learned judge said:“It would, in my view, be a grave lacuna in our system of public law if a pressure group, like the federation, or even a single public spirited taxpayer, were prevented by outdated technical rules of locus standi from bringing the matter to the attention of the court to vindicate the rule of law and get the unlawful conduct stopped. The Attorney General, although he occasionally applies for prerogative orders against public authorities that do not form part of central government, in practice never does so against government departments. It is not, in my view, a sufficient answer to say that judicial review of the actions of officers or departments of central government is unnecessary because they are accountable to Parliament for the way in which they carry out their functions. They are accountable to Parliament for what they do so far as regards efficiency and policy, and of that Parliament is the only judge; they are responsible to a court of justice for the lawfulness of what they do, and of that the court is the only judge.”
54.In the Word Development Movement Ltd case, the applicant was a renowned pressure group and it was described in the judgment in the following terms:“The affidavit of Mr Jackson, the applicants' campaign co-ordinator, describes the applicant company. It is a non-partisan pressure group, over 20 years old and limited by guarantee. It has an associated charity which receives financial support from all the main United Kingdom development charities, the churches, the European Community and a range of other trusts. About 60% of its total income comes from members and supporters. The council of the applicants has cross-political party membership, and, indeed, historically, a Member of Parliament from each of the three main political parties has sat on the council. There are 7,000 full voting members throughout the United Kingdom with a total supporter base of some 13,000. There are 200 local groups whose supporters actively campaign through letter-writing, lobbying and other democratic means to improve the quantity and quality of British aid to other countries. It conducts research and analysis in relation to aid. It is a founder member of the Independent Group on British Aid, which brings academics and campaigners together. It has pressed the British government, the European Union, the banks and other businesses for better trade access for developing countries. It is in regular contact with the ODA and has regular meetings with the minister of that department, and it makes written and oral submissions to a range of select committees in both Houses of Parliament. It has run all-party campaigns against aid cuts in 1987 and 1992.Internationally, it has official consultative status with UNESCO and has promoted international conferences. It has brought together development groups within the OECD. It tends to attract citizens of the United Kingdom concerned about the role of the United Kingdom government in relation to the development of countries abroad and the relief of poverty abroad.Its supporters have a direct interest in ensuring that funds furnished by the United Kingdom are used for genuine purposes, and it seeks to ensure that disbursement of aid budgets is made where that aid is most needed. It seeks, by this application, to represent the interests of people in developing countries who might benefit from funds which otherwise might go elsewhere.”
55.In that case, the applicant applied for judicial review of two decisions of the Secretary of State for Foreign Affairs in relation to aid to fund the Pergau dam in Malaysia. Earlier, in 1994 there were proceedings in public before the House of Commons Public Accounts Committee and the Foreign Affairs Committee which led the applicants' solicitors to seek an assurance from the Secretary of State that no further funds would be furnished. On 29 April 1994 the Foreign Secretary refused to give such an assurance. The refusal triggered the application.
56.By the notice of motion, the applicants sought to have both decisions quashed and an order preventing further payments from being made.
57.One of the issues that arose in the course of the hearing before the Divisional court was whether the applicants had standing to make the application.
58.While allowing the application, Rose LJ held that where standing is questioned in circumstances such as the applicant found itself in, the merits of the challenge are an important, if not dominant, factor when considering standing. The learned judge quoted Professor Sir William Wade's words in Administrative Law (7th edn, 1994) p 712 that:'... the real question is whether the applicant can show some substantial default or abuse, and not whether his personal rights or interests are involved.'
59.Amongst other factors that influenced the decision of the court was the importance of vindicating the rule of law, as Lord Diplock emphasised in IRC v National Federation of Self-Employed and Small Businesses Ltd [1981] 2 All ER 93 at 107, [1982] AC 617 at 644; the importance of the issue raised; the likely absence of any other responsible challenger; and the nature of the breach of duty against which relief is sought. All these factors, noted the learned judge, pointed to the conclusion that the applicants had a sufficient interest in the matter to which the application related.
60.While referring to a similar case that had been decided earlier, the learned judge noted further that:“It seems pertinent to add this, that if the Divisional Court in Ex p Rees-Mogg eight years after Ex p Argyll Group was able to accept that the applicant in that case had standing in the light of his 'sincere concern for constitutional issues', a fortiori, it seems to me that the present applicants, with their national and international expertise and interest in promoting and protecting aid to underdeveloped nations, should have stand-in in the present application.”
61.I would say the same of the 1st applicant. It is true, as the interested party submitted, the 1st applicant lacked standing to lodge a complaint to the Data Commissioner under section 56 of the Data Protection Act, but it certainly had the necessary locus to lodge these proceedings because of sufficiency of interest.
62.The 2nd applicant’s position is shaky; for reasons that have been given earlier in this judgment, he was bound to comply and follow the prescribed procedure set out in in the Act. He might have had good reasons to avoid those procedures but I suppose it is of that reason that section 9(4) of the Fair Administrative Action Act provides a window for exemption from following the internal mechanisms but only after the applicant moves the court and seeks for such exemption. It is worth reproducing this subsection here for emphasis; it reads as follows:(4) Notwithstanding subsection (3), the High Court or a subordinate court may, in exceptional circumstances and on application by the applicant, exempt such person from the obligation to exhaust any remedy if the court considers such exemption to be in the interest of justice.
63.The reasons given by the applicant for sidestepping the internal dispute resolution mechanisms put in place could only have been considered in the context of the application for exemption; needless to say, it was not open to the applicants, or any of them, to decide unilaterally that the 2nd applicant need not comply with section 56 of the Data Protection Act and section 9(2) of the Fair Administrative Action Act but instead directly invoke the jurisdiction of this honourable court to determine his complaint.
64.In short, the 2nd applicant’s application is misconceived and, for this reason, I would sustain the interested party’s objection against the 2nd applicant’s application. The objection is, however, overruled with respect to the 1st applicant’s application. For the reasons I have given, I am satisfied that the 1st applicant has properly invoked the judicial review jurisdiction of this honourable court and therefore its application is tenable and deserves to be considered on its own merits.
The 1st applicant’s case:
65.By and large, the applicant’s application is pegged on what, in the applicant’s view is the respondents’ non-compliance with section 31 of the Data Protection Act and for this reason it calls for a deeper attention by this honourable court. The section is relatively lengthy but owing to its import in the determination of this application, it is necessary that I reproduce it here; it states as follows:31. (1)Where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment.(2)A data protection impact assessment shall include the following —(a)a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;(b)an assessment of the necessity and proportionality of the processing operations in relation to the purposes;(c)an assessment of the risks to the rights and freedoms of data subjects;(d)the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights, and legitimate interests of data subjects and other persons concerned.(3)The data controller or data processor shall consult the Data Commissioner prior to the processing if a data protection impact assessment prepared under this section indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject.(4)For the purposes of this section, a "data protection impact assessment" means an assessment of the impact of the envisaged processing operations on the protection of personal data.(5)The data impact assessment reports shall be submitted sixty days prior to the processing of data.(6)The Data Commissioner shall set out guidelines for carrying out an impact assessment under this section.
66.The applicant’s case is that the by launcourt in the Nubian Rights Forum case. I gather from the judgment of this latter case that the order in issue was order no. III which stated thus:“III. The respondents are at liberty to proceed with the implementation of the National Integrated Identity Management System (NIIMS) and to process and utilize the data collected in NIIMS, only on conditions that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable constitutional requirements identified in this judgment is first enacted.”
67.The applicant’s argument, as I understand it, is that this particular order is consistent with section 31 of the Data Protection Act since both point to the requirement that a data impact assessment ought to be conducted before the processing of personal data and embarking on such activities as rolling out or launching of the Huduma Card. Thus, the nature of the violations by the respondents is simply that they processed data and launched the Huduma card without first complying with this condition precedent.
68.One of the arguments that have arisen in the submissions from the parties is whether section 31 of the Data Protection Act is applicable to the data collected under the NIIMS. According to the applicant, it is not just section 31 of the Act that applies; the respondents’ actions in collection and processing of data are subject to the entire Data Protection Act and therefore any decision made or action taken outside any of the provisions of the Act would be ultra vires the Act.
69.In support of its arguments, the 1st applicant cited the Nubian Rights Forum case and urged as follows:“In Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties) [2020] eKLR the Respondents submitted and this court held at para 852 that the Data Protection Act, 2019 “applies to the data collected” under NIIMS. The court asserted:(1) ‘since one of the objectives of the Act is the regulation of the processing of personal data ... whose definition includes biometric data collected by NIIMS, it is our finding that it also applies to the data collected under the impugned amendments’
70.Accordingly, the applicant urged that the respondents are estopped, by issue estoppel, from arguing that the Data Protection Act, 2019 does not apply to the data collected under NIIMS. On this question of issue estoppel, counsel for the applicant cited the case of Linmerx Holdings Limited & another v Mercy Nduta Keng’ara t/a Mwangi Keng’ara & Co Adv & 6 others [2016] eKLR at para 7 in which North West Water Ltd v Binnie & Partners [1990] 3 All ER 547) was cited with approval; in this latter decision it had been held:“Where an issue had been decided in a court of competent jurisdiction, the court would not allow that issue to be raised in a separate proceeding between the different parties arising out of identical facts and dependent on the same evidence since, not only was the party seeking to re-litigate the issue prevented from doing so, by issue estoppel but it would also be an abuse of process to all, the issue to be re-litigated.”
71.According to the applicant, the question whether the Data Protection Act, in particular section 31 thereof is applicable to the respondents’ actions is fait accompli.
72.The applicant has urged, in the alternative, that even if the question of the application of the Data Protection Act was still open for debate, the court would still find that the Act was meant to apply retrospectively to all data collected under NIIMS.
73.According to the applicant, the Data Protection Act is a normative derivative of article 31 of the Constitution and that the rights to privacy protected under article 31 were guaranteed the moment the Constitution was promulgated. The rights are conferred by the Constitution and not by Data Protection Act; this Act only provides the structure of the implementation of the rights. On this point, counsel for the applicant urged that lack of a legislative framework to elaborate on a right can never be a legitimate reason why the duty bearer should not undertake reasonable steps to ensure that the right is fully facilitated. In this regard counsel cited Nairobi Law Monthly Company Limited v Kenya Electricity Generating Company & 2 others [2013] eKLR where it was held that lack of legislation cannot be a reason to suspend the implementation of a constitutional right.
74.It was also urged that failure to conduct Data Protection Impact Assessment would amount to continuing violation of the law and the Constitution and that the only remedy in these circumstances would be to comply with the Act and conduct the requisite impact assessment.
75.It was also submitted that there is no legal bar to the retroactive application of the Data Protection Act and in this regard counsel relied on Samuel Kamau Macharia and Another v Kenya Commercial Bank Ltd and 2 Others [2012] eKLR, where the Supreme Court addressed the question of retrospective application of a statute in the following terms:“As for non-criminal legislation, the general rule is that all statutes other than those which are merely declaratory or which relate only to matters of procedure or evidence are prima facie prospective, and retrospective is not to be given to them unless, by express words or necessary implication, it appears that this was the intention of the legislature. (Halsbury’s Laws of England, 4th Edition Vol. 44 at p.570). A retroactive law is not unconstitutional unless it: (i) is like a bill of attainder; (ii) impairs the obligation under contracts; (iii) divests vested rights; or (iv) is constitutionally forbidden”
76.It was submitted further on behalf of the applicant that since this honourable court found in Nubian Rights Forum case that one of the objects of the Data Protection Act is to regulate the processing of personal data and which, by definition, includes biometric data collected by NIIMS, the intention of the Act was that the Act would apply to the processing of data collected under NIIMS. And on this question of legislative intent counsel cited the Court of Appeal decision in Commissioner of Income Tax v Pan African Paper Mills (E.A) Limited (2018) eKLR where it was held:“Whether or not legislation operates retrospectively depends on the intention of the enacting body as manifested by the legislation. In seeking to ascertain the intention behind the legislation the courts are guided by certain rules of construction. One of these rules is that if the legislation affects substantive rights it will not be construed to have a retrospective operation unless a clear intention to that effect is manifested; whereas if it affects procedure only, prima facie it operates retrospectively unless there is a good reason to the contrary. But in the last resort, it is the intention behind the legislation which has to be ascertained and a rule of construction is only one of the factors to which regard must be had to ascertain that intention.”
77.Again, the court’s record showed that in Nubian Rights Forum, the respondents filed the Data Protection Bill in court as a response to the claim that there was no legislation on data protection; this in itself showed that they were in agreement that the intention of the Act was to apply retrospectively. Thus, the court’s order of 30 January 2020 would apply retrospectively to such a time as when the respondents began to collect or process data under NIIMS. On this point counsel relied on Mary Wambui Munene v Peter Gichuki King’ara & 2 others (2014) eKLR where the Supreme Court held that judicial decisions have retrospective effect because the wrong being remedied occurred before the case was instituted.
78.It was ironical, so urged the applicant’s counsel, that the interested party would rely on the provisions of the Data Protection Act to contest the sustainability of the applicants’ suit and at the same time argue that the Act was not applicable to the suit.
The Respondents’ and the Interested Party’s Case:
79.In response to this question of the applicability of section 31 of the Act, the respondents and the interested party urged that it is not in dispute that the respondents rolled out the mass collection of personal data under the National Integrated Identity Management System sometimes in March, 2019. It is further not in dispute that the Data Protection Act, 2019 was enacted by Parliament and assented to by the President on 8 November, 2019 and that commencement date of the said Act was 25 November, 2019. That being case, it was urged that at the commencement date of the Data Protection Act, 2019, the mass collection of personal data under NIIMS had already been completed.
80.While it is true that section 31 of the Act requires a Data Protection Impact Assessment to be carried out where processing of personal data is likely to result in high risk to rights and freedoms of the data subject, at the time personal data under NIIMs was being collected, a Data Protection Impact Assessment was not a requirement prior to the processing of the personal data. Rather section 31 of the Act imposes a new duty or obligation on the respondents after the collection of personal data under NIIMS had already been completed.
81.The interested party therefore urged that the fact that section 31 of the Act imposes a new duty or obligation that was not there before and during the collection of personal data under NIIMS means that the same cannot apply retrospectively. Counsel for the interested party relied on the Supreme Court decision in SK Macharia & another v Kenya Commercial Bank Limited & Others, SCK Application No 2 of 2011 where the Supreme Court stated that a retroactive law is not unconstitutional unless it inter-alia impairs obligations under contracts, divests rights or is constitutionally forbidden. The court noted that a statute which takes away or impairs vested rights acquired under existing laws, or creates new obligations or imposes a new duty in respect of transaction already past must be presumed to be intended not to have retrospective operation. The case of Municipality of Mombasa v Nyali Limited (1963) EA was also cited in support of the same point.
82.It was also urged that there is no provision under the Act that expressly provides that the said Act should apply retrospectively and, in any event, the applicants did not demonstrate that it was the intention of Parliament that section 31 of the said Act should apply retrospectively.
83.Finally, the interested party contested the applicants’ line of argument that it is the interested party’s case that that Act does not apply to the applicants’ suit. It was urged that the interested party’s case was that as at the time the personal data under NIIMS was being collected, section 31 of the Act did not apply.
Analysis and Determinations:
84.If the interested party’s argument is that save for section 31 of the Data Protection Act, the rest of the Act would apply to the applicant’s suit then I am unable to understand her argument against retrospective application of the Act. Following the interested party’s argument has not been that easy; it is, at best, confusing.Sample this.
85 .The interested party argues that it is not true, as suggested by the applicants, that the entire Act does not apply to the applicants’ suit and that it is only section 31 of the Act that does not apply retrospectively. To quote the learned counsel’s submission on this point, he said as follows:“48. It is quite unfortunate that the ex parte applicants are attempting to mislead this honourable court in their submissions by alleging that the interested party "contends that the Act does not apply to this dispute". This is indeed not the case. What the interested party has averred to is the fact that as at the time the personal data under NIIMS was being collected,section 31 of the Act did not apply.
86.But again he argues, apparently against the retrospective application of the entire Act, and states:“46. There is no provision under the Act that expressly provides that the said Act should apply retrospectively. Further, the ex-parte applicants have not demonstrated that it was the intention of Parliament for section 31 of the said Act to apply retrospectively.”
87.This to me appears to be a clear case of approbate and reprobate; on the one hand, the interested party is approving that the Act is retrospective but, on the other hand, she is saying that it is not and that it only applies from the date of commencement. This the interested party cannot do; she is bound to elect and pursue either of the two alternatives; it is either the Act applies retrospectively or it does not.
88.But the interested party’s argument in support of the preliminary objection in which she sought to have the applicants held to account on compliance with certain provisions of the Data Protection Act, in particular, sections 56 and 64 of the Act and the Regulations made thereunder would betray her stance against the retrospective application of the Act. It certainly cannot be the case, and indeed no authority has been presented to this honourable court to support the argument that the Act is severable or is severable to such an extent that only certain provisions that are favourable to the interested party’s case are retrospective but those against it are not.
89.Something about the rule against retrospectivity in legislation.
90.In an article titled “The Rule Against Retroactive Legislation: A Basic Principle of Jurisprudence” published in the 1936 Minnesota Law Review. 1258, Elmer E. Smead traces the rule against retroactive legislation in ancient Greece in a case of Timokrates and the Athenian Ambassadors. There the Ambassadors had withheld money owed to the city-state, and were condemned to repay twice the amount. Timokrates succeeded in securing the enactment of a law to relieve the Ambassadors of this penalty, but as a consequence of the efforts of Demosthenes, the law was held to be invalid because it was retroactive.
91.This was the rule which the English common law later declared applicable as a guide to the construction of statutes. It was a rule that was in opposition to construing a statute so as to make it apply to cases arising prior to the enactment of the statute or acts from a time anterior to passage.
92.It was, however, acknowledged that as much as the courts viewed this rule as a guide in interpretation of statutes, Parliament could, if it so desired, pass a statute to apply to a past time. Thus, this principle in the English common law meant that the courts, in the exercise of their function of interpreting the law in cases which came before them, viewed themselves as bound by the rule of construction that no law should be given an operation from a time prior to its enactment unless Parliament had expressly provided that it should have such an effect (See Gillmore vs Shooter (1678) 2 Mod Rep 310) or unless the words of the Act could have no meaning except by the application to this past time. (See Blackstone Comm. 46).
93.This point was taken by the House of Lords in Wilson & others vs Secretary of State for Trade and Industry (2003) UKHL 40 where Lord Scott of Foscote stated at paragraph 153 of the judgment as follows:“It is, of course, open to parliament, if it chooses to do so, to enact legislation which alters the mutual rights and obligations of citizens arising out of events which predate the enactment. But in general Parliament does not choose to do so for the reason that to legislate so as to alter the legal consequences of events that have already taken place is likely to produce unfair or unjust results. Unfairness or injustice may be produced if persons who have acquired rights in consequence of past events are deprived of those rights by subsequent legislation; or it may be produced if persons are subjected on account of those past events to liabilities that they were not previously subject to. There is, therefore, a common law presumption that a statute is not intended to have a retrospective effect. This presumption is part of a broader presumption that Parliament does not intend a statute to have an unfair or unjust effect (see Maxwell on Statutes, 12th edition p 215 and Bennion's Statutory Interpretation, 4th edition pp 265-266 and 689-690). The presumption can be rebutted if it sufficiently clearly appears that it was indeed the intention of Parliament to produce the result in question. The presumption is no more than a starting point.
94.The exact words of Maxwell on the Interpretation of Statutes, 12th Edition (1969), at page 215 which the learned judge made reference to are as follows:"Upon the presumption that the legislature does not intend what is unjust rests the leaning against giving certain statutes a retrospective operation. They are construed as operating only in cases or on facts which come into existence after the statutes were passed unless a retrospective effect is clearly intended. It is a fundamental rule of English law that no statute shall be construed to have a retrospective operation unless such a construction appears very clearly in the terms of the Act, or arises by necessary and distinct implication."
95.It is therefore beyond doubt that legislation can be retrospective in its application only that such an intention has to be either apparent from the statute in question or can be implied, as a matter of necessity.
96.The question posed in the instant suit is whether the Data Protection Act and in particular, section 31 was intended to have retrospective effect. This question can be answered adequately when one considers the circumstances surrounding the enactment of the Data Protection Act. The most obvious and certainly crucial background is that it was enacted against the backdrop of article 31 of the Constitution; as matter of fact, it is clearly indicated in the Act itself that it is meant to give effect to article 31 of the Constitution. That article reads as follows:31.Every person has the right to privacy, which includes the right not to have—(b)their person, home or property searched;(c)their possessions seized;(d)information relating to their family or private affairs unnecessarily required or revealed; or(e)the privacy of their communications infringed.
97.It is apparent from the preamble of the Act that it is created to give effect to the right to privacy guaranteed under part (c) and (d) of this Article of the Constitution; for the sake of emphasis, it is worth reproducing the preamble here again; its states as follows:“An Act of Parliament to give effect to article 31(c) and (d) of the Constitution; to establish the Office of the Data Protection Commissioner; to make provision for the regulation of the processing of personal data; to provide for the rights of data subjects and obligations of data controllers and processors; and for connected purposes.”
98.Section 3 of the Act, on the object and purpose of the Act, sheds more light on how the right to privacy is to be protected; the section has been produced earlier in this judgment but again it deserves to be reproduced here; it reads as follows:3.The object and purpose of this Act is—(a)to regulate the processing of personal data;(b)to ensure that the processing of personal data of a data subject is guided by the principles set out in section 25;(c)to protect the privacy of individuals;(d)to establish the legal and institutional mechanism to protect personal data; and(e)to provide data subjects with rights and remedies to protect their personal data from processing that is not in accordance with this Act.
99.Reading the preamble to the Act together with section 3 thereof on the Act’s object and purpose, it is clear that the Act was intended to be retrospective to such an extent or to such a time as to cover any action taken by the state or any other entity or person that may be deemed to affect, in one way or the other, the right to privacy under article 31(c) and (d) of the Constitution.
100.Needless to say, the need to protect the constitutional right to privacy did not arise with the enactment of the Data Protection Act; the right accrued from the moment the Constitution was promulgated. It would be unreasonable, in these circumstances, to argue, as the 1st interested party suggests, that the obligation to protect the individual rights under article 31 of the Constitution is a new obligation or duty imposed on the state only when the Data Protection Act came into force and that for this reason, section 31 of the Data Protection Act cannot be said to be retrospective.
101.There should not be any doubt that the amendments introduced in section 9 of the Registration of Persons Act cap 107 and the events that followed pursuant to these amendments, more particularly the nationwide collection of personal and biometric data in March 2019, would in some way impact on the right to privacy under article 31 of the Constitution. It is because of such likely impact that section 3 of the Data Protection Act states, in clear and unambiguous terms, that the Act is intended to regulate the processing of such personal data; that the processing of personal data of a data subject is guided by certain principles whose import is to protect an individual’s right to privacy; that the Act is intended to protect the individual’s personal data and, that the Act is also intended to provide data subjects with rights and remedies whenever their right to privacy is infringed.
102.Owing to the likely impact of the amendments to section 9 of the Registration of Persons Act and the exercise of collection and processing of personal data on the individual’s right to privacy, it would have been prudent, if not for anything else, for good order, for the state to ensure that the legal framework for protection of the right to privacy was in place before taking action likely to infringe the individual’s right under article 31.
103.To be precise, considering the object and purpose of the Data Protection Act, and more importantly, considering that the Act is intended to give effect to article 31 (c) and (d) of the Constitution, it would have stood to reason to have this Act in place before the purported amendment to section 9 of the Registration of Persons Act and before the collection and processing of personal data.
104.But since the state chose to put the cart before the horse, so to speak, it has to live with the reality there now exists legislation against which its actions must be weighed irrespective of when they were taken as long as those actions touch on the individual’s right under article 31 of the Constitution. To put it straight, there is no other scale upon which to weigh the actions of the state to collect and process personal data except that provided by the Data Protection Act, at least to the extent that it is an Act meant to put into effect the constitutional right to privacy under article 31 of the Constitution.
105.There was the argument there is a presumption against retrospective legislation in that it ousts vested rights and imposes new obligations and duties; to quote the learned counsel for the interested party:“It is therefore our submission that the fact that Section 31 of the Act imposes a new duty and/or obligation that was not there before and during the collection of personal data under NIIMS means that the same cannot apply retrospectively.”
106.To this argument I would reiterate that there was always the duty on the part of the state to ensure that Bill of Rights under Chapter IV of the Constitution, including the right to privacy under article 31 of the Act is respected and protected. Section 31 of the Act does not impose any more obligation or duty on the state than that which the state or the respondents, for that matter, have hitherto had to bear.
107.If anything, it is the individual’s constitutional rights and which, for all intents and purposes, are vested rights, that were under threat by the excesses of the state in collecting and processing data without prior legal framework to ensure that even as the state embraces a new system of identification, the right to privacy is protected. This is the more reason why section 31 of the Data Protection Act appeals to me to be retrospective in its application. It is more of a bulwark against the excesses of the state than a tool imposing new obligations or duties on the state.
108.In this regard, I would adopt the words of Lord Mustill in L’Office Chefrien v Yamashita-Shinnihon Steamship Co Ltd (1994) 1 AC 486 at page525F- where he noted:"Precisely how the single question of fairness will be answered in respect of a particular statute will depend on the interaction of several factors, each of them capable of varying from case to case. Thus, the degree to which the statute has retrospective effect is not a constant. Nor is the value of the rights which the statute affects, or the extent to which that value is diminished or extinguished by the retrospective effect of the statute. Again, the unfairness of adversely affecting the rights, and hence the degree of unlikelihood that this is what Parliament intended, will vary from case to case. So also will the clarity of the language used by Parliament, and the light shed on it by consideration of the circumstances in which the legislation was enacted. All these factors must be weighed together to provide a direct answer to the question whether the consequences of reading the statute with the suggested degree of retrospectivity are so unfair that the words used by parliament cannot have been intended to mean what they might appear to say."
109.Staughton LJ was of similar view in Secretary of State for Social Security v Tunnicliffe [1991] 2 All ER 712, 724f –g where he noted:"that Parliament is presumed not to have intended to alter the law applicable to past events and transactions in a manner which is unfair to those concerned in them, unless a contrary intention appears. It is not simply a question of classifying an enactment as retrospective or not retrospective. Rather it may well be a matter of degree - the greater the unfairness, the more it is to be expected that Parliament will make it clear if that is intended."
110.The question would be, where does fairness lie in terms of protection of the individual right to privacy? Is it in retrospective application of section 31 of the Data Protection Act or in the rule against such application? I would stand with the individual or the citizen against the might of the state and hold that fairness is in interpreting section 31 as being retrospective in its application.
111.Aside from my interpretation of the law on why section 31 of the Data Protection Act must be taken to have retrospective effect, there is the judgment of this honourable court in the Nubian Rights Forum Case and here, I need not say anything more than reproduce what the court said on the extent of the application of the Data Protection Act; at paragraph 852 of its judgment which the learned counsel for the applicant referred me to, the court noted as follows:“852. While we find that the Data Protection Act has included most of the applicable data protection principles, we noted that the Registration of Persons Act is not one of the Acts to which the Data Protection Act applies as part of the consequential amendments. This notwithstanding, since one of the objectives of the Act is the regulation of the processing of personal data, whose definition as we have already found includes biometric data collected by NIIMS, it is our finding that it also applies to the data collected pursuant to the impugned amendments.”
112.It was never suggested that this judgment has been overturned or challenged. The finding that the collection and processing of personal data in March 2019 is subject to the Data Protection Act still stands and here, I would agree with counsel for the applicants that the interested party and the respondents are estopped from denying that they are bound by that judgment, being judgment in rem.
113.In the final analysis I am satisfied that the 1st applicant has made out a case against the respondents for the judicial review orders of certiorari and mandamus mainly on the ground of illegality. This ground of judicial review was explained by Lord Diplock in Council of Civil Service Unions versus Minister for the Civil Service [1985] AC 374,410 where he stated as follows:“My Lords, I see no reason why simply because a decision-making power is derived from a common law and not a statutory source, it should for that reason only be immune from judicial review. Judicial review has I think developed to a stage today when without reiterating any analysis of the steps by which the development has come about, one can conveniently classify under three heads the grounds upon which administrative action is subject to control by judicial review. The first ground I would call “illegality,” the second “irrationality” and the third “procedural impropriety.” That is not to say that further development on a case by case basis may not in course of time add further grounds. I have in mind particularly the possible adoption in the future of the principle of “proportionality” which is recognised in the administrative law of several of our fellow members of the European Economic Community; but to dispose of the instant case the three already well-established heads that I have mentioned will suffice.By “illegality” as a ground for judicial review I mean that the decision-maker must understand correctly the law that regulates his decision-making power and must give effect to it. Whether he has or not is par excellence a justiciable question to be decided, in the event of dispute, by those persons, the judges, by whom the judicial power of the state is exercisable. (Emphasis added).
114.The respondents, in my humble, have not appreciated the import and the extent of the application of the Data Protection Act, with respect to collection and processing of data collected under the National Integrated Identity Management System. If they did, they would have given effect to section 31 of the Data Protection Act and conducted a data impact assessment before processing personal data and rolling out the Huduma Cards.
115.Talking of the National Integrated Identity Management System, it is grounded, as earlier noted in section 9A of the Registration of Persons Act which in turn came about as a result of Miscellaneous Amendments Act, No 18 of 2018.
116.It is as a result of the amendment that the 1st two respondents embarked on a nationwide collection of personal data; in other words, section 9A, the newly introduced provision of the law in the Registration of Persons Act was the legal basis of the nationwide exercise to collect data.
117.Lest we forget, Miscellaneous Amendments Act, No 18 of 2018 was nullified in by a three judge bench of this honourable court in Petition No 284 of 2020, Speaker of the Senate & 5 Others v The Speaker of the National Assembly & another, amongst other laws that were purportedly enacted by the National Assembly without involving the Senate contrary to the Constitution. The bench, which I was privileged to preside over, held inter alia as follows:(i)''A declaration be and is hereby issued that the underlisted Acts passed by the National Assembly are in contravention of articles 96, 109, 110, 111, 112 and 113 of the Constitution and are therefore unconstitutional thus null and void;i. The Public Trustee (Amendment) Act, No 6 of the 2018ii. The Building Surveyors Act, 2018, No 19 of 2018iii. The Computer Misuse and Cybercrime, Act, No 5 of 2018iv. The Statute Law (Miscellaneous Amendment Act), No 4 of 2018v. The Kenya Coast Guard Service Act No 11 of 2018vi. The Tax Laws (Amendments) Act, No 9 of 2018vii. The Statute Law (Miscellaneous Amendments) Act, No 18 of 2018viii. The Supplementary Appropriation Act, No 2 of 2018;ix. The Equalization Fund Appropriation Act No 3 of 2018x. The Sacco Societies (Amendment) Act, 2018 No 16 of 2018xi. The Finance Act, No 10 of 2018xii. The Appropriations Act, No 7 of 2018xiii. The Capital Markets (Amendments) Act, No 15 of 2018xiv. The National Youth Service Act No 17 of 2018xv. The Supplementary Appropriations Act, No 13 of 2018xvi. The Health Laws (Amendment)Act, No of 5 of 2019xvii. The Sports (Amendment) Act, No 7 of 2019xviii. The National Government Constituency Development Fund Act, 2015xix. The National Cohesion and Integration (Amendment) Act, 2019xx. The Statute law (Miscellaneous Amendment) Act, 2019xxi. The Supplementary Appropriation Act, No 9 of 2019xxii. The Appropriations Act, 2019xxiii. The Insurance (Amendment) Act, 2019''(Emphasis added)
118.I am aware that the respondents filed an appeal against this decision but I am not so certain about the current status of the appeal. Assuming the appeal is pending for determination, could the respondents proceed and act on the Statute Law (Miscellaneous Amendments) Act, No 18 of 2018 as if it is valid? Again, assuming the decision of this honourable court in Petition No 284 of 2020, Speaker of the Senate v The Speaker of the National Assembly & another is upheld by the Court of Appeal, what would be the effect of sustaining the decision on any action taken on the basis of the Statute Law (Miscellaneous Amendments) Act, No 18 of 2018 including the amendment to the Registration of Persons Act and entire exercise of collection and processing of data? These questions are certainly not before court but I only ask them because the applicants made reference to the decision in Petition No 284 of 2020 in their submissions. I shudder to think all these efforts including the efforts put in these proceedings, could be rendered of no legal consequence in the future.
Conclusion:
119.Regardless of what the future portends for the appeal against this honourable court’s decision in Petition No 284 of 2020, the 1st applicant in the motion dated 24 November 2020 merits the orders of certiorari and mandamus. To be precise, and for the avoidance of doubt, I hereby order as follows:1.The order of certiorari is hereby issued to bring to into this honourable court and quash the respondents’ decision of 18 November 2020 to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019.2.The order of mandamus is hereby issued compelling the respondents to conduct a data protection impact assessment in accordance with section 31 of the Data Protection Act, 2019 before processing of data and rolling out the Huduma Cards.
120.It has been a while since the rollout or the launch of the Huduma Card and it is not clear whether it is still on or has been concluded; it would be speculative to allow prayer (a) for the Order of Prohibition in these circumstances. In any event, having granted prayers (b) and (c) prayer (a) is as good as moot.
121.Owing to the fact that this suit of substantial public interest, I will not make any order on costs. It is so ordered.
Signed, dated and delivered on 14 October 2021Ngaah JairusJUDGE
▲ To the top