In a landmark ruling with far-reaching implications for digital privacy and the rule of law, the High Court of Kenya has struck down the government’s controversial plan to establish a centralized registry of International Mobile Equipment Identity (IMEI) numbers. The court ruled that the directive, spearheaded by the Communications Authority of Kenya (CA) and the Kenya Revenue Authority (KRA), was unconstitutional, lacked a legal foundation, and posed a serious threat to citizens’ privacy rights.
Court Finds No Legal Basis and Upholds Privacy Rights
Justice Chacha Mwita, in a judgment delivered on Friday, held that the proposed IMEI registration framework was “not based on any law” and contravened Articles 24 and 31 of the Constitution, which protect individuals from arbitrary limitations of rights and guarantee the right to privacy. Consequently, the court issued a prohibition order against the government, halting all plans to implement the IMEI registration regime.
Unlawful Executive Overreach
The directive, which emerged through public notices issued in October and November 2024, sought to require importers, manufacturers, retailers, and even travellers entering Kenya to declare IMEI numbers of mobile devices in their possession. Under the proposed system, only devices listed in a national whitelist database would be permitted to connect to Kenyan mobile networks, effectively shutting out all unregistered phones.
These notices, though regulatory in appearance, were never tabled before Parliament as required under the Statutory Instruments Act. The court emphasized that this amounted to an unconstitutional usurpation of Parliament’s law-making role, as enshrined in Article 94 of the Constitution. Justice Mwita found that the executive had unlawfully assumed legislative powers by seeking to introduce sweeping restrictions through administrative directives rather than statute.
Privacy and Surveillance Concerns
The petition, filed by the Katiba Institute and supported by the Law Society of Kenya and the Data Privacy and Governance Society, argued that the IMEI registration plan constituted an unjustifiable and disproportionate infringement of privacy rights. IMEI numbers, being unique identifiers tied to a device’s hardware, can be used to track a device’s physical location and link the user to their communication patterns. Privacy experts raised alarms that the mass collection of IMEI data, combined with subscriber information, would enable real-time surveillance of individuals without any form of judicial oversight or accountability. As Nora Mbagathi, Executive Director at Katiba Institute, noted, “This judgment is important in establishing that IMEI numbers can be personal data and countering the risk of pervasive surveillance through our devices.”
Failure to Conduct Required Public Participation and Impact Assessments
The petitioners further pointed to the government’s failure to undertake meaningful public participation as mandated by Article 10 of the Constitution. They also cited the absence of a data protection impact assessment, a mandatory requirement under Section 31 of the Data Protection Act where processing of personal data presents a high risk to individuals’ rights. Neither the CA nor KRA disclosed any such assessment, despite the proposal’s implications for millions of Kenyan mobile users. The court agreed that the failure to conduct this assessment was a grave omission, undermining the safeguards built into Kenya’s data protection framework.
Coercion and Violation of Consent Principles
Justice Mwita also faulted the proposed framework for failing to obtain genuine, informed consent from data subjects. Citizens were faced with a coercive binary: register their devices or lose access to mobile networks. Under Section 32 of the Data Protection Act, consent must be freely given, informed, and specific. A regime that conditions the enjoyment of essential services, like mobile connectivity, on surrendering personal data cannot be said to meet this standard. The court found this coercive design not only contrary to statute but also a violation of the dignity of the individual under Article 28 of the Constitution.
Disproportionate Impact on International Travellers
The judgment also highlighted the disproportionate impact the directive would have had on international travellers. Under the proposed plan, anyone entering Kenya with a mobile device would have been required to declare its IMEI number at the border—a measure the court found invasive, impractical, and devoid of any procedural safeguards. Critics argued that the requirement was unworkable and would have subjected visitors to arbitrary restrictions and undue scrutiny, all in the absence of a legal framework.
Rejection of Government’s Justifications
In rejecting the government’s justification that the plan was aimed at curbing tax evasion and counterfeit devices, the court noted that more proportionate means already exist. Globally, anti-counterfeit measures are typically enforced through anonymized blacklists targeting only stolen or non-compliant devices, without collecting personal information from every lawful user. The court found that the government had failed to demonstrate why such less intrusive alternatives were insufficient.
A Strong Judicial Message on Digital Rights
This judgment signals the judiciary’s readiness to rein in executive overreach, particularly where digital technologies are concerned. It affirms that data privacy is not merely a technical compliance issue but a constitutional imperative that cannot be sacrificed at the altar of administrative convenience or vague claims of national interest. Moreover, it clarifies that any policy affecting fundamental rights must be rooted in law, undergo rigorous impact assessments, and adhere to the principles of necessity, proportionality, and transparency.
As the digital space becomes increasingly entangled with governance, commerce, and daily life, this ruling sets an important precedent: technological innovation and state interests must not override the constitutional rights of individuals. The state must tread carefully, and lawfully, when it comes to handling personal data. The judgment serves as a critical reminder that even in the digital age, the Constitution remains the final safeguard against unchecked power.
