CCK trashes telecom users’ privacy with new spying rules

Telecommunications industry regulator, Communications Commission of Kenya (CCK), is set to acquire a new set of powers that will give it unfettered access to private or confidential information on consumers without a court order.

The powers, which are contained in a new set of regulations that has been prepared for publication in the Kenya Gazette, allow the CCK or its agents the leeway to obtain information or data held by telecoms operators.

“A licensee shall grant the Authority’s officers access to its systems, premises, facilities, files , records and other data to enable the Authority inspect such systems, premises, facilities, files, records and other data for compliance with the ACT  and these regulations,” state the proposed regulations.

They open yet another avenue through which the government will eat into the citizens’ rights provided in the Constitution. Consumer rights activists said the regulations are particularly in breach of people’s right to privacy as provided for in the Constitution.

Article 31 of the Constitution guarantees citizens’ right to privacy, including the right not to have the privacy of their communications infringed upon.

The CCK said it has relied on Article 35 of the Constitution to formulate the new rules.

“In this respect, Section 93 of the Kenya Information and Communications Act, 1998 provides for the manner in which such information is to be applied. The said section provides that access to information and restrictions on disclosure of information held by the Authority shall be implemented pursuant to Article 35 of the Constitution. It is noteworthy that the said Article binds all State organs and persons,” said the CCK in response to questions on the subject.

Article 35 grants citizens the right to access information held by the State or by another person and is required for the exercise and protection of any rights or fundamental freedom.

A recent court decision on the exercise of the rights granted under Article 35, however, expressly excludes companies or agencies such as the CCK from accessing information held by another person or organisation.

The High Court ruled in the Nairobi Law Monthly versus KenGen case that only a human person (not a company or agency) can access information held by others as provided for under Article 35.

The CCK’s quest for unfettered access to telecoms services consumers’ data comes at a time when the world is grappling with the dilemma of balancing the right to privacy in the wake of security threats associated with terrorist groups such as Al-Shabaab and Al-Qaeda.

The US government was last year thrown into a legal and diplomatic crisis following revelations by a former national security contractor Edward Snowden that its secret agencies routinely spied on and recorded telephone conversations of ordinary people and prominent world leaders such as German Chancellor Angela Markel.

The Obama government has since acted swiftly to restore public confidence in its commitment to the protection of personal liberties even in the face of rising security threats – a matter that does not seem to bother the formulators of the new CCK regulations.

The regulations are contained in the Kenya Information and Communications (Registration of subscribers of telecommunication services) Regulation, 2014, and are derived from the controversial Kenya Information and Communication Amendment Act (Kica) 2013 that was gazetted on January 10 and is set to come into force this Friday.

KICA 2013 removed all safeguards for citizens’ privacy by deleting Section 93 of the law that defined how the regulator or government agencies accessed information on citizens and replaced it with reference to access of information in accordance with Article 35 of the Constitution.

The new regulations only restrict telecom operators and their agents from disclosing registration particulars of subscribers but are silent on disclosure by staff or manner of access to private information by government agencies.

The mobile operators led by Safaricom and Airtel now want the State to fast track the Data Protection Bill, which addresses the loopholes that KICA 2013 has opened.

Although the Constitution envisages limitations to the right to privacy, Article 24 states that any such limitation is only permissible by virtue of an Act of Parliament and within the threshold set by the Constitution – and potentially rendering the new regulations null and void.

Kenya’s four telecoms operators said they were not consulted when Section 93 was deleted and are therefore not aware of the reasons behind it.

“No information with respect to any particular business which has been obtained under or the virtue of this Act (KICA 1998), and relates to particular business, shall during the lifetime of that individual or so long as that business continues to be carried on shall be disclosed by the commission or by any other person without the consent of that individual or person for the time being carrying that business,” read the deleted section.

The deletion and subsequent failure to capture this in the new regulations open a window for a possible abuse of information obtained by authorities.

“The old Act provided safeguards for customer information requiring that it be treated as confidential and private. This provision has now been removed,” Shivan Bhargava, Airtel’s managing director, said.

The CCK has defended its position, saying that there are sufficient legal and constitutional safeguards in respect of handling the information obtained pursuant to the regulations.

However, Francis Wangusi, the CCK director general, said that the new regulations were discussed based on the old Act, but they will be implemented based on the new Act.

“These regulations are pursuant to the new Act and that is why the Authority will promulgate them and not the ministry,” said Mr Wangusi.

In the new Act the Section 93 referred to by the CCK has been deleted.

“In respect of access to sites and records, the new regulations simply provide for the power to access telecom sites for purposes of inspection for compliance expressly in the law hence making this a new provision in the regulations,” said the CCK. 

It noted that the same provision exists in the licence conditions issued to telecom firms. 

“We still believe that enactment of specific legislation that covers data protection, as contemplated by the Constitution, would significantly give clarity to the issues of confidentiality in record keeping by various organisations including mobile operators,” Bob Collymore, Safaricom’s CEO, said, a statement that was echoed by Mickael Ghossein of Orange and Mr Bhargava.

The mobile operators are also concerned about lack of a single point of reference in respect to access of information, especially where different arms of the government or agencies could be seeking information about a particular person. 

The mobile firms, however, said they would adhere to the Constitution to protect their clients’ information.