Now the taxman is targeting M-Pesa. What next?

So the Kenya Revenue Authority (KRA) intends to access merchant and individual user M-Pesa accounts in order to estimate the income profiles of their owners.

The tax collector, which has failed to meet its revenue collection targets, has come up with creative ideas on how to close the gap.

KRA can cross-check this information with the income tax returns already filed, and at the touch of a button, will be able to deduce who may or may not be cheating on their tax returns.

The intention is to ensure that everyone makes his or her rightful contribution to the national kitty by surrendering the right amount of tax.  This is clearly a good strategy, but the question is why it has not been tried elsewhere before.

The simple answer revolves around the difference between data custodians and data owners.  The data that mobile operators hold on their servers does not belong to them; they simply hold it in trust on behalf of their subscribers.

DREADED DISEASE

So the data custodians have no right to use it beyond the original purpose for which it was collected.  That’s why mobile operators won’t tell you where your spouse disappeared to over the weekend, even though they can reconstruct a trail from information on their servers.

It is the same reason banks cannot tell your landlord that your salary indeed landed last week, even though you are claiming otherwise. 

It is the very same reason hospitals cannot tell your employer that you are suffering from that dreaded disease, even as they deliberate on whether or not to give you a coveted promotion.

All these institutions understand that the information they hold about their clients does not belong to them and can therefore only be shared to third parties upon request through court orders.

In other words, personally identifiable information can only be shared upon review by a judicial entity that can determine if at all the greater public good merits breaching a citizen’s right to privacy.

Nothing, indeed, can be of greater public good than paying taxes. At face value, the KRA’s intended move seems to be quite positive and timely. After all, it is only those with something to hide, who should have a problem.

WHOM YOU CALL

But hang on. How far can this go, or at what point exactly should this stop?

Today it will be the KRA asking the mobile operator to tell them about how big your monthly shopping or fuel bill is, or how high your school fees is, given that you pay all these through mobile money. After all, this is all in the good name of estimating your income profile for tax purposes.

Tomorrow it will be the National Intelligence Service (NIS) agents asking your mobile operator to tell them whom you called, how often you call them and for how long.

Next, they will want to harvest a sample of the text messages you have been sharing on your buddy list over the last six months. All this is done in the good name of compiling your social profile in order to enhance our collective national security.

In mature economies and democracies, these contentious conversations were had twenty years ago and resolved under the data protection principles, often legislated as the Data Protection Act.

This Act prescribes what data custodians can or cannot do with your data. It outlines under which circumstances third parties such as KRA or NIS can access citizen data while stating penalties for violations.

Unfortunately or fortunately, we live in a not-so-mature democracy, what others may want to call the third world - where anything and everything goes.

Because of that, your personal data may already have reached KRA and other interested third parties. Unless and until we enact the Data Protection Act, we are heading onto a very slippery path when it comes to citizen privacy concerns.

Mr Walubengo is a lecturer at the Multimedia University of Kenya, Faculty of Computing and IT. Email: [email protected], Twitter: @jwalu