The Court of Appeal has dismissed a plea by the government to continue issuing Huduma Namba cards without conducting impact assessment on data protection.
A three-judge bench comprising justices Agnes Murgor, Mbogholi Msagha and Imana Ldaibuta ruled that the government was already complying with the High Court orders.
According to the judges, there was nothing in the orders issued by Justice Jairus Ngaah last year to suspend. They agreed with the respondents – Katiba Institute and Yash Pal Ghai – that the State had moved to the court too late in the day.
“We agree with the respondents, and are persuaded, that the circumstances of the case before us do not call for stay of the order of mandamus as sought. To grant such orders would be in vain, as no orders of the kind sought can arrest the doing or undo what has already been done,” the bench, headed by Justice Murgor, ruled.
The High Court had found that government violated law when it first rolled out the cards without conducting data protection impact assessment.
Justice Jairus Ngaah found that the rollout in November 2020 was against the law on data protection, rendering the cards invalid.
Huduma Namba was rolled out in 2020. The first recipients of the new cards were President Uhuru Kenyatta and First Lady Margaret Kenyatta.
However, blunders by government officials have put the whole project on a guillotine and consequently pushed Sh10.6 billion taxpayers’ money to a bottomless pit.
The government has twice been on a receiving end over the same project. Earlier, a three-judge bench - Justice Ngaah, Anthony Ndung’u and Teresiah Matheka - invalidated 23 laws enacted by National Assembly without consultation with the Senate. This included Data Protection Act.
Following the verdict by the three judges, Justice Ngaah faulted the government for collecting and processing data based on the invalidated Act. “The order of certiorari (review) is hereby issued to bring into this honourable court and to quash the respondent’s decision of November 18, 2020, to roll out Huduma Card for being ultra vires Section 31 of the Data Protection Act, 2019,” ruled Justice Ngaah.
Data Protection Commissioner Immaculate Kassait was appointed on November 6, last year, to head the new office. Two days later, a case landed on her desk over the data collected by government, the aggrieved being Prof Ghai-led lobby, Katiba Institute. The grievance was that the government did not provide a guarantee against theft or misuse of Kenyans’ personal information. At the same time, they questioned its failure to register Kenyans afresh and conduct data protection impact assessment, a requirement provided by the Data Protection Act.
In court, the human rights body argued that the government put the horse before the cart.
According to Katiba, the government ought to have enacted a data protection law first, then amend the Registration of Persons Act before rolling out the Huduma Namba exercise. Justice Ngaah agreed with the lobby group.
In an irony of fate, the government enacted Data Protection Act in hope to sanitise the exercise that gobbled Sh10.6 billion. However, the same law took the state back to square one.
The judge was of the view that if the state was serious in protecting Kenyan’s data, it would have also done data protection assessment before rolling out the cards. “An order of mandamus (compelling order) is issued to the respondent to conduct a data protection impact assessment in accordance with the Data Protection Act before processing of data and rolling out Huduma cards,” he ordered.
In the case, Kassait, Attorney General Kihara Kariuki mounted objections arguing that Katiba Institute did not own any data, thus could not be an aggrieved person.
Since its inception, Huduma Namba has faced three onslaughts. The first case was filed by Nubian community, which challenged the government’s use of the Registration of Persons Act to collect data. It also raised doubts on how secure National Integrated Informational Management System is.
Nubians also contested lack of public participation and collection of DNA and GPRS location.
The court cleared the government on the condition that it would enact a data protection law. It, however, barred it from collecting DNA and GPRS location after finding that was too intrusive.
Justices Mumbi Ngugi, Pauline Nyamweya and Weldon Korir ruled there was no to guarantee on data protection.
The judges proposed the introduction of an amendment through a miscellaneous amendment Bill but cautioned this would limit public participation.