Automated Summary
Key Facts
The Statute Law (Miscellaneous Amendments) Act, 2018 introduced the National Integrated Identity Management System (NIIMS) for collecting personal and biometric data in Kenya. The Data Protection Act, 2019 (No. 24 of 2019) later mandated a data protection impact assessment for high-risk data processing. The court in the Nubian Rights Forum case (2020) declared DNA and GPS data collection unconstitutional. Despite this, the 2nd respondent announced the rollout of the Huduma Card in November 2020. Applicants challenged the rollout as ultra vires section 31 of the Data Protection Act, which requires a pre-processing impact assessment. The court quashed the rollout decision and ordered the respondents to conduct the required assessment before proceeding.
Issues
- Whether there was a presumption against retrospective legislation in that it ousted vested rights and imposed new obligations and duties.
- Whether retrospective application of section 31 of the Data Protection Act that imposed a new duty to carry out a data protection impact assessment that was not there before and during the collection of personal data under NIIMS was unfair.
- Whether retrospective application of section 31 of the Data Protection Act imposed a new duty to carry out a data protection impact assessment that was a violation of the right to privacy.
- Whether a judicial review court could entertain a judicial review application where an applicant filed a judicial review application before exhausting the remedies of making complaints to the Data Commissioner.
- Whether the Data Protection Act applied retrospectively to such an extent or to such a time as to cover any action that could be deemed to affect the right to privacy.
- Whether the collection and processing of personal data under the National Integrated Identity Management System were subject to the Data Protection Act.
- What was the effect of the collection and processing of personal data without there being a legal framework for the protection of the right to privacy?
Holdings
- The interested party's objection against the 2nd applicant's application was sustained, but it was overruled with respect to the 1st applicant's application. The 1st applicant, a constitutional research institute, was found to have sufficient interest to pursue the application despite lacking standing as a data subject.
- An order of certiorari was issued to quash the respondents' decision to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019. This decision was declared invalid as it failed to comply with the requirement for a data protection impact assessment prior to processing personal data under NIIMS.
- No order as to costs was made, as the court determined the case involved substantial public interest and declined to allocate costs to either party.
- An order of mandamus was issued compelling the respondents to conduct a data protection impact assessment in accordance with section 31 of the Data Protection Act, 2019 before processing data and rolling out the Huduma Cards. This mandates compliance with the Act's requirement for assessing risks to privacy prior to data processing.
Remedies
- Order of mandamus compelling the respondents to conduct a data protection impact assessment in accordance with section 31 of the Data Protection Act, 2019 before processing data and rolling out the Huduma Cards.
- Order of certiorari to bring into court and quash the respondents' decision of November 18, 2020 to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019.
Legal Principles
- The court acknowledged the general presumption against retroactive legislation but found it rebutted in this case. The Data Protection Act's express purpose to enforce constitutional privacy rights (Article 31) justified its retrospective application to past data collection activities under NIIMS.
- The respondents were estopped from arguing that the Data Protection Act did not apply to the data collected under the National Integrated Identity Management System (NIIMS), as the court in the Nubian Rights Forum case had already determined its applicability. This issue estoppel bound the parties to the prior ruling.
- The court ruled that the respondents' decision to roll out the Huduma Card was ultra vires section 31 of the Data Protection Act, 2019. This was because no data protection impact assessment was conducted prior to processing personal data, violating the Act's procedural requirements.
- The court applied a purposive approach in interpreting the Data Protection Act, emphasizing its role in giving effect to the constitutional right to privacy under Article 31 of Kenya's Constitution. This included retroactive application of section 31 to ensure compliance with privacy protections.
Precedent Name
- Council of Civil Service Unions v Minister for the Civil Service
- IRC v National Federation of Self Employed and Small Businesses Ltd
- Wilson & others v Secretary of State for Trade and Industry
- Commissioner of Income Tax v Pan African Paper Mills (EA) Limited
- Samuel Kamau Macharia & another v Kenya Commercial Bank Limited & 2 others
- Linmerx Holdings Limited & another v Mercy Nduta Keng'ara t/a Mwangi Keng'ara & Co Adv & 6 others
- Municipality of Mombasa v Nyali Limited
- IRC v National Federation of Self-Employed and Small Businesses Ltd
- Republic v National Environmental Management Authority
- R v Peterkin ex parte Soni
- L'Office Cherifien v Yamashita-Shinnihon Steamship Co Ltd
- Owners of the Motor Vessel 'Lilian S' v Caltex Oil (Kenya) Ltd
- Mary Wambui Manene v Peter Gichuki King'ara & 2 others
- Dawda K Jawara v Gambia
- Secretary of State for Social Security v Tunnicliffe
- North West Water Ltd v Binnie & Partners
- Linmerx Holdings Ltd & another v Mercy Nduta Keng'ara t/a Mwangi Keng'ara & Co Advocates
- Republic v Ministry of Interior and Coordination of National Government & another ex parte ZTE Judicial Review Case No 441 of 2013
- Republic v Benjamin Jomo Washiali, Majority Chief Whip, National Assembly & 4 others Ex-parte Alfred Kiptoo Keter & 3 others
- Speaker of the Senate & 5 others v The Speaker of the National Assembly & another
- R vs Secretary of State For Foreign Affairs ex parte World Development Movement Ltd
- Republic v Ministry of Interior and Coordination of National Government Ex-parte ZTE Corporation & another
- Speaker of the National Assembly v James Njenga Karume
- National Assembly v Karume Civil Application No Nai 92 of 1992
- Nairobi Law Monthly Company Ltd v Kenya Electricity Generating Company & 2 others
- Mark Ndumia Ndung'u v Nairobi Bottlers Ltd & another
- Nubian Rights Forum & 2 others v Attorney General & 6 others; Child Welfare Society & 9 others (Interested Parties)
- Northwest Water Ltd v Binnie & Partners
- R v Secretary of State For Foreign Affairs ex parte World Development Movement Ltd
- Republic v Zacharia Kabuthu & another (Sued as Trustees and on Behalf of and as Officials of the Kenya Evangelical Lutheran Church); Johanness Kutuk Ole Meliyio & 2 others (Interested Parties) Ex parte Benjamin Kamala & another
Cited Statute
- Data Protection (Civil Registration) Regulations, 2020
- Registration of Persons Act, 1969
- Constitution of Kenya, 2010
- Data Protection Act, 2019
- Fair Administrative Action Act, 2015
Judge Name
Jairus Ngaah
Passage Text
- The respondents had not appreciated the import and the extent of the application of the Data Protection Act, with respect to collection and processing of data collected under the NIIMS. If they did, they would have given effect to section 31 of the Data Protection Act and conducted a data impact assessment before processing personal data and rolling out the Huduma Cards.
- The need to protect the constitutional right to privacy did not arise from the enactment of the Data Protection Act; the right accrued from the Constitution. The obligation to protect the individual rights under article 31 of the Constitution was not a new obligation or duty imposed on the State when the Data Protection Act came into force.
- An order of certiorari was issued to bring into the court and quash the respondents' decision of November 18, 2020 to roll out Huduma Cards for being ultra vires section 31 of the Data Protection Act, 2019.