IMEI Declaration and Registration in Kenya: Balancing Tax Compliance and Data Protection
Zayn Aslam and Doreen Abiero | February 3, 2025 | Data Protection
On 23rd October, 2024, the Communications Authority of Kenya (CAK) formally put the Kenyan public on notice of a measure which mandates the declaration and registration of International Mobile Equipment Identity (IMEI) numbers with the Kenya Revenue Authority.1 CAK has since defended this move as one that will protect the State from, among other things, counterfeit devices and tax-related noncompliance.2 The public response has been one of furor, with many raising concerns about data privacy and compliance. Such a reaction, of question and controversy, seems well founded, as the notice compels the declaration of IMEI numbers to ensure tax integrity.3
This discomfort has materialised in the filing of a suit by Katiba Institute,4 questioning the notice, its necessity, and its possible intrusion on the rights of Kenyans. The Court has since issued a conservatory order halting the implementation of the notice.5 Nonetheless, many questions loom: what does this notice mean? What is an IMEI? And is the arising suspicion warranted? This article attempts to look into these issues and provide valuable insight, particularly in terms of data protection.
Overview of the Notice
The CAK announced that starting January 1, 2025, mobile devices in Kenya would have to meet specific tax compliance measures. These include:
- Local assemblers are to upload the IMEI numbers of all devices to a portal provided by the Kenya Revenue Authority (KRA).
- Importers are required to disclose the IMEI numbers of imported devices in their documentation.
- Retailers and wholesalers may only distribute tax-compliant devices.
- Mobile network operators are to verify devices’ tax compliance before allowing network connections and provide mechanisms to regularize non-compliant devices, which, if unaddressed, will be blacklisted.
Since its introduction, the CAK has been sharing instructions on how consumers can check if their devices have a valid IMEI.6 An IMEI is a unique 15-digit numeric identifier for mobile devices, structured to indicate the manufacturer, model, and batch number, among other identifying information.7 Through access to an IMEI, an entity can track, inter alia, the messages and calls made on a particular device, and in the digitized world of mobile money, it is easy to see why the KRA might be interested in receiving such information. Interestingly, an IMEI only identifies a particular device and does not identify a particular person, entity, or organization.8 A key rationale for the use of IMEIs is security,9 as an IMEI can be used to track stolen devices, and even to ascertain the originality of a device.10
Having introduced the IMEI, the next step is to analyze the potential data protection implications of the notice introduced by CAK. Scholars such as Aririguzo and Agbaraji highlight that while IMEI registration can aid in regulatory oversight and reduce theft, it must be paired with strong data protection frameworks to prevent potential misuse and privacy violations.11
Key Data Protection Elements and Concerns
The notice necessitates the collection of IMEI numbers, which, pursuant to Section 2 of the Data Protection Act (DPA), qualify as personal data. Although IMEI numbers do not explicitly reveal the identity of an individual, their linkage to device usage positions, as well as the ability to access certain types of data, means that they fall within the ambit of ‘personal data’. This is because an IMEI is information that relates ‘to an identified or identifiable natural person’.12 As such, IMEI numbers are a critical data point. This creates a higher standard with regard to the collection and processing of data.
Regarding the legal justification for processing such data, Section 30 of the DPA provides that the processing of personal data is lawful only when certain criteria are met.13 These include obtaining the consent of the data subject, fulfilling a legal obligation, or executing a task that serves the public interest. The application of IMEI data for purposes of tax compliance may align with these legal obligations; however, this could be questioned. For instance, one may ask whether this move is indeed necessary, and whether it meets the Constitutional test enshrined in Article 24 for restricting a right such as the right to privacy. There is precedent in which the High Court found that accessing an IMEI to weed out counterfeit devices unconstitutionally limited the right to privacy.14 One could then ask: if access to IMEIs for security purposes is unconstitutional, is it not foreseeable that access for tax compliance purposes is equally impugnable? This is a question that may aptly be posed. One might venture to argue that Kenya has adequate protection mechanisms that would restrict the wanton use of the data. However, the consensus appears to be that despite the existence of comprehensive data protection statutes, enforcement remains inadequate, thereby raising valid concerns regarding the efficacy of such legal frameworks in protecting IMEI data.15 Equally, Kimani has underscored that existing legal frameworks within Kenya exhibit structural deficiencies, potentially exposing such data to risks of misuse.16
In any case, by dint of Section 28 of the DPA, personal data must be collected directly from the data subject, and processing must align with lawful purposes.17 The IMEI, being a unique identifier linked to personal ownership of mobile devices, constitutes personal data that needs careful handling, and this is a concern that must be addressed. In the present scenario, the notice forces third parties, such as importers and assemblers, to make the registration. This raises doubt over the extent to which, if at all, the requirements of Section 28 are met. Of course, this is subject to various limitations, such as where the indirect collection is necessary for, among other things, ‘the enforcement of a law which imposes a pecuniary penalty’. For now, it is unclear whether the mandate carries a pecuniary penalty if it is not fulfilled.
Lawful collection of data must meet a set standard: that consent has been obtained from the data subject, or that it is necessary for, inter alia, compliance with a legal obligation, or that it serves the public interest or a task carried out by an authority.18 In this case, the compliance and tax regulation purpose may align with the legal obligations mentioned above. However, this presupposes that the measure itself is legal and Constitutional, and does not improperly limit the right to privacy. In the case of the present notice, in the absence of a Court’s judgement, one is forced by trite law to assume that the measure is Constitutional.
Even a cursory observer will note that privacy is, therefore, a key issue in the prevailing matter. One of the key objectives of the DPA is to protect the privacy of individuals, as stated in Section 3(c).19 There are, as mentioned above, well-founded fears and public concerns over potential overreach and surveillance. Equally, this piece has echoed the sentiments of authors such as Kimani, who have raised concern over the practical data protection regime. With such a significant amount of IMEI data being processed and stored, ensuring data security becomes paramount. Section 41 of the Data Protection Act mandates data controllers and processors to implement technical and organizational measures to safeguard data. This includes protecting data from unauthorized access, which could lead to breaches impacting the security and privacy of device owners.
In the event of a data breach, Section 43 requires that the Data Commissioner and affected data subjects be notified promptly. The notice should include details of the breach, measures taken, and recommendations for mitigating potential risks.
Ensuring transparency is critical in mitigating public concern in any political or policy measure. Section 25(b) of the Data Protection Act emphasizes that personal data should be processed lawfully, fairly, and transparently.20 The one-page notice is hardly clear about how a subject’s data will be used, the parties involved in processing, and any data-sharing practices with entities such as the KRA. While there is indeed a skeletal position, it is unclear whether this is sufficiently transparent.
Key Takeaways and Recommendations
The regulation by the CAK is aimed at enhancing tax compliance and device integrity, to align with broader national interests, such as the raising of finances. The upshot of what is required, at a very basic level, can be summarized as follows.
- Consent and Notification: Ensuring that device owners are informed and have an opportunity to consent to data collection or understand their rights is critical.
- Safeguarding Data: The CAK, KRA, and involved stakeholders must prioritize stringent data protection measures to secure IMEI data against breaches or unauthorized access.
- Balancing Compliance with Privacy: There needs to be a clear balance between regulatory compliance and individual privacy rights. Transparent communication strategies will be essential to maintaining public trust.
1 Kenya Revenue Authority, ‘Declaration of Mobile Devices Incorporating IMEI Numbers at Importation,’ https://kra.go.ke/news-center/public-notices/2150-declaration-of-mobile-devices-incorporating-imei-numbers-at-importation accessed 5 November 2024.
2 TechSpace Africa, ‘CA Boss Defends New IMEI Registration System, Assures Kenyans of Data Privacy’, November 8 2024, https://techspace.africa/ca-boss-defends-new-imei-registration-system-assures-kenyans-of-data-privacy/ accessed 21 January 2025.
3 Business Daily, ‘CA to block non-tax compliant mobile phones in revenue drive,’ https://www.businessdailyafrica.com/bd/economy/ca-to-block-non-tax-compliant-mobile-phones-in-revenue-drive-4801338 accessed 28 October 2024.
4 Katiba Institute v Communications Authority of Kenya and Three Others, (2024).
5 Katiba Institute v State Law Office and Kenya Revenue Authority, (E647 of 2024).
6 See, for instance, https://x.com/CA_Kenya/status/1871498442306109818 on 24 December 2024.
7 Ostrev J, et al., ‘Mobile Spy Communications’ 71 (2) Proceedings of the Technical University of Sofia, 2021, 14.
8 Faraz S, ‘Analysis of International Numbers of a Cell Phone’ 3(1) Journal of Information Systems and Communication, 2012, 243.
9 Rafferty M, ‘Thoughts for the acquisition and use of computer evidence during investigative practice in criminal’ 2(1), Yearbook of International & European Criminal and Procedure Law, 2023, 564.
10 Mandela, N., Wangchuk, T., Mbinda, T., Damedjate, K., Mwendwa, G., & Makopa, J. (2024, February). IMEI-based Mobile Device Tracking and Stolen Phone Identification System. In 2024 11th International Conference on Computing for Sustainable Global Development (INDIACom) (pp. 1115-1121). IEEE.
11 MI Aririguzo and EC Agbaraji, “Mobile Phone Registration for a Developing Economy: Gains and Constraints”, 3(3) European Journal of Basic and Applied Sciences, 2016, 44-52.
12 Section 2, Data Protection Act, 2019.
13 Section 30, Data Protection Act, 2019.
14 Okiya Omtatah Okoiti vs Communication Authority of Kenya & 8 Others (2018) eKLR.
15 Ziwa N, ‘The Effectiveness of Legal Framework On Personal Data Protection in E-Commerce in Kenya’, Unpublished LLB Thesis, Moi University, Kenya, 2022, 33.
16 Kimani D, ‘Are We Ready for a Data Bank? An Analysis of the Sufficiency of Kenya’s Legal and Institutional Framework on Data Protection and Identity Theft’, 2019.
17 Section 28, Data Protection Act, 2019.
18 Section 30, Data Protection Act, 2019.
19 Section 3(c), Data Protection Act, 2019.
20 Section 25(b), Data Protection Act, 2019.