Unpacking the Device Management System (DMS) Judgement
By Mitchel Ondili
Communications Authority of Kenya v Okiya Omtatah Okoiti & 8 others  eKLR
Under the Global System for Mobile Communication (GSM) standards, each mobile device bears a unique quality mark known as the International Mobile Equipment Identity (IMEI) number, which is issued by the Global System for Mobile Communications association (GSMA). The GSMA maintains a central database containing the IMEI numbers of manufactured devices.
The East African Communications Organization, of which Kenya is a member, implemented an Equipment Identification Register (EIR) to tackle counterfeit and illegal phones. The system allows networks to keep list of blacklisted lost or stolen phones and automatically connects to the GSMA IMEI database to share that list with other operators in order to block them on both local and international networks. This resulted in the switch off of 1.89 million illegal mobile handsets by September 2012.
The victory was short lived as this measure had a dual effect on those running counterfeit or illegal operations as regards mobile communication. First, they began to clone genuine IMEI numbers to slip through detection, secondly, they began to engage in SIM boxing which refers to bypassing the international mobile carrier legal route and evading license fees in the process.
The Communications Authority of Kenya (CAK) proposed the introduction of the Device Management System (DMS), intending to curb the newer methods of introducing and using counterfeit and illegal mobile devices.
The DMS would:
a) Define a whitelist of IMEIs which should access GSM services.
b) Identify counterfeit devices.
c) Identify substandard goods which have not met the type approval requirement.
d) Identify and distribute information about mobile phones reported lost and/or
stolen to all service providers; and
e) Identify instances of SIM boxing operators.
The CAK required co-operation from various stakeholders including Mobile Network Operators (MNO’s) and sent letters to this effect requesting that they provide information on their subscribers and integrate the DMS with their systems. This sparked concern of privacy violations and heightened scrutiny on the need for data protection at a time when Kenya’s Data Protection Act was yet to be enacted.
In 2017, Okiyah Omtatah and 8 others filed a petition in the High Court challenging the system. The result was a judgement by the High Court declaring that the system’s implementation be ceased entirely on grounds of privacy infringement, inadequate public participation, non-compliance with the law, and an overreach of the mandate of the CAK.
The CAK filed an appeal seeking to overturn the judgement of the High Court.
Summary of Issues
The Court found 4 main issues for determination:
- Whether the dispute was premature meaning the question before the court was hypothetical
- Whether installation of the Device Management System (DMS) by the CAK would Infringe on the right to privacy by recording communications and mobile data
- Whether in the design and implementation of the DMS, public participation was adequate
- Whether the implementation of the DMS would violate consumer protection rights
- Whether the trial Judge misinterpreted the CAK’s mandate
- Premature dispute
The first issue was whether the dispute was premature, since the case was filed even before CAK had installed DMS, and consultations on the system were still ongoing.
Counsel for the appellant stated that the trial Judge had misdirected himself when he held that the petition was not hypothetical. Noting a difference between the doctrines of locus standi and the doctrine of ripeness, counsel challenged the trial Judge’s finding because the 1st respondent and the other parties who supported the petition did not provide supporting evidence of the possibility of a breach of fundamental rights.
Counsel cited John Harun Mwau & 3 Others vs. Attorney General & 2 others  eKLR and Wanjiru Gikonyo & 2 Others vs. National Assembly of Kenya & 4 others  eKLR in support of the appellant’s argument that the court cannot exchange in abstract arguments and there must be a real threat. Counsel also pointed out that part of the evidence provided by the 1st respondent was newspaper cuttings and baseless allegations. Counsel reiterated that the consultation to agree on the architecture and implementation of the DMS was ongoing, evidenced by records of correspondence and meetings between the appellant and various stakeholders including the MNO’s.
Relying on Articles 22 (1), 165 (3) (b) and 258 (1), the 1st respondent opposed the appellant’s submissions asserting his right to institute court proceedings where a fundamental right is threatened as well as the jurisdiction of the High Court to determine such rights.
Counsel for the 7th respondent relied on the case of Coalition for Reforms and Democracy & Others vs. Attorney General, Petition No 628 of 2014  eKLR, which stated, in part
“…A party does not have to wait until a right or fundamental freedom has been violated, or for a violation of the Constitution to occur, before approaching the court …’
Counsel for the 7th respondent also submitted that the appellant had gone ahead to undertake implementation before stakeholder concerns were addressed. As proof, counsel submitted the invitation by the appellant to prospective bidders to bid for installation of the DMS system.
The Court stated that determining all issues hinged on the decision as to whether the matter was ripe for litigation or not. The Court pointed out the petition filed by the 1st respondent as ‘slovenly drawn’ and largely specious, made up of generalized accusations and unsubstantiated claims taken from newspapers and statements by unidentified technical experts. The Court also considered the affidavit sworn by Mercy Ndegwa which, in the view of the Court formed the foundation of the petition before the High Court.
The Court found that the trial Judge had erred in failing to identify the actual probable evidence that the system would infringe on the right to privacy and failed to acknowledge that the appellant, acting within its mandate, had introduced the system in order to combat the newer and more challenging tactics that the purveyors of counterfeit devices had come up with as well as the sim boxing operators.
Finding that the trial Judge had delved into the human rights aspect of the case but not the challenges that may have merited the existence of the DMS, the Court stated that a one sided definition of ‘access’ had been adopted, taken to mean intrusion of a person’s right to privacy and overlooking the definition of ‘making use of resources to address the challenges at hand’.
The Court also stated that had the trial Judge relied on the affidavits by Mr Wangusi and Mercy Ndegwa, the Judge would have found that access was requested for purposes of configuration and not installation of the DMS system.
The Court acknowledged the invitation to bidders for the DMS equipment as a necessary requirement for the configuration of the system with existing infrastructure and not installation, something which the trial Judge also failed to consider.
2. The Right to Privacy
Privacy was another contention. Counsel for the appellant explained that the trial Judge had created his own case, as the discussions of the architecture and installation of the device were still underway, therefore there was no evidence to support the conclusions reached by the Judge on alleged spy capabilities.
The first respondent, Mr. Omtatah, argued that the system would give backdoor access to the appellant allowing it to interfere and spy on consumers.
Counsel for the 7th respondent, Safaricom Limited, raised privacy concerns, pointing to the fact that their concerns had been raised in meetings held with the appellant in October of 2016 and January of 2017, yet the appellant undertook implementation before concerns by stakeholders could be addressed. Counsel also raised concerns surrounding the accessibility of the information by the Kenya Revenue Authority (KRA), the Kenya Bureau of Standards (KEBS) and the National Police Service (NPS).
Mr. Manases, representing the Kenya Human Rights Commission, highlighted the spying capability of the system and infringement of the right to privacy under Article 31 of the Constitution and proposed an alternative, using the IMEI numbers to identify stolen and counterfeit devices. He also stated that the CAK was overstepping its mandate by playing a surveillance role in accessing counterfeits as that was the purview of the Anti – Counterfeit Authority (ACA) and the police.
The Court found that the trial Judge had erred when he found that the right to privacy of consumers was threatened, hinging their finding on non-completion of the consultation and framework process of the DMS.
3. Public Participation
The appellant was aggrieved that the High Court did not take into consideration that they had engaged the industry in its efforts to curb the issue of counterfeit and illegal devices since 2012.
The first respondent argued that the appellant had contravened the Statutory Instruments Act of 2013 and the Fair Administrative Action Act of 2015 by failing to obtain adequate public participation or consultation.
The Court held that it would be premature for the Court to pronounce itself on whether public participation had been adequate since the consultation and framework process had not been completed. Relying on several factors in the cases of In the matter of the Mui Coal Basin Local Community  eKLR and Doctors for Life International vs. Speaker of the National Assembly & Others,the Court added that there was no set standard for adequacy, only guidelines enumerated in the aforementioned cases which included the bona fides of the public actor, the nature of the subject matter, the length and quality of the engagement and the outreach mechanisms.
The Court stated that the trial Judge had erred in finding that there had been no public participation.
4. Consumer Protection
Counsel for the appellant submitted that the trial Judge overreached the matters pleaded in the petition by introducing consumer rights under Article 46 of the Constitution as well as the Consumer Protection Act, as the article required that the goods and services offered be of reasonable qualities, therefore having no relation to the case. Counsel added that the ambit of the DMS system excluded it from the consideration of consumer rights in the manner construed by the trial Judge.
5. Ambit of the CAK
Counsel for the appellant argued that the appellant was acting under its role as the sole regulator of the communication sector and in line with its constitutional, statutory, international and regional mandate.
The 1st respondent argued that the appellant cannot extend its mandate to curtail guaranteed freedoms and no statute allowed it to interfere with third party communications.
Mr Manases, for the KHRC stated that the issue of counterfeits was a matter for the Anti Counterfeit Authority and the police therefore the appellant had overstepped its mandate by intruding into surveillance.
The Court found that the appellant was acting within its mandate in developing the DMS system as it had a role as the regulator and challenger of illegal mobile operators
The Court stated that the trial Judge overlooked the statutory mandate of the Appellant stated in the Kenya Information and Communication Act no 2 of 2018 which states, in part that the appellant is tasked. with licensing and regulating postal, information and communication services.
The Court concluded by finding that the appeal has merit.
From the foregoing, the court made four orders, reproduced below:
(a) In exercise of its mandate of developing a DMS system, the appellant shall continue with the consultations that were ongoing with the stakeholders and MNOs prior to the filing of the petition so as to complete the technical and consumer guidelines on the DMS.
(b) The guidelines/ regulations should be subjected to public participation.
(c) For the same reasons given by the High court we order each party to bear their own costs of the appeal.