2.1 A constitutional provision that guarantees the right to privacy

Any country that wishes to successfully implement a digital ID system should have the right to privacy recognized in the constitution. Indeed, the existence of a constitutional provision guaranteeing the right to privacy is an indication that the aspect of privacy has been prioritized in a given jurisdiction.

Although the rights-based test of the CIS framework does not make a direct reference to the right to privacy, the aspects that are assessed during the test all seek to protect the privacy of citizens from being violated. For instance, the requirement that digital identity systems should adhere to data minimization is intended to ensure that there is a restriction to the volume of citizens’ personal information that is collected by the digital ID system. In this case, a digital ID system should only collect personal data that is relevant to serve its purpose.

As such, for purposes of this study, the existence of the right to privacy in any country that wishes to establish and implement a digital identity system is consistent with the rights-based test. First, a right to privacy law protects citizens’ private information from being unnecessarily revealed or demanded by state agents. Secondly, it compels the state to safeguard citizens’ privacy rights.

An analysis of the literature revealed that several countries around the world have explicit constitutional provisions on the right to privacy. These include Chile, China, Cuba, Finland, Germany, and Ghana, among others (Privacy International, 2021). Additionally, having constitutional privacy protections is important as it provides a foundation for the formulation and enactment of specific laws on data protection.

In contrast, in some countries such as the USA and Ireland, there is no specific reference to the right to privacy in the constitution. Instead, courts have developed these rights from the language of other constitutional provisions (World Bank, 2017).

Beyond having a constitutional provision, countries’ commitment to protecting the right to privacy is also demonstrated through the ratification of international instruments relating to the protection of privacy. These include the following:

• • Article 12 of the Universal Declaration of Human Rights 1948;

• • Article 17 of the International Convention on Civil and Political Rights (ICCPR) (United Nations (UN), 1966).

Below is a brief discussion of each of the aforementioned international instruments and how they relate to the right to privacy.

At the international level, the right to privacy has its origin in the “Universal Declaration of Human Rights (UDHR)” that was adopted by the United Nations on December 10, 1948. The UDHR states in Article 12 that

In the context of this paper, this means that the right to privacy as enshrined in the UDHR limits who can access our bodies, spaces, things, and more importantly our communications as well as our information [UDHR] (1948, p. 74).

This is particularly relevant for digital ID systems that act as a gateway to certain government services. In most cases, digital IDs require citizens to share personal data to access services. Rightfully, there is a concern that shared personal information may be misused by government agents to monitor citizens against their will. However, a government that has ratified the UDHR will be obliged to respect the right to privacy even when rolling out a digital identity system.

The right to privacy is also recognized in the ICCPR, which was adopted by the “United Nations (UN) General Assembly” as resolution 2200A in 1966. Article 17 of the ICCPR adopted the same language as the UDHR by stating,

In sum, in terms of the right to privacy, this paper will establish, firstly, if Kenya has a constitutional provision on the right to privacy and, secondly, whether the country has ratified and adheres to international instruments on the right to privacy.

2.2 An enabling law governing the establishment and implementation of the digital identity system

Robust identification systems are anchored on a comprehensive digital identity law that stipulates the purpose of the digital ID system, among other issues relating to its operation.

The element of legislative mandate under the rule of law test of the CIS evaluation framework requires that countries intending to implement digital identity systems must ensure that there is a digital ID law that will govern the use and operation of the digital ID system. Further, the state is obliged to ensure public participation before implementing a digital ID system.

In essence, the digital ID project should be founded on a validly enacted law which should, among other things, outline the legitimate aim of the digital ID, specify the actors of the system; outline the grievance redress mechanism against the administrators of the system, and provide for an oversight mechanism to address any cases of misuse of the digital ID.

Indeed, World Bank (2017) contends that an ideal digital ID law should reflect the purpose of an ID system, the data it must collect, and the ends to which it is established to meet. Additionally, the digital ID law will outline mechanisms for monitoring and ensuring compliance with the purpose limitations (World Bank, 2017).

For example, Article 15 of the Nigerian National Identity Management Commission Act 2007 sets out specific objectives of the national identity database. These include providing a medium for the identification, verification, and authentication of citizens, among others (World Bank, 2017).

Additionally, the digital identity law also specifies the body that is mandated with the implementation of the digital identity system. For example, in Austria, the Source PIN register Authority regulation enacted in 2009 sets out the responsibilities of the Authority which is responsible for citizen IDs and cooperation with service providers (World Bank, 2018).

Ironically, some countries have attempted to implement digital identity systems without an enabling digital ID law in place. This has resulted in the ID systems facing litigation headwinds and a lack of trust in the system by the citizens. For example, India’s Aadhaar system was initially introduced before an enabling law had been enacted. This led to legal challenges particularly on the constitutionality of the system, with the case ending up in the Indian Supreme Court (World Bank, 2018).

Beyond enacting a digital identity system law, it is equally important to appreciate that there are other laws that are closely related to the aspect of digital identification. A case in point is the law on the registration of persons.

Notably, the process of civil registration entails the collection of citizens’ personal attributes which can be used for identification purposes. As such, civil registration contributes to the development of identification systems. As a matter of fact, the establishment and implementation of foundational identity systems is influenced by the existing civil registration system of a particular jurisdiction.

Further, the management of civil registration systems raises similar legal and regulatory issues as those of foundational identification systems (World Bank, 2017). As such, seamless implementation of a digital identity system requires that the law governing the establishment and operation of the identity system be aligned with the law relating to registration of persons.

In Kenya’s context, the concern of this paper is to establish if the law relating to the registrations of persons has been amended to reflect the establishment and operation of the NIIM system.

2.3 Existence of laws governing the collection, storage, and processing of personal identifiable information (Data Protection Law)

As mentioned earlier, identity systems collect and retain a lot of personally identifiable information relating to citizens. This data-centric nature of digital identity systems predisposes their users to risks associated with data breaches. These risks include identity theft and discrimination, among other ills.

The rights-based test of the CIS evaluation framework requires that countries implementing digital identity systems have a law that addresses the aspects of necessity and proportionality, data minimization, access control, exclusion, and mandatory use. Notably, all these aspects relate to the collection, storage, and processing of personal data, and are therefore addressed by enacting a data protection law. In essence, a data protection law stipulates data protection principles that will guide the management of personal data within the ID system.

For example, on the aspect of data minimization, the data protection law should outline mechanisms that ensure that the digital identity system adheres to the principle of data minimization. That is, it should propose privacy design features that ensure the collection of personal data is limited to only what is necessary to serve the purpose of the digital ID system.

In terms of the enactment of the Data Protection law, internationally, according to the United Nations Conference on Trade and Development (UNCTAD), out of the 194 countries in the world, at least 132 have some sort of regulation on the acquisition, use, and safety of data (United Nations Conference on Trade and Development (UNCTAD), 2016). At the continental level, in Africa, extant literature reviewed revealed that 25 out of 55 countries have passed data protection laws (Kadengye and Owoko, Reference Kadengye and Owoko2019).

According to Banisar and Davies (Reference Banisar and Davies1999), there are two major models of data privacy protection. The first model comprises a country adopting an omnibus or general data protection law that seeks to safeguard all categories of personal data. This is the preferred model for most European countries. It provides for a public official, an ombudsman or privacy commissioner, to enforce the provisions of the data protection law.

In contrast, some countries, such as the United States, have avoided a general data protection law in favor of sectoral laws governing specific categories of information such as police files and consumer credit records. However, the drawback of this model is that it requires legislations to be introduced for each new technology and thus may delay protections (Banisar and Davies, Reference Banisar and Davies1999, p. 13). Further, the sectoral approach means enacting multiple legislations which may be time-consuming, thus delaying the implementation of the digital ID system.

In many African countries, having a general law that covers all categories of personal data would be more appropriate. This would ensure leverage of the limited resources since lawmaking entails a prolonged process that involves drafting, seeking public views, and presentation to parliament for debate and approval.

In the Kenyan context, this paper is concerned with establishing the model of data privacy protection adopted to facilitate the establishment and implementation of the NIIM system.

There is also the aspect of ensuring that the provisions of the data protection law are reflected in the design of the identity system. Indeed, the European Union’s GDPR introduced new obligations requiring organizations to adhere to the principle of privacy-by-design so that data protection issues are considered at the outset of the design phase of an identity system (World Bank, 2017).

The rights-based test of the CIS framework that underpins this study requires countries implementing digital identity systems to adhere to the principle of data minimization. Notably, one way of achieving data minimization within a digital identity system is by embedding features that allow the system to collect as minimal data as possible.

This means developing a privacy-preserving ID system by incorporating data protection principles in the architecture of the identity system. For example, in India, the Aadhaar system has inbuilt privacy-enhancing features that ensure that the Aadhaar number generated by the system does not disclose the identity of the user. This privacy-by-design feature is consistent with the principle of data minimization that is pronounced in the Aadhaar’s system enabling legislation, the Aadhaar Act 2016 (World Bank, 2018).

In the Kenyan context, the concern of this paper is whether there are any privacy-by-design features pronounced in Kenya’s Data Protection law and if so, how these features are incorporated in the design of the NIIM system to achieve data minimization.

There is also the question of accountability. Specifically, the rule of law test requires a digital identity system law to provide a mechanism for holding both private and public users of the digital ID accountable. In essence, the law should ensure the effective enforcement of the various provisions relating to data protection. Indeed, under the European Union’s GDPR, member states are expected to have an oversight authority to monitor the enforcement and implementation of the law (European Union (EU), 2016).

Extant literature reviewed revealed that different countries have adopted different models of oversight mechanisms depending on the governance structure. For instance, some countries have two distinct agencies overseeing the implementation of the Data Protection Act and the Freedom of Information Act. In contrast, some countries have a single agency overseeing the implementation of both Acts.

For example, in the UK, all laws relating to access to information and data protection are coordinated by a single authority. In particular, the UK information commissioner is the point of contact for public authorities and the public for both the Data Protection Act and the Freedom of Information Act (Amos and Holsen, Reference Amos and Holsen2004). Further, the Access to Information clearing house is charged with ensuring consistent application of the Data Protection Act, the FOIA. and the environmental regulations (Dokeniya, Reference Dokeniya2013, p. 18).

In the Kenyan context, the paper is concerned with establishing whether the Data Protection Act 2019 provides for an oversight mechanism to oversee the deployment of digital ID systems such as NIIMs.

2.4 Law governing access to Information—Data Protection law and the Freedom/ Access to Information legislation

The rights-based test of the CIS framework that underpins this study requires that countries implementing digital identity management systems have a law that governs access to citizens’ information by the state as well as private actors. Notably, in many jurisdictions, access to personal information is governed by the data protection legislation.

However, it is important to appreciate that the Data Protection law does not operate in a vacuum but interfaces with other legislations governing access to information. In particular, for a Data Protection law to be implemented effectively, its provisions must be consistent with the laws relating to freedom/access to information.

In essence, the provisions of the freedom/access to information legislation should complement certain aspects of the data protection law, particularly in relation to privacy of personal data. For example, in the UK, the Freedom of Information (FOI) Act 2000 is harmonized with the UK Data Protection Act of 1998. Specifically, the UK FOI Act 2000 clearly states that requests for information about third parties are covered by the Freedom of Information Act 2000, but data protection principles apply (Amos and Holsen, Reference Amos and Holsen2004).

In contrast, an analysis of literature revealed that in countries where the data protection law is not harmonized with the freedom/access to information legislation, there is confusion among public officials leading them to unjustifiably refuse requests for information. For example, in New Zealand, citizens complained of being unjustifiably denied access to information on account of the Privacy Act (Rodrigues, Reference Rodrigues2008).

While most countries have distinct legislations for data protection and access to information, it is worth noting that in some countries, such as Canada and Ireland, the aspects of data protection and freedom of information are integrated into a single legislation (World Bank, 2016 ID4D Country Diagnostic, Kenya).

In the Kenyan context, this paper is concerned with establishing the extent to which the Data Protection Act 2019 in Kenya is harmonized with the Freedom/Access to Information Act 2016 to fulfil the access control element of the rights-based test and, by extension, create a conducive environment for the operation of the NIIM system.

2.5 Existence of policy and regulations to operationalize both the Digital ID law and the Data Protection law

The elements articulated in both the rule of law test and the rights-based test cannot be actualized by only enacting the set of laws mentioned above. As such, it is important to appreciate that laws are operationalized by enacting regulations and a policy framework that elaborates the methodology of enforcing the provisions set out in the law.

In view of the above, for a digital identity law to operate effectively, it has to be supplemented by regulations specifying how the various components of the identity system will operate.

Similarly, there is a need for data protection regulations to operationalize the data protection legislation. Indeed, some of the legal requirements of the rights-based test such as the aspect of data minimization are operationalized through policy tools that provide guidelines to data controllers on adhering to the data minimization principle.

Further, effective enforcement of the digital identity law requires the formulation of a policy that outlines the various guidelines to be followed in the implementation of the digital ID law The guidelines will outline among other aspects the roles and responsibilities of various actors in the operation of the digital identity system. Similarly, there is a need to formulate a data protection policy that spells out the mechanism for actualizing the implementation of the Data Protection Act.

In the Kenyan context, the concern of this study was to establish whether Kenya’s digital ID law and the Data Protection Act 2019 were complemented by policy and regulations to facilitate their operationalization.

2.6 Existence of a law governing the digital economy

Digital identity systems do not operate in isolation; rather they are part of a broader digital economy. Advances in information and communication technologies in the last decade have led to increased global internet connectivity. This has resulted in a digital economy where essential services are offered through digital technologies. In essence, in a digital economy, consumers once connected to the Internet can access goods and services from the digital market from any part of the world (Gillani et al., Reference Gillani, Dermish and Grossman2022, p. 1). Ordinarily, financial transactions are founded on trust, and electronic transactions are no exception. As such, digital IDs are necessary to ensure that electronic transactions in the digital market are secure and reliable. Through a digital ID, sellers can verify and authenticate the identity of the buyers in the digital market.

Granted, the digital economy has revolutionized access to goods and services. However, it is also fraught with challenges. Key among them is its susceptibility to cybercrimes such as identity theft and electronic fraud. To address these ills, there is need for an overarching legislation that covers the broader digital economy to guarantee trusted communication.

Internationally, in 2001, the Council of Europe formulated an international treaty (Budapest Convention) that came into effect in 2004. The treaty identifies crimes committed on the Internet and other computer networks such as infringement on copyright, child pornography, and violations of network security (Council of Europe, 2004). As such, countries are expected to demonstrate their commitment to combat cybercrime and internet fraud by ratifying or aligning their domestic laws with the Budapest Convention.

The Budapest Convention is cognizant of the fact that electronic systems, including digital identity systems, are susceptible to manipulation, and as such, there is a need to have a law addressing the criminal conduct directed against the confidentiality, integrity, and availability of computer systems and networks as well as data processed on them (World Bank, 2017).

Amartya Sen’s capability approach, that partly underpins this study, advocates for the removal of constraints that may hinder citizens from living a meaningful life (Sen, Reference Sen1999). In the context of this study, the challenges facing the digital economy such as identity theft and electronic fraud, among others, undermine the ability of citizens to enjoy their fundamental rights and freedoms within the digital space. In this regard, having a law on the digital economy will ensure that there is a set of rules and mechanisms for dealing with cybercrimes, thereby enabling citizens to fully achieve their capabilities in the digital space.

The concern of this study is to establish the existence of an overarching law governing the digital economy in Kenya.

2.7 Fundamental Rights and Duties

Any country across the world that is founded on democratic ideals is expected to guarantee certain rights to its citizens. These are termed as fundamental rights which every citizen is entitled to and are outlined in the Bill of Rights. In the same vein, these fundamental rights oblige citizens to perform certain duties toward other individuals, society, nation, or humanity.

In essence, any legal system has certain social and ethical principles that outline what is allowed of people (freedom) and what is owed to people (duties). These rights and duties facilitate the existence and development of individuals in a society (India, 1950).

Democratic societies safeguard fundamental rights by enshrining them in the Constitution, thereby guaranteeing them. Further, fundamental rights are justiciable, that is, they can be enforced through the courts (India, 1950). This means that in the event of a violation of any of these rights, an individual can petition the court seeking their protection.

These fundamental rights are universal and outlined in the Bill of Rights. They include the right to life, right to equality, freedom from discrimination, freedom of conscience, religion, belief, and opinion, among others (India, 1950; Kenya, 2010).

As such, governments across the world should always endeavor to safeguard fundamental rights. This means that any law enacted by the state must be consistent to the fundamental rights of the citizens. In view of this, the enactment and implementation of the digital ID law must be consistent with citizens’ fundamental rights.

In particular, the rights-based test of the CIS evaluation framework that underpins this study requires countries that are implementing digital identity systems to ensure that those systems do not perpetuate exclusion. In this case, the use of the digital ID system should not occasion a situation where a certain category of citizens is excluded or discriminated against from accessing certain government services.

Similarly, Amartya’s Sen’s capability approach, that partly underpins this study, requires that human beings be afforded an environment that enables them to fully achieve their capabilities. In this regard, granting citizens their fundamental rights and freedoms ensures that they fulfil their capabilities (Sen, Reference Sen1999).

At the international level, governments are expected to demonstrate respect for their citizens’ fundamental freedoms by ratifying international instruments such as the International Convention on the Elimination of All Forms of Racial Discrimination (ICERD).

In December 1965, the UN General Assembly adopted Resolution 2106, which established the ICERD. In essence, this convention seeks to adopt measures to eliminate racial discrimination in all its forms and manifestations (United Nations General Assembly (UNGA), 1965).

This convention is relevant to the aspect of digital identity systems, especially given that most digital ID systems are programmed in Western countries and may have an embedded bias that may not be compatible with African contexts. In this regard, it is important for countries intending to implement digital ID systems to ratify this convention to ensure that they implement digital ID systems that do not discriminate against citizens based on their race or color.

4.1 Constitutional provision guaranteeing privacy—Right to Privacy

The study revealed that Kenya’s constitution explicitly provides for the right to privacy. Specifically, Article 31 of the Constitution of Kenya (2010) recognizes and guarantees citizens the right to privacy. In particular, Article 31 of the Constitution of Kenya (2010) provides the following:

1. a) their person, home or property searched;

2. b) their possessions seized;

3. c) information relating to their family or private affairs unnecessarily required or revealed; or

4. d) the privacy of their communications infringed (Kenya, 2010).

Constitutional guarantee on privacy is important as it lays the legal foundation for the enactment and implementation of laws relating to privacy and protection of personal data. Indeed, in Kenya’s case, Article 31 of the Constitution of Kenya (2010) laid the foundation for the enactment of the Data Protection Act in 2019.

In terms of the impact on the implementation of the NIIM system, the presence of a constitutional guarantee on the right to privacy means that the system is being implemented in an environment where the privacy of citizens is well safeguarded. This engenders trust in the system among the citizenry by providing an assurance that their personal data is safe.

Additionally, the study revealed that Kenya adheres to several international legal instruments aimed at enhancing privacy and protection of personal data. Specifically, Kenya has ratified international instruments relating to the right to privacy, thus committing itself to fulfilling the requirements stipulated in these instruments. These include the following:

• • Universal Declaration of Human Rights (UDHR) and specifically Article 19;

• • International Convention on Civil and Political Rights (ICCPR);

• • International Convention on the Elimination of All Forms of Racial Discrimination (IECRD).

There are also regional treaties that seek to promote data protection and privacy. For instance, in Africa, the study revealed that only 14 out of 55 African Union (AU) member states have ratified the African Union Convention on Cyber Security and Data Protection (Malabo Convention). Indeed, enforcement of the African Union Convention on data privacy has been undermined by the delay by some African Union member states to ratify the convention. Notably, some scholars have argued that this delay is attributed to the inclusion of the aspect of cybersecurity as part of the convention as well as lack of resources by the African Union to lobby its members to ratify (Greenleaf and Bertil, Reference Greenleaf and Bertil2020).

Regrettably, Kenya is among the countries that are yet to ratify the African Union Convention on Cyber Security and Data Protection (Malabo Convention). The delay in ratification of the Malabo Convention by Kenya sends the wrong signal as it puts into doubt the country’s commitment toward complying with regional standards on cybersecurity and data protection.

4.2. An enabling law governing the establishment and operation of the digital ID system

As mentioned earlier, the rule of law test of the CIS evaluation framework that underpins this study demands that a digital identity system should be founded on an enabling law governing its establishment and operation. Specifically, a digital identity system that adheres to data protection norms should draw its legitimacy from an elaborate stand-alone Act that outlines the legitimate aim of the digital identity system and outlines its functions and purpose.

However, in Kenya’s case, NIIMS was not established through a stand-alone Act of parliament. Instead, the government introduced an omnibus bill seeking to amend provisions of the Registration of Persons Act Cap 107. Section 9A (1) of the Act establishes the NIIMS (Mutung’u and Rutenberg, Reference Mutung’u and Rutenberg2020). The fact that the NIIM system is anchored on an executive order instead of a stand-alone digital ID law means that the system does not meet the requirements of the CIS framework rule of law test, thereby undermining its legitimacy.

Further, this narrow legislative approach adopted in establishing the system undermined public participation and scrutiny of the proposed amendments. Indeed, this anomaly was highlighted by civil society organizations who noted that regulations cannot be used to regulate and create substantive systems which have implications on the effective and proper functioning of government, and which directly affect an individual’s identity (Article 19 Eastern Africa, 2020).

Further, the digital ID law is expected to specify the purpose of the digital ID. Indeed, according to the World Bank (2017), the law establishing the digital ID system should, among other aspects, outline the purposes for which data will be collected and used. This is meant to adhere to the rights-based test that requires that the data collected be proportionate to the purpose of the ID system. Regrettably, in Kenya’s case, the amendment to the Registration of Persons Act, on which NIIMS is anchored, is not elaborate on the contemplated purpose of the data collected by the system. This has prompted some civil society activists to describe the NIIM system as “purpose-free” (Mutung’u and Rutenberg, Reference Mutung’u and Rutenberg2020).

As such, the legal basis of the NIIM system in Kenya was through an executive order no.1 of 2018. Specifically, the president directed the development of NIIMs to create and manage a central master population database, to be the “single source of truth” on all Kenyan citizens and foreign nationals residing in Kenya (Mutung’u and Rutenberg, Reference Mutung’u and Rutenberg2020).

Section 9A (1) of the Act establishes the NIIMS. The Registration of Persons Act cap 107 section 14 (1) (k) (1) and (m) prohibits anyone from publishing or communicating any data that is acquired in the course of employment other than for allowed official purposes. It also prohibits any third party from possessing any personal data derived from registration processes (Kenya, 1947).

Beyond enacting a digital ID enabling law, it is also important to align it to the legislation relating to the registration of persons. This action stems from the fact that the digital identity system is directly linked to the registration of persons. Indeed, World Bank (2017) noted that civil registries record a lot of personal attributes which are sometimes used for identification purposes. As such, foundational identity systems are founded on existing civil registration systems. Notably, for a digital ID system to function well, it requires the mandate for civil registration and, at some point, it should provide citizens with incentives for voluntary registration (Asian Development Bank, 2016).

In Kenya’s case, the digital identity system was established through an amendment to the primary identity law, the Registrations of Persons Act. The amendment expanded the range of data collected during the registration of persons and created NIIMS as a central link to government services and some private services (Mutung’u and Rutenberg, Reference Mutung’u and Rutenberg2020).

According to Section 9A (2)(a) and (b) of the amended Act, NIIMS was introduced to

• • create, manage, maintain, and operate a national population register as a single source of personal information of all Kenyan citizens and registered foreigners resident in Kenya;

• • assign a unique national identification number to every person registered in the register (Kenya, 2018).

As such, in Kenya’s case, there is no stand-alone digit ID law, and thus no harmonization with the Registration of Persons Act. Instead, the government amended provisions of the Registration of Persons Act as outlined above. The absence of a stand-alone digital ID law means that the establishment and operation of the NIIM system does fully meet the rule of law test of the CIS evaluation framework.

4.3. Law governing the collection, storage, and processing of personal information (Data Protection Law)

The data-centric nature of digital identity systems means that they collect large volumes of personally identifiable information belonging to citizens. Having a digital identity system that is in the form of a centralized database exposes it to data breaches such as identity theft, mass surveillance, and other privacy concerns.

The rights-based test of the CIS evaluation framework identifies the principles of necessity and proportionate as well as data minimization as important elements that should be embedded in a digital identity system for it to be deemed to be complying with data protection norms.

In this case, a digital identity system that is founded on the principle of necessity and proportion will only collect personal data that is necessary for the fulfilment of the legitimate aim of the system. Further, the data collected is proportional to the use and purpose of the digital ID system.

In Kenya’s context, the government enacted the Data Protection Law 2019 which outlines data protection principles that all data-centric systems implemented within Kenyan borders are expected to adhere to. Notably, Kenya’s Data Protection Act 2019 adopts the form and substance of the European Union’s GDPR and therefore, by extension, embodies the OECD principles of collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.

On the question of privacy-by-design, the rights-based system of the CIS evaluation framework requires digital identity systems to collect personal data that is adequate, relevant, and limited to what is necessary in relation to the purpose of the digital ID. This means protecting the privacy of citizens through embedding the principle of data minimization in the design of the digital ID.

In Kenya’s case, the Data Protection Act 2019 does not stipulate privacy design features that are supposed to be adhered to when designing data-centric systems. Indeed, there are no specific privacy-by-design features embedded in the NIIM system.

In sum, the NIIM system does not adhere to some of the data protection principles. This is problematic as it means that its implementation may undermine citizens’ right to privacy by, for instance, collecting more personal data than is necessary for the fulfilment of its purpose.

4.4. Law governing access to Information—Data Protection law and the Freedom/ Access to Information legislation

The rights-based test of the of the CIS evaluation framework also obliges countries implementing digital identity systems to adhere to data protection norms by having elaborate laws that govern access to information by state and private actors. In this case, the framework stipulates that the country needs to enact a data protection law as well as the freedom/access to information law.

Further, an analysis of extant literature revealed that digital identity systems are successful in an environment where the data protection law is harmonized with the law relating to freedom/access to information.

As such, this study sought to establish whether Kenya’s Data Protection Law 2019 was harmonized with the Access to Information Act 2016 to facilitate the seamless operation of the NIIM system.

The study revealed that the Access to Information Act (ATI) 2016 that governs access to information held by public entities by citizens is to a large extent harmonized with the Data Protection Law 2019. Specifically, the ATI Act 2016 is relevant to the privacy of identity systems, in that Section 6 (1) of the Act provides for limitation of the right to information thus safeguarding the privacy of personal data. Subsection 1 (d) prohibits disclosure of information that is likely to “involve the unwarranted invasion of the privacy of an individual.” Further, Section 28 of the Act provides for a heavy fine of Kenya shillings 1 million or an imprisonment as defined in Section 6 (Kenya, 2016).

As mentioned earlier, the access control element under the rights-based test normally relates to how access to personal data by the state and private entities is regulated. Typically, the aspect of access to information is governed by the freedom/access to information law as well as the Data Protection Act. Regulating access to information is key it ensures citizens’ privacy rights are protected. Similarly, having a law that facilitates citizens’ access to information is important as it fosters good governance and accountability.

Notably, the management of information in Kenya is also influenced by the Public Archives and Documentation Service Act, Chapter 19 of the Laws of Kenya. Essentially, all records generated by public entities during the transaction of government business are regarded as public records and their management should be guided by this Act. In terms of digital identity, the provisions of Kenya’s Public Archives and Documentation Service Act are consistent with the provisions of the Data Protection Act 2019 as well as the Freedom Right to Information Act 2016.

While Kenya has made great strides toward facilitating access to information by citizens, it is also important to note that the right/freedom to information is not absolute. In this regard, there are certain categories of information whose access is restricted; for instance, information relating to national security matters. These restrictions are outlined in various acts such as the Official Secrets Act, Chapter 187 1970, National Intelligence Service Act 2012, Evidence Act 2012, and Security Laws (Amendment) Act of 2014. In particular, the Security Laws Amendment Act 2014 undermines access to information by inhibiting media freedom. Similarly, the Act compromises citizens’ privacy by giving the intelligence agencies surveillance powers.

In Kenya’s case, it is evident that the NIIM system is operating in an environment where the access control element of the CIS evaluation framework has been fulfilled by access to information law as well as a data protection act whose provisions are harmonized.

4.5. Policy and regulations to operationalize the Digital Identity system law and the Data Protection Act

A digital identity law can only operate effectively if supplemented by regulations specifying how the various components of the ID system will operate. Further, there is a need for a policy framework that outlines the various guidelines to be followed in the implementation of the digital ID law as well as the roles and responsibilities of the various actors.

In the Kenyan context, the absence of a stand-alone digital identity law means the NIIM system is anchored on Huduma-Namba regulations. Human rights organizations such as Article 19 have criticized this move by noting that regulations cannot be used to regulate and create substantive systems which have implications on the effective and proper functioning of government, and which directly affect an individual’s identity (Article 19 Eastern Africa, 2020). Whilst it is commendable to have regulations that elaborate the operations of the NIIM system, they should not be the basis upon which the system is founded.

On the question of policy, the government has formulated a data protection policy to operationalize the Data Protection Act 2019. Further, a staff at the ODPC intimated that the Data Protection Commissioner has already formulated data protection regulations which are currently being debated in parliament.

“We have already drafted the data protection regulations, as well as received views from the public in adherence to the public participation requirement. We have forwarded the draft regulations to parliament for consideration” (Nyambura, Reference Nyambura2021).

The upshot is that the existence of both the data protection regulations as well as the data protection policy means that there is an adequate policy framework to operationalize and ensure effective enforcement of the Data Protection Act 2019.

4.6. Law regulating the digital economy

Digital identity systems are an integral element of information communication and technologies (ICTs), and thus the need to have policies that aim to promote the modern and effective use of ICTs in the long term (Atick et al., Reference Atick, Gelb, Pahlavooni, Ramos and Safdar2014). In this respect, a comprehensive legal and regulatory framework for digital ID establishment and implementation should be broad enough to address legal and policy issues relating to the wider digital economy.

In essence, policies that are geared toward providing more connectivity and online access, improved digital education and training, as well as responsible use of the Internet will go a long way in promoting digital identity systems development (Atick et al., Reference Atick, Gelb, Pahlavooni, Ramos and Safdar2014). This is consistent with Sen’s capability approach, which advocates for an environment where citizens’ capabilities are nurtured by removing constraints that may undermine their freedoms (Sen, Reference Sen1999).

In Kenya, the government has made efforts to enact laws regulating the digital economy. For example, Kenya enacted a Computer Misuse and Cybercrimes Act in 2018. The Act seeks to regulate the country’s cyberspace and largely adopts the form and substance of the Budapest Convention on cybercrime. As such, the Act is aligned with international standards on cybercrime prevention. Further, the Act provides penalties for the misuse of computer systems, such as NIIMS (Kenya, 2018).

Likewise, Part VIA of the Kenya Information Communication Act Amended 2019 provides that the cabinet secretary can declare a system as a “protected system” for purposes of safeguarding the system from unauthorized access. Specifically, section 83Q provides that the cabinet secretary can gazette “protected systems,” such as NIIMS. Further, the section provides a fine not exceeding Kenya shillings 10 million or imprisonment for a term of 10 years or both to anyone who secures unauthorized access or attempts to secure unauthorized access to a protected system (Kenya, 2019b).

Notably, there are also other laws that seek to regulate citizens’ conduct in the digital space. These include provisions within Kenya’s penal code, and the Consumer Protection Act 2012.

In view of the above, arguably, Kenya has an adequate set of laws governing the digital economy. The provisions within the Computer Misuse and Cybercrimes Act 2018 and the amended Kenya Information Communication Act 2019, as well as broad provisions in the penal code and the Consumer Protection Act 2012, provide adequate mechanisms to address any cybercrimes that may arise during the implementation of the NIIM system.

4.7. Fundamental Rights and Duties

The rights-based test of the CIS evaluation framework that underpins this study provides that countries implementing digital ID systems should ensure that the adoption of digital ID systems does not exclude citizens or restrict their access to benefits and services.

Similarly, Amartya Sen’s capability approach provides that in policy design, the focus should always be on giving people the freedom to do what they are capable of doing and removing constraints that undermine their capabilities (Sen, Reference Sen1999). This is particularly relevant for this study as it seeks to ensure that countries do not deploy identity systems that undermine the fundamental rights of their citizens and prevent them from achieving their capabilities.

In Kenya’s case, chapter 4 of the constitution of Kenya (2010) provides for the Bill of Rights that guarantees specific fundamental rights and freedoms. In particular, Part Two of the Chapter provides for the following fundamental rights and freedoms:

• • The right to life;

• • Right to equality and freedom from discrimination;

• • Right to freedom and security of the person;

• • The prohibition of slavery, servitude and forced labour and

• • Freedom of conscience, religion, belief, and opinion (Kenya, 2010).

The right to equality and freedom from discrimination is particularly relevant for this study as it implies that the government is obliged to ensure that digital systems such as the NIIM system do not perpetuate discrimination or exclude citizens from accessing services. In view of the above, it is evident that the NIIM system in Kenya is being implemented in an environment where citizen’s fundamental rights and freedoms are clearly articulated and enshrined in the constitution.