From: email@example.com <firstname.lastname@example.org>
Sent: Thursday, February 2, 2023 1:47 PM
To: Bankelele <email@example.com>
Subject: KICTANet Digest, Vol 179, Issue 46
Send KICTANet mailing list submissions to
To subscribe or unsubscribe via email, send a message with subject or
body ‘help’ to
You can reach the person managing the list at
When replying, please edit your Subject line so it is more specific
than “Re: Contents of KICTANet digest…”
1. Re: KRA Should Keep of MPESA (Kukubo Masibo)
2. Re: Users allowed to sue Safaricom over clients bank details access
3. Re: Users allowed to sue Safaricom over clients bank details access
From: Kukubo Masibo <firstname.lastname@example.org>
Subject: [kictanet] Re: KRA Should Keep of MPESA
To: “Kenya’s premier ICT Policy engagement platform”
Interesting article James,
I am also curious whether KRA has conducted a Data Protection Impact
Assessment to assess the risks to personal data that come with the exercise
and to introduce sufficient safeguards.
On Mon, Jan 30, 2023 at 11:44 AM James Mbugua via KICTANet <
> See copied below unabridged version.
> KRA ACCESS TO M-PESA TRANSACTIONS IS A GRAVE THREAT TO PRIVACY ON DATA
> PROTECTION WEEK
> BY JAMES MBUGUA
> As the Kenyan government looks for new ways to increase revenue collection
> and curb tax cheating, the Kenya Revenue Authority has announced plans to
> gain direct and warrantless access to M-Pesa transactions. While the
> intentions of (KRA) may be noble, the methods proposed raise serious
> concerns about privacy rights and the protection of personal data.
> In fact, they constitute illegal searches and seizures contrary to Article
> 31 of the Constitution of Kenya, and well established jurisprudence on
> privacy rights from around the world.
> Article 31 provides for the right to privacy and states that every person
> has the right to privacy, which includes the right not to have their
> person, home or property searched; their possessions seized; information
> relating to their family or private affairs unnecessarily required or
> revealed; or the privacy of their communications infringed.
> Kenya’s Data Protection Act of 2019, provides in Section 4 that a data
> subject’s consent must be sought before their data is collected and
> processed. Section 15 requires data controllers to obtain a warrant from a
> court of law before accessing personal data. This is to ensure that the
> collection, processing and sharing of personal data is necessary and
> The High Court of Kenya, in the case of Center for Rights Education and
> Awareness (CREAW) v Attorney General  , as well as in Maina Kiai v
> Attorney General held that the government’s surveillance of citizens’
> communications without a warrant is a violation of the right to privacy
> protected under the Constitution.
> KRA’s proposal in the Budget Policy Statement released by the National
> Treasury last week, ironically came on the eve of Data Protection Week when
> the world marks the International Data Protection Day, on 28th January.
> In Europe, whose General Data Protection Regulation (GDPR) we largely
> modelled our Act on, the principle of necessity and proportionality, in
> collection of personal data, has repeatedly been upheld by courts when
> government agencies have tried to access citizens’ telecommunications
> information without warrants. The courts have ruled that general and
> indiscriminate retention of personal data is incompatible with EU laws and
> constitutional rights, because it represents a serious interference with
> the right to privacy and the protection of personal data
> In the Digital Rights Ireland vs. Minister for Communications case, as
> well as another called the Tele2 case, the European Court of Justice (ECJ)
> ruled that a law requiring telecommunications service providers to retain
> traffic and location data for a period specified by national law in order
> to detect, investigate and prosecute crime was invalid. The Court
> emphasized that any interference with the right to privacy and the
> protection of personal data must be proportionate to the legitimate aim
> These cases reinforced the principle that any data retention measures must
> be limited to what is strictly necessary to achieve a legitimate aim.
> In Kenya’s case, it can be argued that KRA can achieve its mandate through
> other means without large scale surveillance and interference with people’s
> Further, granting KRA unfettered access to M-Pesa transactions data
> without the need for court orders, violates constitutional protection
> against illegal searches and seizures, also provided for under Article 31
> of the Constitution.
> In the United States, for example, the Supreme Court has ruled that the
> government’s warrantless access to historical cell phone location data is a
> violation of the Fourth Amendment, which protects individuals against
> unreasonable searches and seizures. The court found that the collection of
> cell phone location data constitutes a search under the Fourth Amendment
> and that the government must obtain a warrant based on probable cause
> before accessing such data.
> In Canada, the Supreme Court has ruled that the government’s warrantless
> access to historical telecommunications data is a violation of the right to
> privacy protected under the Canadian Charter of Rights and Freedoms. The
> court found that the collection of telecommunications data constitutes a
> search under the Charter and that the government must obtain a warrant
> based on a reasonable expectation of privacy before accessing such data.