See copied below unabridged version.
KRA ACCESS TO M-PESA TRANSACTIONS IS A GRAVE THREAT TO PRIVACY ON DATA
BY JAMES MBUGUA
As the Kenyan government looks for new ways to increase revenue collection
and curb tax cheating, the Kenya Revenue Authority has announced plans to
gain direct and warrantless access to M-Pesa transactions. While the
intentions of (KRA) may be noble, the methods proposed raise serious
concerns about privacy rights and the protection of personal data.
In fact, they constitute illegal searches and seizures contrary to Article
31 of the Constitution of Kenya, and well established jurisprudence on
privacy rights from around the world.
Article 31 provides for the right to privacy and states that every person
has the right to privacy, which includes the right not to have their
person, home or property searched; their possessions seized; information
relating to their family or private affairs unnecessarily required or
revealed; or the privacy of their communications infringed.
Kenya’s Data Protection Act of 2019, provides in Section 4 that a data
subject’s consent must be sought before their data is collected and
processed. Section 15 requires data controllers to obtain a warrant from a
court of law before accessing personal data. This is to ensure that the
collection, processing and sharing of personal data is necessary and
The High Court of Kenya, in the case of Center for Rights Education and
Awareness (CREAW) v Attorney General  , as well as in Maina Kiai v
Attorney General held that the government’s surveillance of citizens’
communications without a warrant is a violation of the right to privacy
protected under the Constitution.
KRA’s proposal in the Budget Policy Statement released by the National
Treasury last week, ironically came on the eve of Data Protection Week when
the world marks the International Data Protection Day, on 28th January.
In Europe, whose General Data Protection Regulation (GDPR) we largely
modelled our Act on, the principle of necessity and proportionality, in
collection of personal data, has repeatedly been upheld by courts when
government agencies have tried to access citizens’ telecommunications
information without warrants. The courts have ruled that general and
indiscriminate retention of personal data is incompatible with EU laws and
constitutional rights, because it represents a serious interference with
the right to privacy and the protection of personal data
In the Digital Rights Ireland vs. Minister for Communications case, as well
as another called the Tele2 case, the European Court of Justice (ECJ) ruled
that a law requiring telecommunications service providers to retain traffic
and location data for a period specified by national law in order to
detect, investigate and prosecute crime was invalid. The Court emphasized
that any interference with the right to privacy and the protection of
personal data must be proportionate to the legitimate aim pursued.
These cases reinforced the principle that any data retention measures must
be limited to what is strictly necessary to achieve a legitimate aim.
In Kenya’s case, it can be argued that KRA can achieve its mandate through
other means without large scale surveillance and interference with people’s
Further, granting KRA unfettered access to M-Pesa transactions data without
the need for court orders, violates constitutional protection against
illegal searches and seizures, also provided for under Article 31 of the
In the United States, for example, the Supreme Court has ruled that the
government’s warrantless access to historical cell phone location data is a
violation of the Fourth Amendment, which protects individuals against
unreasonable searches and seizures. The court found that the collection of
cell phone location data constitutes a search under the Fourth Amendment
and that the government must obtain a warrant based on probable cause
before accessing such data.
In Canada, the Supreme Court has ruled that the government’s warrantless
access to historical telecommunications data is a violation of the right to
privacy protected under the Canadian Charter of Rights and Freedoms. The
court found that the collection of telecommunications data constitutes a
search under the Charter and that the government must obtain a warrant
based on a reasonable expectation of privacy before accessing such data.