IMEI Numbers are Personal Data, Privacy Risks in the Absence of a Legal Framework – Katiba Institute v State Law Office and Kenya Revenue Authority

The High Court of Kenya's decision in Katiba Institute v State Law Office and Kenya Revenue Authority and 1 Others (Petition No. E6477 of 2024), delivered on July 18, 2025, at Milimani Law Courts, represents a significant judicial pronouncement on the intersection of privacy rights, administrative action, and regulatory measures in Kenya. The case addressed the constitutionality of public notices issued by the Communications Authority of Kenya (CAK) and the Kenya Revenue Authority (KRA), which mandated the collection and registration of International Mobile Equipment Identity (IMEI) numbers for mobile devices to curb tax evasion and illicit trade. The petitioner, Katiba Institute, a public interest litigant, challenged these notices, arguing they infringed on the constitutional right to privacy and other fundamental freedoms. The court's ruling in favor of the petitioner underscores the judiciary's role in safeguarding constitutional rights against overreaching administrative actions, particularly in the context of personal data and privacy in the digital age.

Background and Context

The dispute originated from two public notices issued by the CAK and KRA, published on their respective websites and X accounts. The CAK's notice, dated October 24, 2024, outlined requirements effective from January 1, 2025, mandating local device assemblers to upload IMEI numbers to a KRA portal, importers to disclose IMEI numbers in import documents, retailers and wholesalers to ensure devices were tax-compliant, and mobile network operators to verify device compliance via a whitelist database before connecting devices to their networks. Non-compliant devices faced grey-listing and potential blacklisting. The KRA's notice, issued on November 5, 2024, required travelers entering Kenya to declare IMEI numbers on the F88 passenger declaration form, alongside personal details such as passport numbers and flight information. These measures aimed to enhance tax compliance and prevent illicit trade in mobile devices.

Katiba Institute, supported by affidavits from Nora Mbagathi and Anand Venkatanarayanan, filed a petition in the Constitutional and Human Rights Division of the High Court, naming the CAK, KRA, and Attorney General as respondents. Additional parties, including the Data Privacy and Governance Society Kenya, International Commission of Jurists (Kenya), Law Society of Kenya, and Consumers Federation of Kenya, joined as interested parties, while Ideate Policy Africa Limited participated as amicus curiae. The petitioner argued that the notices violated the right to privacy under Article 31 of the Constitution of Kenya, as IMEI numbers, when linked to a user's device and network, constituted personal data capable of identifying individuals. The respondents countered that IMEI numbers were technical identifiers, not personal data, and their collection was justified for regulatory and revenue purposes.

Legal Issues

The case raised several critical legal questions:

  1. Jurisdiction: Did the High Court have jurisdiction to hear the petition, given the availability of alternative remedies through administrative bodies like the Communications and Multimedia Appeals Tribunal or the Office of the Data Protection Commissioner?

  2. Res Judicata: Was the petition barred by res judicata, as the respondents claimed, due to a prior case (Communications Authority of Kenya v Okiya Omtatah Okoth & 8 Others) addressing a related issue?

  3. Privacy Rights: Did the mandatory collection of IMEI numbers infringe on the right to privacy under Article 31, and if so, was the limitation permissible under Article 24 of the Constitution?

  4. Administrative Action: Were the notices lawful administrative actions, or did they constitute statutory instruments requiring parliamentary scrutiny under the Statutory Instruments Act?

  5. Constitutional Violations: Did the notices violate other constitutional provisions, such as fair administrative action (Article 47), human dignity (Article 28), equality (Article 27), and the separation of powers (Articles 94 and 95)?

Petitioner's Arguments

Katiba Institute argued that IMEI numbers, while initially technical identifiers, become personal data once a device is purchased, activated, and registered with a mobile network. When linked with other data, such as a SIM card or personal details from the F88 form, IMEI numbers could reveal sensitive information, including a person's identity, location, and communication patterns. This, they contended, violated Article 31, which protects individuals from unnecessary disclosure of personal or private affairs and infringement of communication privacy. The petitioner further argued that the creation of a master database of IMEI numbers posed risks of mass surveillance and self-censorship, threatening freedom of expression and association.

The notices were also challenged as unconstitutional for lacking a legal basis. The petitioner asserted that they constituted statutory instruments under the Statutory Instruments Act, requiring parliamentary scrutiny, which was not undertaken. This failure, they argued, violated the separation of powers under Articles 94 and 95. Additionally, the notices were said to contravene the Data Protection Act, as they lacked provisions for genuine consent and a data protection impact assessment, as required by Sections 40 and 31. The petitioner highlighted the notices' discriminatory impact, particularly on marginalized groups, arguing that non-registration could block access to essential services like mobile banking, violating Articles 27 (equality) and 28 (human dignity). Finally, the notices were deemed unreasonable and procedurally unfair under Article 47 and the Fair Administrative Action Act, as they were issued without public participation or adequate justification.

Respondents' Arguments

The respondents, comprising the CAK, KRA, and Attorney General, defended the notices as lawful administrative actions within their statutory and constitutional mandates. The CAK cited its authority under the Kenya Information and Communications Act to regulate communications equipment, while the KRA relied on Articles 209 and 210 of the Constitution to ensure tax compliance. They argued that IMEI numbers were not personal data under Section 2 of the Data Protection Act, as they were technical identifiers assigned to devices, not individuals, and were collected for regulatory purposes, such as preventing tax evasion, counterfeiting, and unauthorized network access. The respondents maintained that the notices did not require parliamentary approval, as they were administrative directives, not statutory instruments.

The respondents further contended that the right to privacy was not absolute and could be limited under Article 24 for legitimate public interest objectives, such as consumer protection (Article 46) and revenue collection (Article 201). They argued that the whitelist system complemented existing blacklists for stolen devices, addressing distinct regulatory needs. The respondents denied surveillance risks, asserting that IMEI data remained anonymized and unrelated to personal information. They also challenged the court's jurisdiction, citing alternative remedies through administrative bodies, and raised res judicata, referencing the prior Okiya Omtatah case, which they claimed addressed similar issues.

Interested Parties and Amicus Curiae

The interested parties supported the petitioner, emphasizing the privacy risks of IMEI collection. The Data Privacy and Governance Society Kenya argued that linking IMEI numbers with personal data, such as passport details on the F88 form, made them personal data under the Data Protection Act. They criticized the respondents for failing to demonstrate less intrusive means of achieving tax compliance and for not conducting a data protection impact assessment. The Consumers Federation of Kenya highlighted the notices' impact on digital inclusion, particularly for marginalized groups reliant on mobile services. The amicus curiae, Ideate Policy Africa Limited, cited international precedents, including the EU GDPR and Nigerian Data Protection Regulations, to argue that IMEI numbers constituted personal data when linked to individuals, posing surveillance risks. They urged the court to apply the limitation test under Article 24 to assess the notices' constitutionality.

Court's Analysis and Findings

Jurisdiction

The court affirmed its jurisdiction under Article 165(3)(b) and (d) of the Constitution, which empowers the High Court to determine whether a right or fundamental freedom in the Bill of Rights has been violated or threatened and whether actions are inconsistent with the Constitution. The respondents' argument that alternative remedies through administrative bodies ousted the court's jurisdiction was rejected. The court noted that such bodies, like the Communications and Multimedia Appeals Tribunal, lacked the mandate to address constitutional questions or provide effective remedies for the petitioner's claims. Citing Albert Chaurembo Mumma & 7 Others v Maurice Munyao & 148 Others and In re the Matter of the Interim Independent Electoral Commission, the court emphasized that its jurisdiction stemmed directly from the Constitution and could not be curtailed by alternative remedies unless those remedies were demonstrably effective.

Res Judicata

The court dismissed the respondents' res judicata claim, finding that the Okiya Omtatah case addressed a different issue: government surveillance through a specific device management system, not the IMEI registration framework. The parties and issues in the present case were distinct, and the prior case did not determine the constitutionality of IMEI collection. The court applied the test from John Florence Maritime Services Limited v Cabinet Secretary Transport & Infrastructure & 3 Others, requiring identical parties, issues, and a final determination by a competent court, none of which were satisfied here.

Privacy Rights

The central issue was whether IMEI numbers constituted personal data and whether their mandatory collection violated Article 31. The court adopted a purposive interpretation, aligning with the Data Protection Act and the EU GDPR, which define personal data as information relating to an identified or identifiable person. While IMEI numbers are initially technical identifiers, the court found that they become personal data once a device is purchased, activated, and registered with a mobile network, as they can be linked to personal details like phone numbers, location data, and communication patterns. The F88 form's requirement to pair IMEI numbers with passport details further reinforced this linkage.

The court held that the notices threatened the right to privacy under Article 31, which protects against unnecessary disclosure of personal affairs and infringement of communication privacy. The respondents failed to demonstrate a lawful basis for the limitation under Article 24, which requires that any restriction on a fundamental right be prescribed by law, reasonable, and justifiable in a democratic society. The notices, as administrative actions, lacked a statutory foundation and were not tabled in Parliament as required for statutory instruments. The court also found that the respondents did not conduct a data protection impact assessment or ensure genuine consent, violating the Data Protection Act.

Administrative Action and Constitutional Violations

The court ruled that the notices were procedurally unfair under Article 47 and the Fair Administrative Action Act, as they were issued without public participation, adequate justification, or stakeholder consultation. The respondents' failure to demonstrate less restrictive means of achieving tax compliance further undermined the notices' legitimacy. The court also found violations of Article 27 (equality), as the notices disproportionately affected marginalized groups by putting their access to essential services at risk, and Article 28 (human dignity), due to the potential for surveillance and self-censorship. The separation of powers argument was upheld, as the notices usurped Parliament's legislative role by imposing mandatory requirements without statutory backing.

Court's Orders

The court issued the following orders:

  1. Declared the notices unconstitutional and unlawful for lacking a legal basis and threatening privacy rights.

  2. Declared that the mandatory disclosure of IMEI numbers violated Article 31.

  3. Issued an order of certiorari quashing the notices.

  4. Issued an order of prohibition preventing the respondents and other state agencies from implementing the notices.

  5. Ordered each party to bear their own costs, recognizing the public interest nature of the litigation.

Implications and Significance

The decision reinforces Kenya's constitutional commitment to protecting privacy in the digital era, particularly as personal data becomes increasingly vulnerable to misuse. By recognizing IMEI numbers as personal data when linked to individuals, the court sets a precedent for scrutinizing regulatory measures that involve data collection. The ruling emphasizes the need for a clear legal framework, public participation, and adherence to data protection principles, aligning Kenya's jurisprudence with international standards like the EU GDPR.

The judgment also highlights the judiciary's role in checking administrative overreach. By invalidating the notices for bypassing parliamentary scrutiny, the court reaffirms the separation of powers and the requirement for statutory instruments to undergo legislative oversight. The decision protects marginalized communities by acknowledging the notices' potential to exacerbate digital exclusion, ensuring that regulatory measures do not disproportionately harm vulnerable groups.

However, the ruling poses challenges for regulatory bodies like the CAK and KRA, which must balance legitimate objectives like tax compliance with constitutional protections. The court's insistence on less restrictive means suggests that future measures must explore alternative methods, such as enhanced blacklisting systems, to achieve regulatory goals without compromising privacy.

Conclusion

The Katiba Institute case is a landmark decision that underscores the primacy of constitutional rights in the face of administrative actions. By striking down the CAK and KRA notices, the High Court reaffirmed the right to privacy as a cornerstone of Kenya's Bill of Rights, requiring robust legal safeguards for personal data collection. The ruling serves as a cautionary tale for state agencies, emphasizing the need for transparency, public participation, and statutory compliance in regulatory frameworks. As Kenya navigates the complexities of digital governance, this decision provides a critical framework for balancing public interest with individual rights, ensuring that technological advancements do not come at the expense of fundamental freedoms.