The High Court has struck down the government’s IMEI registration directive, ruling it unconstitutional and lacking a legal basis, effectively halting plans for a central mobile device database linked to tax compliance.
- •In a ruling delivered on Friday, Justice Chacha Mwita held that the notices issued by the Communications Authority of Kenya (CA) and the Kenya Revenue Authority (KRA) were “not based on any law” and thus violated Articles 24 and 31 of the Constitution, which guarantee the right to privacy.
- •He issued an order prohibiting the government from implementing the directive, citing its potential to enable “unchecked state surveillance.”
- •The judgment closes a months-long legal standoff triggered by public notices posted in October and November 2024 by the two state agencies, which would have taken effect on January 1, 2025.
Under the proposed framework, all device importers, manufacturers, retailers, and even passengers entering Kenya were to declare the IMEI numbers of mobile phones in their possession. Mobile service providers would only be permitted to connect devices listed in a national database, effectively blocking unregistered phones from accessing Kenyan networks.
Why it Matters
“This judgment is important in establishing IMEI numbers can be personal data and countering the risk of pervasive surveillance through our devices. The court continues to protect our constitutional rights against the infringements of technological advancements,” Executive Director at Katiba Institute, Nora Mbagathi said.
IMEI numbers, which are uniquely tied to a phone’s hardware, serve as digital fingerprints. When combined with subscriber information, they can be used to trace the location of a device within a 100-meter radius and to link a user to their communication history. Privacy advocates argued that such centralized collection would have enabled mass tracking of individuals without judicial oversight.
The petition brought by Katiba Institute and supported by the Data Privacy and Governance Society of Kenya and the Law Society of Kenya, challenged the constitutionality of the directives on multiple fronts: a breach of privacy rights, unlawful limitation of rights without legislation, lack of public participation, failure to conduct a data protection impact assessment, and usurpation of Parliament’s lawmaking authority.
“The unnecessary creation of a master database of IMEI numbers threatens the right to privacy and is a building block towards unwarranted and unmitigated mass surveillance,” the petitioners said.
In its legal filings, Katiba Institute warned that the state was building the foundations of a surveillance regime through executive fiat and doing so without the legislative legitimacy required by Article 94 of the Constitution. The notices, though framed as regulatory instruments, had not been tabled before Parliament as required by the Statutory Instruments Act, and lacked a clear legal mandate.
The petitioners further argued that the directive violated the Data Protection Act by failing to obtain genuine, informed consent from data subjects. Citizens were faced with a coercive ultimatum to register their devices or face digital exclusion. According to the law, consent must be freely given, a standard not met when denial results in disconnection from mobile services.
Critics also highlighted the absence of a data protection impact assessment, which is mandatory under Section 31 of the Data Protection Act where personal data processing poses a high risk to individual rights. Neither CA nor KRA disclosed any such assessment, even though the proposed IMEI collection scheme would have involved large-scale processing of sensitive, trackable information.
While the government defended the plan as an anti-counterfeit and tax compliance measure, the court found that the goal did not justify the means. Justice Mwita ruled that the directive went too far and was not the least restrictive means of achieving its stated aims.
The court also faulted the blanket requirement for IMEI disclosure by visitors entering Kenya, terming it disproportionate and lacking in procedural safeguards. Under the now-nullified framework, travelers would have had to declare their devices at the border, an obligation critics said was invasive, poorly explained, and unworkable.
In supporting documents, petitioners noted that existing anti-counterfeit solutions already rely on anonymized blacklists of stolen or non-compliant phones, a less intrusive alternative widely used internationally. The proposed whitelist system, in contrast, would have collected data from all lawful users and tied it to state-managed controls on mobile network access, creating what the petitioners called an “Orwellian architecture” of surveillance.
The ruling reaffirms Parliament’s exclusive authority to make laws affecting fundamental rights and signals judicial willingness to push back against executive overreach. It also sets a new bar for digital-era policymaking, requiring transparency, consultation, and evidence-based assessments whenever state action touches on personal data and civil liberties.
