Authored By: Shelby Wanjiru Ngigi
Kenya School of Law
1. Case Citation and Basic Information
- Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Katiba Institute & another (Ex parte)
- Alternative citation: Katiba Institute & another v Attorney General & another [2021] eKLR
- Court: High Court of Kenya at Nairobi
- Date of Decision: 14 October 2021
- Judge: Justice Jairus Ngaah
2. Introduction
This case is a landmark in Kenya’s constitutional and statutory jurisprudence on data protection. The government sought to roll out Huduma Cards as part of the National Integrated Identity Management System (NIIMS), consolidating citizens’ personal data into a single digital identity. Petitioners, led by Katiba Institute, challenged the rollout on grounds that the government had failed to comply with Section 31 of the Data Protection Act, 2019, which requires a Data Protection Impact Assessment (DPIA) for projects likely to pose high risks to personal data.
The High Court agreed, declaring the rollout unconstitutional and unlawful without compliance with statutory safeguards. This judgment is significant because it was the first to apply Kenya’s newly enacted Data Protection Act, reinforcing the principle that state projects involving personal data must undergo rigorous risk assessment. It established a binding precedent that privacy rights are not optional in digital governance, but a constitutional and statutory requirement.
3. Facts of the Case
The government introduced Huduma Cards in 2020 as part of NIIMS, intended to replace existing national ID cards. Citizens were required to register and provide biometric and biographical data. Petitioners argued that the rollout lacked transparency and failed to comply with the Data Protection Act, particularly the requirement for a DPIA.
Section 31 of the Act mandates that any project likely to pose high risks to personal data must undergo a DPIA before implementation. Petitioners contended that Huduma Cards involved sensitive biometric data and therefore required strict safeguards.
The Attorney General and Ministry of ICT defended the rollout, arguing that NIIMS was lawful and necessary for modernization of service delivery. They claimed that existing administrative measures were sufficient to protect data. The High Court was tasked with determining whether the rollout violated constitutional privacy rights and statutory obligations under the Data Protection Act.
4. Legal Issues
- Whether the rollout of Huduma Cards without a DPIA violated Section 31 of the Data Protection Act, 2019.
- Whether the government’s actions infringed the constitutional right to privacy under Article 31 of the Constitution of Kenya.
- Whether administrative measures alone, absent statutory compliance, were sufficient to safeguard citizens’ personal data.
- Whether the Huduma Card initiative could lawfully proceed in the absence of demonstrable compliance with Kenya’s data protection framework.
5. Arguments Presented
5.1 Petitioners’ Arguments
- Section 31 imposes a mandatory obligation to conduct a DPIA for projects likely to pose high risks to personal data. Huduma Cards clearly fell within this category.
- Rolling out Huduma Cards without safeguards violated Article 31 of the Constitution.
- Comparative frameworks such as the EU’s GDPR require DPIAs for high‑risk processing, underscoring Kenya’s obligations under global best practice.
- Without a DPIA, citizens faced risks of surveillance, misuse of sensitive data, and erosion of trust in government systems.
5.2 Respondents’ Arguments
- Huduma Cards were necessary to modernize service delivery, reduce fraud, and enhance efficiency.
- Administrative measures and existing statutes provided adequate safeguards.
- The DPIA requirement was not intended to halt ongoing projects but to guide implementation, and compliance could be achieved progressively.
- Because NIIMS began in 2019, before the Data Protection Act was enacted, the government argued it should not be forced to retrospectively comply.
6. Court’s Reasoning and Analysis
Justice Jairus Ngaah began by situating the dispute within the framework of Kenya’s 2010 Constitution and the Data Protection Act, 2019. He emphasized that the right to privacy under Article 31 is a fundamental right, and any state initiative involving collection and processing of personal data must comply with both constitutional and statutory safeguards.
The court noted that Huduma Cards involved the processing of sensitive biometric and biographical data, which by its nature posed a high risk to individual privacy. Section 31 of the Data Protection Act explicitly requires a Data Protection Impact Assessment (DPIA) for projects likely to result in such risks. The judge rejected the government’s argument that administrative measures were sufficient, holding that statutory compliance was mandatory and not optional.
In interpreting Section 31, the court stressed that the DPIA requirement was designed to ensure accountability and transparency before implementation of large‑scale data projects. It was not a mere procedural formality but a substantive safeguard intended to identify risks, propose mitigation measures, and protect citizens against misuse of their personal information. By failing to conduct a DPIA, the government had acted unlawfully and in violation of both the Constitution and the Data Protection Act.
The court also examined comparative jurisprudence, particularly the European Union’s General Data Protection Regulation (GDPR), which similarly mandates DPIAs for high‑risk processing. Justice Ngaah observed that Kenya’s Data Protection Act was modeled on international best practice, and therefore compliance with its provisions was essential to align Kenya with global standards of privacy protection.
On the government’s claim of legitimate state interest, the court acknowledged that modernization of identity systems and efficiency in service delivery were valid objectives. However, it held that such objectives could not override constitutional rights. The principle of proportionality required that state initiatives balance public interest with individual rights, and in this case, the absence of a DPIA meant that the balance was skewed against citizens’ privacy.
The court further rejected the argument that compliance could be achieved progressively. It held that the law required a DPIA before rollout, not after. Allowing retrospective compliance would defeat the purpose of the safeguard and expose citizens to risks without prior assessment.
Ultimately, the court concluded that the rollout of Huduma Cards without a DPIA was unconstitutional, unlawful, and procedurally improper. It declared the rollout invalid until the government conducted a DPIA in accordance with Section 31 of the Data Protection Act. This reasoning underscored the judiciary’s role in enforcing constitutional rights and statutory obligations, even in the face of state projects framed as modernization initiatives.
7. Judgment and Ratio Decidendi
Justice Jairus Ngaah ruled decisively in favor of the petitioners, finding that the rollout of Huduma Cards was unconstitutional and unlawful due to non‑compliance with Section 31 of the Data Protection Act, 2019. The court emphasized that a Data Protection Impact Assessment (DPIA) was a mandatory condition precedent – a safeguard that must be completed before any high‑risk data processing project could lawfully proceed.
On the government’s argument that NIIMS began before the Data Protection Act was enacted, the court rejected the claim of retrospectivity. Justice Ngaah clarified that data processing is an ongoing act, and since the rollout of Huduma Cards was happening after the Act came into force, the government was obligated to comply with the law as it exists today. He famously remarked that the state had “put the cart before the horse,” attempting to reap the benefits of data collection without planting the seeds of protection required by law.
To give effect to this reasoning, the court issued three prerogative orders:
- Certiorari: Quashing the government’s decision of 18 November 2020 to roll out Huduma Cards.
- Mandamus: Compelling the government to conduct a DPIA in accordance with Section 31 of the Data Protection Act before any rollout.
- Prohibition: Barring the government from further rollout of Huduma Cards until the DPIA was completed and validated by the Office of the Data Protection Commissioner (ODPC).
Ratio decidendi: The binding principle established is that large‑scale data processing projects, such as national identity systems, cannot lawfully proceed without prior compliance with Section 31 of the Data Protection Act. Privacy rights under Article 31 of the Constitution require proactive safeguards, and statutory obligations must be fulfilled before implementation.
This judgment reinforced the centrality of privacy in Kenya’s digital governance and underscored the judiciary’s role in ensuring that modernization initiatives respect constitutional and statutory protections.
8. Critical Analysis
8.1 Significance of the Decision
The Huduma Card ruling was a landmark in Kenya’s constitutional and statutory jurisprudence on privacy. It was the first major application of the Data Protection Act, 2019, and it firmly established that compliance with statutory safeguards is a condition precedent to any large‑scale data processing project. By declaring the rollout unconstitutional without a Data Protection Impact Assessment (DPIA), the court elevated privacy from a theoretical right to a practical requirement in governance. Justice Ngaah’s “cart before the horse” analogy captured the essence of the ruling: modernization cannot precede protection.
8.2 Implications and Impact
The immediate impact was to halt the rollout of Huduma Cards until a DPIA was conducted and validated by the Office of the Data Protection Commissioner (ODPC). This reinforced the ODPC’s role as a statutory watchdog, ensuring accountability in data governance. The ruling also clarified that retrospectivity arguments cannot shield ongoing projects – once the law is enacted, continuing data processing must comply.
In practice, the government did conduct a DPIA after the judgment, filed it with the ODPC, and secured clearance to resume rollout. Yet the precedent continues to shape Kenya’s digital governance. In 2023–2024, the government introduced Maisha Namba (Unique Personal Identifier), which has faced similar legal challenges regarding DPIAs and public participation. Privacy advocates consistently invoke Justice Ngaah’s ruling as their primary weapon, demonstrating its enduring influence.
8.3 Critical Evaluation
The judgment’s strengths lie in its clarity and insistence on statutory compliance. By rejecting retrospective arguments, the court ensured that rights evolve with the law and remain enforceable. The issuance of three prerogative orders – Certiorari, Mandamus, and Prohibition – underscored the seriousness of the violation and provided layered remedies: quashing the rollout decision, compelling compliance, and prohibiting further action until safeguards were in place.
One limitation was that the court did not define the substantive standards for DPIAs, leaving room for minimal compliance. However, this gap was later addressed by the Data Protection (General) Regulations, 2021, which provided detailed guidance on what a DPIA must contain. In this way, the ruling and subsequent regulations worked in tandem: the court established the principle, and the regulations supplied the operational detail.
Critics argue that the ruling slowed innovation and delayed service delivery. Yet the decision struck a necessary balance between efficiency and rights, reminding the state that modernization cannot come at the expense of constitutional guarantees.
9. Conclusion
The Huduma Card ruling in Katiba Institute & another v Attorney General & another [2021] eKLR marked a turning point in Kenya’s data protection jurisprudence. By halting the rollout until a Data Protection Impact Assessment (DPIA) was conducted, the High Court underscored that privacy safeguards are not optional but a constitutional and statutory requirement. Justice Ngaah’s “cart before the horse” analogy captured the essence of the judgment: modernization must follow, not precede, protection.
The court’s issuance of three prerogative orders – Certiorari, Mandamus, and Prohibition – provided layered remedies that quashed the rollout decision, compelled compliance, and barred further action until safeguards were in place. This reinforced the authority of the Office of the Data Protection Commissioner (ODPC) and elevated the DPIA into a central accountability mechanism.
The ruling’s legacy extends beyond Huduma Cards. It set a precedent that continues to shape Kenya’s digital governance, influencing subsequent projects such as Maisha Namba. While the government later conducted a DPIA and resumed rollout, the case remains a benchmark for privacy advocates and a reminder that efficiency cannot override fundamental rights. Its lasting impact is the entrenchment of privacy as a cornerstone of Kenya’s constitutional order in the digital age.
10. References
Primary Sources
- Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology & 2 others; Katiba Institute & another (Ex parte) [2021] eKLR.
- Nubian Rights Forum & 2 others v Attorney General & 6 others [2020] eKLR (Consolidated Petitions 56, 58 & 59 of 2019).
- Constitution of Kenya, 2010, art 31.
- Data Protection Act, No 24 of 2019 (Kenya).
- Data Protection (General) Regulations, 2021 (Kenya).
Secondary/Comparative Sources
- European Union General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- Office of the Data Protection Commissioner (Kenya), Guidance on Data Protection Impact Assessments (ODPC, 2022).
- Katiba Institute, Press Statement on Huduma Namba Ruling (October 2021).

