{"id":124954,"date":"2025-11-19T07:07:49","date_gmt":"2025-11-19T07:07:49","guid":{"rendered":"https:\/\/chezaspin.com\/blog\/index.php\/2025\/11\/19\/facts-kenyas-new-sim-rules-and-the-biometric-data-controversy\/"},"modified":"2025-11-19T07:07:49","modified_gmt":"2025-11-19T07:07:49","slug":"facts-kenyas-new-sim-rules-and-the-biometric-data-controversy","status":"publish","type":"post","link":"https:\/\/chezaspin.com\/blog\/facts-kenyas-new-sim-rules-and-the-biometric-data-controversy\/","title":{"rendered":"Facts: Kenya\u2019s new SIM rules and the biometric data controversy"},"content":{"rendered":"<p><strong>NAIROBI, Kenya, Nov 19 \u2014 Newly revised SIM-card registration regulations have sparked public concern over the scope of personal data referenced in the law \u2014 particularly the inclusion of highly sensitive biometric identifiers such as DNA, retinal scans, earlobe geometry and fingerprints.<\/strong><\/p>\n<p>While the regulations <em>mention<\/em> these categories, they do not instruct mobile operators to collect them. Instead, their appearance stems from an expanded legal definition that has left many Kenyans questioning what the regulations actually empower and what they do not.<\/p>\n<p>The rules \u2014 formally titled the <em>Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025<\/em> \u2014 took effect through Legal Notice No. 90 of 30 May 2025. They replace Kenya\u2019s previous SIM-registration framework with stricter verification and data-governance obligations designed to curb identity theft, SIM-box fraud and misuse of mobile-enabled digital services.<\/p>\n<p>The controversy centres on Regulation<strong> 2<\/strong>, which defines <em>biometric data<\/em> as personal data derived from physical, physiological or behavioural attributes. The illustrative list includes DNA analysis, fingerprints, retinal scans, voice recognition and other markers typically classified as highly sensitive.<\/p>\n<p>This means the law acknowledges DNA and retinal scans within its definition \u2014 but this is not the same as requiring their collection. The operative provisions that follow set out what telcos must do, and none of them mandate taking biometric samples.<\/p>\n<h3 class=\"wp-block-heading\"><strong>What mobile operators must collect<\/strong><\/h3>\n<p>Under the new rules, telcos must:<\/p>\n<p>Register subscribers using original identification documents \u2014 such as national IDs, passports or birth certificates;<\/p>\n<p>Authenticate these documents through relevant government databases;<\/p>\n<p>Securely store registration records and update subscriber information within seven days of any change;<\/p>\n<p>Implement data-protection and cybersecurity controls consistent with the Data Protection Act, 2019.<\/p>\n<p>The Communications Authority (CA) also gains enhanced audit powers, allowing it to access operator systems, records and infrastructure to verify compliance.<\/p>\n<h3 class=\"wp-block-heading\"><strong>When service can be suspended<\/strong><\/h3>\n<p>The regulations limit suspension or disconnection to cases where a subscriber provides false information or fails repeatedly to complete registration. Operators must issue prior notice before taking such action.<br \/>Complaints over wrongful registration must be resolved within 30 days, during which affected subscribers are entitled to a fair hearing.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Why privacy advocates are concerned<\/strong><\/h3>\n<p>Despite CA\u2019s assurances, the broad definition of biometrics has unsettled data-rights groups. They argue that the gap between what is defined and what is required could leave room for future policy overreach, especially given that the Data Protection Act classifies biometric information as sensitive personal data that can only be collected under strict necessity and proportionality tests.<\/p>\n<h3 class=\"wp-block-heading\"><strong>CA\u2019s clarification<\/strong><\/h3>\n<p>Amid public unease, the CA has repeatedly stressed that no operator has been instructed \u2014 formally or informally \u2014 to gather biometric identifiers such as fingerprints, retinal scans or DNA samples.<\/p>\n<p>\u201cFor the avoidance of doubt, CA has NOT issued any directives for the collection of biometric data by our licensees.\u201d<\/p>\n<p>\u201cThe new SIM Card Regulations do not contain any provision requiring the collection of biometric data.\u201d<\/p>","protected":false},"excerpt":{"rendered":"<p>NAIROBI, Kenya, Nov 19 \u2014 Newly revised SIM-card registration regulations have sparked public concern over the scope of personal data referenced in the law \u2014 particularly the inclusion of highly sensitive biometric identifiers such as DNA, retinal scans, earlobe geometry and fingerprints. While the regulations mention these categories, they do not instruct mobile operators to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-124954","post","type-post","status-publish","format-standard","hentry","category-uncategorized","entry"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts\/124954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/comments?post=124954"}],"version-history":[{"count":0,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/posts\/124954\/revisions"}],"wp:attachment":[{"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/media?parent=124954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/categories?post=124954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chezaspin.com\/blog\/wp-json\/wp\/v2\/tags?post=124954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}