KRA phone monitoring: How legal is it and should you be worried?


The government has announced that the Kenya Revenue Authority (KRA) will from January 1, 2025, begin monitoring all locally assembled and imported mobile phones sold in the country to ensure tax compliance.

Under the new guidelines published by the Communications Authority of Kenya (CA) this week, phone manufacturers, importers and retailers, as well as mobile network operators, are required to upload the International Mobile Equipment Identity (IMEI) numbers of all devices assembled or imported after November 1, 2024, into a KRA portal for tax compliance monitoring.

WHAT IS IMEI?

For starters, an IMEI number is a 15-digit number unique to each device, which mobile network providers use to identify valid devices.

In most countries worldwide, IMEI numbers are often used for security purposes, not tax compliance.

Law enforcement agencies, through these network operators, use them to track devices that may be stolen or compromised and block them from accessing the network. Most jurisdictions handle tax compliance at customs and clearance points.

This is why KRA’s compliance monitoring push through IMEI numbers has raised eyebrows for potentially infringing on Kenyans’ right to privacy and the risks it poses.

Under the Data Protection Act, which governs data privacy, a data subject has a right to, among others, be informed of the use to which their personal data is to be put.

The law also gives a data controller or data processor permission to collect, store or use personal data for a purpose which is lawful, specific and explicitly defined.

A data controller or data processor is further required to, before collecting personal data, inform the data subject of the rights of the data subject specified; that personal data is being collected; and the purpose for which the personal data is being collected.

They are also required to disclose the third parties to whom personal data has been or will be transferred; the contacts of the data controller or data processor; and whether any other entity may receive the collected personal data, among others.

‘EXCESS DATA’

In this case, the law gives data processors and controllers such as banks, telecommunication companies or government agencies permission to collect people’s data so long as there is a basis for it, such as legal obligations as in the case of KRA when they need to capture information for revenue purposes.

However, analysts say the latest move by the government is questionable under the data minimisation principle, which means collecting the minimum amount of personal data you need for your service.

Data minimisation essentially means one cannot collect more data than one needs to provide the elements of a service one wants to use it for.

“If you are collecting an IMEI number from someone, you need to prove that information is absolutely necessary for the purpose you need, otherwise that is excess. If whatever KRA wants to do with these numbers can be done with other data, then this can be seen as an excessive request,” a Nairobi-based intellectual property and technology lawyer who requested anonymity told Citizen Digital.

“If you are looking for unique identifiers for tax purposes, isn’t there other information you can use that is not as intrusive?”

The concern stems from the power IMEI numbers carry, such as the ability to track devices, compared to other details like phone serial numbers which are also unique and could be used to identify handsets but cannot be used to track them.

A device’s IMEI number primarily helps network carriers like Airtel, Safaricom and Telkom track devices, block stolen phones, and implement security measures.

Sarah Mumbua, a commercial lawyer, added that the directive also raises the question of who exactly is to be tax-compliant.

“Is it stakeholders and end users or is it a mobile device and whether a mobile device can in the strict sense be regarded as tax compliant?” she posed.

SURVEILLANCE

And then there is the risk of possible misuse of this data, such as for state surveillance.

With every connection a phone makes, its IMEI number is shared with the network provider, Raymond Kamau, a cybersecurity specialist, explains.

This helps locate the phone and guide it to local connections, so a stolen phone can easily be located at the point where it last connected.

“It is often used to locate missing people and understand the calls that were made from their devices to track their movements,” says Kamau.

It is on this premise, says Mumbua, the lawyer, that concerns of a revenue body using IMEI numbers to track people’s locations without any prior authorisation emerge, leading to infringement of individuals' right to privacy.

The Kenyan government has previously been accused of obtaining mobile network operators' customer data for surveillance purposes.

At the height of Kenya’s anti-government protests in June over proposed tax hikes, there were concerns some telcos were conspiring with the police in sharing customers’ location information to track and arrest Kenyans in what was seen as the State’s suppression of opposition.

“We have to live to the reality of the current government,” says the intellectual property and technology lawyer, “we do not know if this information will be shared with other government agencies for whatever reason.”

Kamau, the cybersecurity expert, adds: “Sharing IMEI numbers should only be done to network service providers, so does that mean KRA will now be a network service provider?”

He, however, says IMEI numbers could be used to track genuine and non-genuine products in the Kenyan market, an issue the government has previously tried addressing through the similarly controversial Device Management System (DMS).

The program, first introduced in 2016, allows the CA to access the unique identification number for each mobile device active in Kenya, so it can deny services to counterfeit devices.

But local telcos and activists raised surveillance and privacy infringement concerns. Activist Okiya Omtatah sued CA over the issue and the court in 2017 ruled against DMS, calling it “a threat to the subscribers’ privacy,” and directed the regulator to use less intrusive measures.

The battle dragged to the Court of Appeal and subsequently the Supreme Court, and ended in April last year with the apex court permitting CA to implement the DMS.

COMPLIANCE MONITORING

It is still not clear if the communication regulator’s new guidelines are linked to the DMS program, but CA has now directed all local phone assemblies to submit the IMEI number of each assembled device to KRA, similar to all mobile phones imported for sale, testing, research “or any other purpose.”

Retailers and wholesalers on the other hand are directed to only sell compliant devices.

Network carriers have meanwhile been directed to only connect devices to their networks after verifying the tax compliance status through a whitelist database of compliant devices, which KRA will provide.

The communications regulator said the new requirements apply only to devices imported or assembled in the country from November 1, 2024.

It said all existing devices on the mobile networks by October 31, 2024, will not be affected.
