A newly updated SIM-card registration framework is stirring controversy after it surfaced that the law cites unusually sensitive biometric details, including DNA samples, retinal imagery, earlobe measurements, and fingerprint data. The revelation has fueled a nationwide debate about digital privacy and what the regulations actually require. Although these data types appear in the legal definition, the rules do not instruct mobile operators to collect them, which has raised questions among Kenyans who want clarity on the limits of the law.
What Do the New SIM Regulations Actually Require?
The Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, took effect through Legal Notice No. 90 of May 30, 2025. They replace the previous SIM-registration framework with stricter verification and data-governance obligations intended to curb identity theft, SIM-box fraud, and the misuse of mobile-enabled digital services. The main source of controversy is Regulation 2, which defines biometric data as personal data derived from physical, physiological, or behavioral attributes. The law lists DNA analysis, fingerprints, retinal scans, voice recognition, and other sensitive markers as examples.
The inclusion of these categories in the definition has caused alarm, but the rules that follow outline what telecom operators must do, and none require the collection of biometric samples. Instead, operators must register subscribers using original identification documents such as national IDs, passports, or birth certificates. They must authenticate these documents through relevant government databases and securely store registration records. Subscriber information must be updated within seven days of any change, and operators must implement data-protection and cybersecurity controls consistent with the Data Protection Act, 2019.
The Communications Authority also gains expanded audit powers that allow it to access operator systems, records, and infrastructure to verify compliance with the regulations. Suspension or disconnection is limited to cases in which a subscriber provides false information or repeatedly fails to complete registration. Operators must give prior notice before taking action, and complaints over wrongful registration must be resolved within 30 days, during which subscribers are entitled to a fair hearing.
Why Are Privacy Groups Concerned About the Biometric Definition?
Despite assurances from the Communications Authority, the broad definition of biometric data has unsettled data-rights advocates. They argue that the gap between what the regulations define and what they require could leave room for future overreach, since the Data Protection Act classifies biometric information as sensitive personal data that can only be collected under strict necessity and proportionality tests.
The Communications Authority has attempted to calm public concern by issuing a clear statement. It said, “For the avoidance of doubt, CA has NOT issued any directives for the collection of biometric data by our licensees. The new SIM Card Regulations do not contain any provision requiring the collection of biometric data.” This clarification aims to reassure the public that no operator has been instructed, formally or informally, to gather identifiers such as fingerprints, retinal scans, or DNA samples.
As the conversation continues, the focus remains on how Kenya can balance security, digital innovation, and the protection of personal information. The updated framework signals an effort to tighten oversight, but its wording has also highlighted the need for transparency and public communication as the country adapts to more advanced digital governance.
By Yockshard Enyendi