A recent High Court judgment in Kenya has established that a duly registered phone number constitutes a personal digital identifier that must be adequately protected from data breaches and privacy violations. The ruling underscores the growing recognition of mobile numbers as central to digital identity systems and personal data security in an increasingly digital society.
The decision, delivered by the Milimani High Court, arose from a case filed in June 2024 by prisoner Erastus Ngura Odhiambo against the Kenyan state. Odhiambo challenged the practice of telecommunications companies recycling dormant phone numbers, arguing that such actions could expose sensitive personal data linked to the original user. In its ruling, the court directed the Kenyan government—through the Office of the Attorney General—to develop a comprehensive regulatory framework within six months to safeguard phone numbers connected to individuals’ personal data.
Justice Lawrence Mungambi determined that reassigning registered phone numbers without the original owner’s consent violates Articles 31(c) and (d) of the Kenyan Constitution, which guarantee the right to privacy. The court therefore prohibited telecommunications companies from recycling or reassigning dormant numbers unless explicit and verifiable consent is obtained from the person to whom the number was initially registered.
The judgment also introduced additional safeguards for inactive numbers, particularly those belonging to vulnerable groups such as prisoners. It emphasized that individuals who are temporarily unable to use their numbers should not lose control over them in ways that could compromise their privacy or identity. According to the ruling, a phone number may only be reassigned, recycled, or deactivated after a public notice period has expired and after sufficient protections are implemented to ensure that the previous user’s data is not disclosed or transferred to a new user without authorization.
For many observers in Kenya, the verdict represents a significant advancement in personal data protection and digital identity governance. The country has experienced repeated legal disputes over digital identification programs, with courts previously halting biometric enrollment initiatives due to concerns about privacy, human rights, and data protection.
The ruling aligns Kenya more closely with international data protection standards. Frameworks such as the European Union’s General Data Protection Regulation (GDPR) classify phone numbers as personally identifiable information that requires strict safeguards against unauthorized sharing or misuse. Overall, the judgment sets an important legal precedent, reinforcing the principle that mobile numbers are not merely communication tools but critical components of an individual’s digital identity that demand robust legal protection.