Data privacy concerns as KRA targets mobile phones in new tax push

The Kenya Revenue Authority (KRA) is seeking to register all mobile devices used in the country in a new push to ensure tax compliance.

In a public notice issued earlier this week, the Communication Authority (CA) stated that all phone manufacturers, retailers and mobile network operators must upload the International Mobile Equipment Identity (IMEI) number of each device to a KRA-provided portal.

“All mobile phone importers will be required to disclose the IMEI Number in their respective import documents submitted to the KRA,” stated the notice from the CA.

“This disclosure is mandatory for the registration of the devices in the National Master Database on Tax compliant devices.”

CA further says that mobile network operators must ensure that they only connect devices to their networks after verifying the tax compliance status through a whitelist database of compliant devices at the Authority.

“Operators will also be required to provide for the grey-listing of non-compliant devices to facilitate regularisation within a prescribed period, failure to which the devices will thereafter be blacklisted,” states the notice.

The directive has however raised concerns among the public and data privacy advocates with the CA being accused of opaqueness in disseminating the crucial policy shift.

“There is no clarity from the CA on the systems or database that are in place to facilitate such an important exercise,” stated Odanga Madung, a technology policy researcher based in Nairobi.

“The IMEI number is a very important identifier with a lot of implications and this is not like the government asking you to register your car chassis number,” he explained.

The IMEI number is the 15-digit number that is unique to each device. It can be defined as the fingerprint of the device. It is often used to track lost or stolen mobile devices.

“There is inadequate information from the CA regarding who will have access to this database of IMEI numbers, how long the government will hold on to that data and if this is the only means through which the authorities can ensure tax compliance,” explained Madung.

In December last year, former ICT and Digital Economy Cabinet Secretary Eliud Owalo said the CA will install a device management system (DMS) aimed at nabbing counterfeit devices in the country.

CA has sought to set up the DMS since 2016 but faced a long legal challenge which the Supreme Court dismissed last year in favour of the State firm.

Mobile network operators in the country had opposed setting up the DMS, raising concerns that having a third-party application on their secure networks could heighten their cyber security risk and that of subscribers.

Data from the latest statistics from the regulator indicates that the country has 68.8 million SIM subscriptions as of June this year, a mobile penetration rate of 133 per cent attributed to some subscribers having more than one SIM card.

Smartphones continue to dominate the number of new connections and currently stand at 35.2 million devices compared to 30.9 million feature phones.