PARIS — Data Rights and their Kenyan partner organisations, the Kenya Human Rights Commission and the Nubian Rights Forum (NRF), are suing IDEMIA, one of the leading biometric tech companies in the world, before the Paris judicial tribunal. The case alleges that IDEMIA failed to adequately address human rights issues in its vigilance plan. The claimants specify that the company did not undertake human rights due diligence in the course of its 2018/2019 contract with the Kenyan government to furnish technology to capture the population's biometric data for the development of a national digital ID system in Kenya, the so-called National Integrated Identity Management System (NIIMS) or Huduma Namba.

The claimants argue that NIIMS runs the risk of excluding already marginalized communities who struggle to register. At the same time, the centralised storage of data without proper checks and balances carries the risk of being exploited for new purposes, including surveillance. Despite these apparent risks to human rights, IDEMIA sold the enabling technology to Kenya without conducting proper due diligence as required under the French Due Vigilance Law.

“Under French law, companies like IDEMIA must identify adverse human rights risks that may result from their business operations and take mitigating measures”, said the claimants' attorneys Henri Thulliez and Slim Ben Achour. “Looking at IDEMIA's due vigilance plan, it is clearly lacking any considerations of the risks that the use of their technology entails.”

The claimants are asking the Parisian court to order that IDEMIA adequately assess the risks inherent in Information Technology System (ITS) products and design appropriate mitigating measures. Data Rights emphasises the need for tech companies to adopt proper and efficient human rights due diligence procedures, especially when entering business relationships with governments.

“Biometric digital ID systems are often seen as an efficient way to modernise the public sector, but if this is done without due regard to their human rights impact, it can cause more harm than good”, said Lori Roussey from Data Rights. “Any new biometric technology and personal data processing solution can be misused. Companies must pay particular attention to whom they sell their services.”

More context on Kenya's identity management system: NIIMS has already been challenged in domestic courts by civil society and human rights groups, both for breaching data protection and for the exclusionary nature of the system. In 2020, the Kenyan High Court called the NIIMS legal framework on privacy "inadequate and totally wanting". In 2021, the Kenyan High Court declared the roll-out of NIIMS illegal for being in conflict with the Kenyan Constitution, which upholds the right to privacy. The High Court's ruling successfully blocked the continuation of NIIMS' nation-wide implementation.

Note: The earlier version of this release had a typo mentioning the Kenyan Supreme Court. This court has impacted IDEMIA's work but not in relation to NIIMS.

Media Enquiries

inbox@datarights.ngo

About Data Rights

Data Rights is a non-governmental organisation founded in 2020, with a mission to empower users, organisations and communities to control their data. We gather activists, hackers, cybersecurity experts, lawyers, designers, programmers: people who care about the impact of data, and want to fight for a vibrant Internet, free from unfair State or business surveillance.