NGOs and IDEMIA agree to Vigilance Plan Improvements in Settlement over Kenyan Digital ID Human Rights Challenge

PARIS — Further to efforts of two Kenyan NGOs and a French digital rights group and fruitful exchanges, the NGOs and identity technologies multinational IDEMIA Group SAS have agreed on amendments to IDEMIA’s vigilance plan, to provide for stronger safeguards to avoid adverse impact of the use of its products by governments, as part of a settlement under France’s Due Vigilance law.

In 2018, IDEMIA entered into an agreement with the Kenyan government for the supply of hardware equipment to be used in connection with the implementation of its National Integrated Identity Management (NIIMS) digital ID system, through which individuals would be issued a unique identity “service number” required to access public services. The digital ID system was vehemently criticized by human rights groups for the absence of safeguards around how data would be safeguarded and used, the lack of transparency around its implementation, and the potential exclusion of groups that have historically struggled to secure official identity documents. In 2020, a Kenyan court ordered the government to ensure constitutionally sound framework was in place to govern the system before operationalization.

In January 2021 and April 2022, the Kenya Human Rights Commission, the Nubian Rights Forum, and the French organization Data Rights, issued formal notices to identity technologies multinational IDEMIA as the first steps in bringing a complaint forward under France’s Due Vigilance law, which was adopted in 2017 and requires large companies in France to effectively manage their human rights, health and safety and environmental risks.

The three organizations requested that IDEMIA amend its vigilance plan to meet the standards set out by the law. The human rights groups notably raised that the absence of an appropriate risk mapping and inadequate mitigation measures would not prevent IDEMIA’s products from being diverted by governments to contribute to human rights abuses, including discrimination against minority groups.

In July 2022, the claimants filed a petition before Paris courts requesting that the judge order IDEMIA to adopt a vigilance plan that would match the obligations set out by France’s Corporate Duty of Vigilance law, which triggered a process for mediation.

“IDEMIA’s new Due Vigilance plan includes important improvements from their previous plan. Acknowledging that our complaint was in relation only to very specific aspects of IDEMIA’s Due Vigilance plan, we are glad to see that IDEMIA has expanded the section on digital ID safeguards, and incorporated several, though not all, of our comments on human rights safeguards,” said Shafi Ali Hussein, director of Nubian Rights Forum. “This is a sign in certain cases, that the Duty of Vigilance law can be powerful in ensuring, in a timely manner, that civil society has a say in developing plans to mitigate human rights risks.”

“This agreement whereby IDEMIA commits to adopting a better vigilance plan is still far from what we hoped for. As a multinational company, it could do more to use its leverage to make sure that its activities do not have an adverse impact,” said Damaris Onyancha, KHRC’s legal officer. “However, IDEMIA has committed to enforcing a vigilance plan which is now closer to the essence of the law, and we will monitor whether or not it sticks to its commitments.”

“The French Duty of Vigilance Law allowed us to sit down with a multinational for it to hear our claims and improve its vigilance plan” said Lori Roussey of Data Rights. “While no agreement was reached on key provisions regarding the risk of exclusion through digital ID systems, the legal action led IDEMIA to engage in genuine dialogue with us, showing the value of this law in bringing corporations to the table”.