Kenya’s ICT regulator, the Communications Authority (CA), has clarified that proposed SIM registration rules will not demand biological identifiers such as DNA or blood type, despite earlier reports suggesting otherwise.
The clarification comes after a week of industry anxiety and public outcry sparked by media reports that claimed SIM card holders would need to provide DNA information, along with legal definitions that raised fears of state surveillance.
The CA said the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, only define “biometric data” broadly, stressing that the wording is technical and does not require operators to collect that information.
“This definition does not mean that all this information will be collected from subscribers during registration of SIM cards,” the CA said in a Tuesday statement seen by . “As a matter of fact, the Authority has not issued any directive to licencees to collect this data.”
For operators like Safaricom, the dominant player in Kenya with a 65.1% market share in SIM subscriptions, the regulatory environment remains ambiguous. The initial gazettement of the rules threatened to place telcos in a precarious double bind, facing fines of up to KES million ($7,700) or jail terms for non-compliance, while simultaneously risking violations of the country’s strict Data Protection Act, which champions data minimisation.
The CA’s explanation highlights the delicate balancing act facing African regulators as they attempt to digitise their economies while curbing cybercrime. The regulator argues the tightened rules are essential to combat identity theft and “SIM box” fraud, which undermines the integrity of mobile money ecosystems.
Despite the clarification, the inclusion of physiological traits in the regulatory text has unsettled privacy legal experts, who argue that codifying such definitions creates a legal framework for future overreach, regardless of current intent.
Two legal analysts, Oscar Onsarigo and Dennis Wambugu, told that the wording leaves room for future demands. Onsarigo said it opens space for later requirements even if none are planned now, while Wambugu added that “it creates a path a later administration could use to seek more intrusive data.”
