By Linet Amuli - Reporter
Kenya, 18 November 2025 - The Communications Authority (CA), Kenya's primary regulator for the telecommunications sector, has moved decisively to ease mounting public anxiety over its upcoming SIM card registration requirements.
The Authority made an explicit clarification that the new mandates will not require citizens to provide biological identifiers like DNA profiles or blood type information, directly countering claims that had caused significant industry and public alarm.
The definitive statement from the CA follows nearly a week of intense national debate and operational uncertainty across the telecom industry. The uproar was initially sparked by various media reports suggesting that the revised rules would compel SIM card holders to submit DNA data.
Further fueling the fire was the expansive legal language within the drafted framework, which privacy advocates immediately flagged as creating potential pathways for excessive government surveillance.
In its clarifying statement, released on Tuesday, the CA addressed the technical source of the confusion. The Authority pointed out that the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, incorporates a highly technical and broad definition of "biometric data."
The CA stressed that including this comprehensive term in the legal document is purely for definitional scope and does not translate into an active instruction for data collection.
“This definition does not mean that all this information will be collected from subscribers during registration of SIM cards,” the CA asserted. “As a matter of fact, the Authority has not issued any directive to licencees to collect this data.”
More from Kenya
The initial broad language had placed telecommunication providers, including Safaricom (the dominant market leader commanding a vast 65.1% of Kenyan SIM subscriptions) in a profoundly difficult position. The gazetted rules initially created a dual legal risk for the operators.
They faced the possibility of incurring hefty non-compliance penalties for failing to adhere to the new registration rules, including fines up to KES 1 million (approximately $7,700) or potential jail terms. Conversely, collecting overly sensitive data would risk violating the nation's stringent Data Protection Act, a law specifically structured to champion the principle of data minimization.
The regulator’s official explanation underscores the challenging balance faced by African governments as they strive to advance the digitalization of their economies. This ambitious goal must be pursued while simultaneously implementing robust, strict measures to counteract the growing threat of cybercrime and fraud.
The CA firmly argues that the reinforced registration rules are not punitive but are, in fact, essential instruments for combating pervasive issues. These include identity theft and sophisticated "SIM box" scams, fraudulent activities that severely compromise the security and integrity of Kenya's widely successful mobile money ecosystem. The regulator's goal is to ensure the integrity of the registration database remains a solid foundation for digital trust.
While the regulator's assurances are intended to calm the waters, the initial inclusion of physiological traits in the regulatory text continues to concern privacy legal experts. They contend that codifying such expansive definitions in law, even without current intent to use them, establishes a legal framework for future overreach, setting a worrying precedent for any future administration seeking more intrusive data collection powers.
More from Kenya
Unit trusts boom as new investors flood Kenya, assets hit Sh679.6bn
Nov 29, 2025
Business
Read more →
Nyong’o Commissions Rice Mill in Ahero to Boost Farmer Incomes and Food Security
Nov 29, 2025
NewsBusiness
Read more →
New Fund Targets Startups Using Digital Tools to Close Africa’s Insurance Protection Gap
Nov 29, 2025
Business
Read more →