Why Judge quashed KRA, CA plan to use mobile IMEI numbers in tax compliance
National
By
Kamau Muthoni
| Jul 19, 2025
The High Court in Nairobi has quashed a directive by the Kenya Revenue Authority (KRA) and the Communications Authority (CA) to have all mobile phones used in the country registered in a push for tax compliance.
Judge Chacha Mwita, in his judgment on Friday, said that the move was in breach of the right to privacy and the notices were not grounded on any law.
Justice Mwita further stated that allowing unfettered access to the International Mobile Equipment Identity (IMEI) number would give the two entities unlimited access to personal information.
“The requirement to submit IMEI numbers violated Articles 24 and 31 of the Constitution, infringing on the right to privacy. The collection of IMEI numbers enabled unchecked state surveillance, making it unconstitutional,” said Justice Mwita.
READ MORE
Eight Kuscco staff on police radar over leaked documents
How shrinking wallets are pushing Kenyans to brand switching
Airtel, Vodacom ink network infrastructure sharing pact
Co-op Bank posts Sh14.1b profit amid branch, digital expansion
Fuel prices drop marginally in latest Epra review
Lessons Kenya can take from Azerbaijan
Lenders given 6-months to roll out risk-based loan pricing model
KCB shareholders set for record Sh13b dividend boom on half-year profit jump
Sudan moves to unlock disputed key trade corridor with Kenya
Bulk buyers: What the property market misses in turnaround plan
In a public notice, CA directed that all manufacturers, retailers and mobile network operators must upload the IMEI number of each device to a KRA-provided portal.
“All mobile phone importers will be required to disclose the IMEI Number in their respective import documents submitted to the KRA. This disclosure is mandatory for the registration of the devices in the National Master Database on Tax compliant devices,” stated the notice.
CA further directed that mobile network operators must ensure that they only connect devices to their networks after verifying the tax compliance status through a whitelist database of compliant devices at the Authority.
“Operators will also be required to provide for the grey-listing of non-compliant devices to facilitate regularisation within a prescribed period, failure to which the devices will thereafter be blacklisted,” stated the notice.
The directive however raised concern among members of the public and data privacy advocates with the CA accused of opaqueness in disseminating the crucial policy shift.
“There is no clarity from the CA on the systems or database that are in place to facilitate such an important exercise,” stated Odanga Madung, a tech policy researcher based in Nairobi.
“The IMEI number is a very important identifier with a lot of implications and this is not like the government asking you to register your car chassis number,” he explained.
In court Katiba Institute argued that the notices were neither tabled in Parliament nor subjected to public participation as required by the Constitution.
“Contrary to the requirement that free and informed consent must be obtained prior to the collection of personal data, the respondents have resorted to duress by threatening to deregister any mobile phone device whose IMEI number is not disclosed,” argued Katiba’s lawyer Joshua Malidzo.
He said that the move by KRA and CA was meant for unwarranted and unmitigated mass surveillance.
The IMEI number is the 15-digit number that is unique to each device and can be defined as the fingerprint of the device and is often used to track lost or stolen mobile devices.
In December last year, former ICT CS Eliud Owalo said the CA will install a device management system (DMS) aimed at nabbing counterfeit devices in the country. CA has sought to set up the DMS since 2016 but faced a long legal challenge, which the Supreme Court dismissed last year.
Mobile network operators in the country had opposed setting up the DMS, raising concerns that having a third-party application on their secure networks could heighten their cyber security risk and that of subscribers.
Data from the regulator indicated that the country has 68.8 million SIM subscriptions as at June this year, a mobile penetration rate of 133 per cent attributed to some subscribers having more than one SIM card.