Every day, our lives unfold across screens. We shop, pay bills, communicate, and even access government services through digital portals. At the center of this interconnected world is one deceptively simple tool: our mobile phone number. In Kenya, it has become more than a contact detail; it is our “digital identity,” the key to everything from banking to health records.
Yet, as our dependence on these digital identifiers grows, a pressing question emerges: are we truly safeguarding the lives, data, and privacy tethered to these numbers, or are we merely ticking regulatory boxes?
In the past month, this question has taken on renewed urgency. A recent High Court ruling has elevated mobile phone numbers to a protected element of an individual’s digital identity under the constitutional right to privacy, placing limits on how telecommunications providers can recycle or reassign them without adequate safeguards such as informed consent and strict verification processes. At the same time, Safaricom has begun rolling out a feature that masks users’ phone numbers in payment notifications to reduce risks such as fraud, spam, and unwanted contact.
Taken together, these developments suggest a shift both legal and practical in how digital identity is understood and protected in Kenya. But do they amount to a meaningful strengthening of consumer protection, or are they still incremental responses to a rapidly evolving risk landscape?
The Central Role of Mobile Numbers in Digital Identity
In Kenya, a mobile phone number is the gateway to participation in the digital economy. It links individuals to mobile money platforms, government services, and private-sector systems, often serving as the primary means of authentication via one-time passwords (OTPs).
This centrality means the risks associated with mobile numbers are not theoretical. When a number is deactivated and reassigned, the new holder may inadvertently gain access to sensitive information intended for the previous user, ranging from financial alerts to personal communications. For individuals and businesses alike, the consequences can be immediate and severe.
Also Read: Court Rules on Recycling and Reassigning of Inactive Mobile Numbers
It is this reality that has forced a rethinking of what a mobile number represents: not just a utility, but a critical component of personal identity.
Legal Recognition: Closing the Gap Between Law and Practice
The High Court’s recognition of mobile numbers as part of an individual’s protected digital identity marks a significant development in Kenyan jurisprudence. By grounding this protection in Article 31 of the Constitution, the Court has clarified that privacy rights extend fully into the digital space.
This position aligns with the Data Protection Act, which already defines personal data broadly to include identifiers that can link information to an individual. A registered mobile number clearly meets this threshold.
However, the ruling also highlights a longstanding disconnect between legal principles and industry practice. The recycling of mobile numbers, often after relatively short periods of inactivity, has been driven by operational necessity rather than constitutional scrutiny. What the Court has done is introduce that scrutiny, requiring that such practices be balanced against the individual’s right to privacy.
The move to mask phone numbers in payment notifications represents an important step toward reducing exposure to fraud, spam, and the misuse of personal data. It signals an awareness within the industry that even seemingly minor disclosures can pose significant risks.
Yet, this measure addresses only one aspect of a broader issue. It mitigates visibility but does not fully resolve concerns around number reassignment, consent, or the protection of historical data linked to a number.
In that sense, current interventions can be seen as necessary, but not sufficient. They are targeted solutions within a system that requires more comprehensive safeguards.
Any discussion of stronger protections must also account for practical constraints. Mobile numbers are a finite resource, and prolonged retention periods or restrictions on reassignment may place pressure on their availability. Implementing robust consent and verification processes also introduces additional operational and financial demands for service providers.
This creates a delicate balance. On one hand, there is a clear constitutional obligation to protect privacy and personal data. On the other hand, there are legitimate operational considerations that cannot be ignored.
Also Read: How to Stop Safaricom Promotional Messages
The challenge for regulators and industry alike is to ensure that efficiency does not come at the expense of fundamental rights.
Recent developments make it evident that Kenya is beginning to treat digital identity with the seriousness it deserves. The recognition of mobile numbers as protected identifiers, coupled with steps to reduce data exposure, reflects an evolving understanding of risk in a hyper-connected society.
However, these changes remain incremental at present. Legal standards are becoming clearer, but a fully integrated framework governing the lifecycle of mobile numbers from registration to deactivation and reassignment is still taking shape.
Conclusion: From Recognition to Responsibility
The recent High Court ruling and industry responses mark an important step toward stronger consumer protection in Kenya’s digital landscape. They signal a shift from viewing mobile numbers as mere communication tools to recognizing them as extensions of personal identity deserving of constitutional protection.
But recognition alone is not enough. For this shift to be meaningful, it must translate into consistent practice, clear regulations, enforceable standards, and systems that prioritize user protection at every stage.
The question, then, is no longer whether digital identity deserves protection. It is whether the current momentum will be sustained to deliver it fully.
This article was written by Aisha Hassa, Pupil, Alakonya Law LLP.
