Why Reassignment of Phone Numbers Is Now a Data Privacy Crisis Telcos, Banks and Regulators Cannot Ignore

Posted on March 31st, 2026

Authors

  • James Ochieng’ Oduol SC, C.Arb, FCIArb

  • Benson Odiwuor

On March 19, 2026, in Erastus Nguura Odhiambo & another v State Law & another (High Court Constitutional Petition No. E290 of 2024), Justice Lawrence Mugambi delivered a judgment that redefined what a mobile phone number means in Kenyan law. Two prisoners lost their mobile numbers after 90 days of inactivity. Strangers began receiving their bank alerts, tax reminders, and one-time passwords. The court held that a registered mobile phone number constitutes a digital identifier protected under Article 31 of the Constitution. It ordered the Attorney General to develop new regulations within six months and prohibited telcos from reassigning numbers without the original owner’s informed and verifiable consent.

The headlines celebrate a victory for privacy. But beneath the surface lies a far more unsettling reality. The court gave the government six months to fix what the telecommunications industry has spent decades building. And no one is asking the question that will determine whether those six months produce meaningful reform or regulatory theater.

What happens when the person who owns the number cannot be reached? What happens when the number belongs to a patient in a coma, a student in boarding school, a migrant worker abroad, or a deceased person whose family cannot navigate the telco’s bureaucracy? The court’s judgment speaks of consent. But consent presupposes presence. It presupposes the ability to say yes or no. For millions of Kenyans, that ability does not exist at the precise moment the telco decides to deactivate.

This is not a problem of prisoners alone. It is a problem of design. And the regulatory framework the court has ordered into existence must confront questions that the judgment only gestures toward.

The Gap at the Heart of the Judgment

The court’s reasoning rests on a straightforward proposition that a registered mobile number links to personal data. Unfettered reassignment creates a threat to privacy. Therefore, the state must regulate reassignment to ensure consent and technical safeguards.

But the judgment does not resolve what consent means when the subscriber is absent. Regulation 17 of the Kenya Information and Communications (Registration of Telecommunication Service Subscribers) Regulations, 2025 permits deactivation after 90 days of suspension. The court did not strike down this period. It did not declare it unconstitutional. Instead, it superimposed a consent requirement onto a system designed without one.

This creates a structural mismatch. The telco’s duty to obtain consent collides with the telco’s inability to locate the subscriber. The court acknowledges this indirectly by ordering the Kenya Prisons Service to develop mechanisms for notifying telcos about incarcerated subscribers. But what of the other categories of absence? Hospitalisation. International travel without roaming. Mental incapacity. Imprisonment in a foreign country. The death of the subscriber. The regulations the court demands must account for all of these, or they will fail the very privacy interests they aim to protect.

The Property Question the Court Did Not Decide

Under Article 40 of the Constitution, every person has the right to acquire and possess property. The court declined to declare a mobile number property. But the logic of its judgment pushes inexorably toward that conclusion.

Consider the registration regime. Section 27A of the Kenya Information and Communications Act requires telcos to collect the subscriber’s full name, identity card number, date of birth, gender, and physical address before selling a SIM card. Section 27C makes the subscriber prima facie liable for all activities carried out using that SIM card. The state treats the number as an extension of the subscriber’s legal identity for purposes of accountability. It attaches liability to the subscriber but does not treat the number as the subscriber’s asset when the telco decides to reclaim it.

This asymmetry is not merely a drafting oversight. It reflects a deeper conceptual confusion. A mobile number is neither purely a service nor purely property. It is a hybrid. The subscriber pays for it, registers it with their national ID, uses it to access banking and government services, and builds a digital life around it. The telco provides the infrastructure but does not create the value embedded in the number’s associations. When a bank sends a one-time password to that number, the value of that transaction belongs to the subscriber, not to the telco. The telco merely transmits it.

Yet under the current regulatory framework, the telco reclaims the number as if it were a leased asset, reverting to the lessor at the end of a term. The court’s consent requirement disrupts this model. But it does not replace it with a coherent alternative. If consent is required for reassignment, then the subscriber retains a residual interest in the number even after deactivation. That residual interest looks very much like property rights. And property rights require due process before deprivation.

Section 40 of the Data Protection Act reinforces this reading. It gives data subjects the right to rectification and erasure of personal data. When a number is reassigned, the telco effectively erases the subscriber’s link to that data. But it does so without the subscriber’s request and without any mechanism for the subscriber to object. The right to erasure becomes a right exercised by the telco, not by the data subject.

The Data Spillover Problem No One Has Solved

The court ordered technical safeguards to prevent unauthorised exposure or transfer of personal data linked to the previous owner when a number is reassigned. But what does that mean in practice?

A mobile number is not a container of data. It is a pointer. When a bank sends a message to a particular number, it does not consult the telco’s registry of current subscribers. It sends the message to the number. The telco delivers it to whatever SIM card currently bears that number. The bank has no way of knowing whether the number has changed hands unless the telco tells it. And the telco has no obligation to tell it, at least under the law as it currently stands.

This means that data spillover is not a failure of the telco’s internal systems. It is a feature of the architecture. The number itself carries no memory of its prior associations. The problem is not that the telco fails to “scrub” the line. The problem is that the line has no independent existence. It is merely an identifier that third parties use to route information. When that identifier changes hands, the third parties do not learn of the change automatically. They continue routing information to the same address, now occupied by a different person.

The court’s solution was to require technical safeguards. But the only technical safeguard that would work is a notification mechanism that alerts every data controller who has ever associated that number with a data subject that the number has changed hands. No such mechanism exists in Kenya. Building one would require telcos to maintain a permanent registry of every association between every number and every data controller. That registry would itself be a massive database of personal data, creating new privacy risks.

Alternatively, the safeguard could operate at the point of reassignment. The telco could reset the number’s associations by notifying the data controllers it knows about. But telcos do not know which data controllers have the number. They know only the number and the subscriber’s identity. They do not know which banks, which insurers, and which government agencies have that number on file. The gap between what the court ordered and what is technically possible is wide enough to swallow the entire reform effort.

What Informed Consent Looks Like When the Subscriber Is Absent

The court required reassignment only with the previous owner’s informed and verifiable consent. This is the provision that will prove most difficult to implement.

Consent under Section 30 of the Data Protection Act must be express, unequivocal, free, specific, and informed. A subscriber cannot consent to reassignment at the time of registration because they do not know the circumstances of the future deactivation. The consent must occur at the point of deactivation. But at the point of deactivation, the subscriber may be unreachable. This is the condition that triggered the deactivation in the first place.

The court implicitly recognised this problem by ordering the Kenya Prisons Service to notify telcos about incarcerated subscribers. But this solution is prisoner-specific. It does not address the student in a boarding school who cannot use a phone for three months. It does not address the patient in a coma whose family does not know about the impending deactivation. It does not address the migrant worker who has moved to a country without roaming and whose Kenyan number sits dormant.

For these cases, the consent requirement creates an impossible loop. The telco must obtain consent from a person it cannot reach. The person cannot give consent because they cannot be reached. The number remains in limbo. But the number cannot remain in limbo indefinitely because numbering resources are finite. Something must give.

The court’s answer is to require a public notice and a thorough verification process before reassignment. But a public notice reaches the general public, not the specific subscriber. It assumes the subscriber is looking for notices about their number. The subscriber who is hospitalised, incarcerated, or travelling abroad is not scanning the newspapers or the telco’s website for a notice about their number. The verification process similarly assumes the subscriber can be located. If the subscriber cannot be located, the verification process proves nothing except the telco’s inability to find them.

The 90-Day Threshold No One Defended

The court did not question whether 90 days is a reasonable period for deactivation. But the logic of its judgment compels that question.

Ninety days is not a constitutional standard. It is an operational convenience. The court’s own reasoning suggests that a period tied to an arbitrary duration rather than to the circumstances of the subscriber’s absence cannot satisfy the proportionality test under Article 24.

Consider the categories of absence that the court itself identified. Incarceration regularly exceeds 90 days. Hospitalisation for serious illness can exceed 90 days. International travel without roaming can exceed 90 days. Students in boarding school may go a full academic term without phone access. The 90-day threshold catches all of these cases, not because they are unreasonable periods of absence, but because the telco has no mechanism to distinguish between voluntary abandonment and involuntary deprivation.

Under Article 24, a limitation on a fundamental right must be reasonable and justifiable in an open and democratic society. The limitation must serve a purpose that is pressing and substantial. The measures taken must be rationally connected to that purpose. There must be no less restrictive means available. And there must be a proper balance between the importance of the purpose and the importance of the right.

The telcos must make this showing. They must demonstrate that 90 days is the minimum period necessary to manage numbering resources. They must show why a longer period, say, 12 or 24 months, would be unworkable. They must show whether they have explored alternatives like placing numbers in a dormant status that preserves the subscriber’s rights while preventing use by a third party. The court’s judgment opens the door to a challenge to the 90-day period itself, but that challenge remains to be litigated.

The Data Controller’s Unspoken Obligation

The court’s judgment addresses telcos. But its logic applies equally to every data controller that uses mobile numbers as the primary means of authenticating data subjects.

Section 25 of the Data Protection Act requires data controllers to ensure that personal data is accurate and, where necessary, kept up to date. Section 26 gives data subjects the right to be informed about the use of their data. Section 36 gives data subjects the right to object to processing.

When a bank continues sending one-time passwords to a number that no longer belongs to the data subject, the bank is processing personal data in reliance on an identifier that is no longer accurate. The bank does not know this. But ignorance does not excuse the breach. Under Section 43 of the Act, data controllers must notify the Data Commissioner of any personal data breach within 72 hours. A breach includes unauthorised disclosure of personal data. When a stranger receives your bank alerts, that is an unauthorised disclosure. The bank is the disclosing party. The telco merely delivered the message.

The judgment does not resolve whether the bank or the telco bears primary liability for such a breach. But the Data Protection Act’s allocation of responsibility is clear. The data controller determines the purpose and means of processing. The data processor processes on the controller’s behalf. When a bank sends a message to a number without verifying that the number still belongs to the data subject, the bank is the controller. The telco is the processor. The controller bears ultimate responsibility for ensuring the accuracy of the personal data it processes.

This means that third parties like banks, insurers, and government agencies cannot hide behind the telco’s deactivation policy. They must develop their own mechanisms for verifying that the contact information they hold remains accurate. Periodic re-verification, alternative contact methods, and multi-factor authentication that does not rely solely on SMS are all tools available to them. The judgment creates the conditions for data controllers to be held accountable for their continued use of numbers that have changed hands.

The Regulatory Challenge Ahead

The Attorney General has been directed to develop regulations within six months. The court’s order lists four specific requirements, namely:

  • informed and verifiable consent,
  • public notice and verification,
  • technical safeguards, and
  • a scheme for prisoners.

It is our considered view that the regulations must go further.

First, they must define what constitutes “informed” consent for purposes of reassignment. Consent given at registration cannot satisfy this standard because the circumstances of deactivation are unknown. Consent obtained after deactivation requires reaching the subscriber. The regulations must specify what efforts constitute reasonable efforts to reach the subscriber and what happens when those efforts fail.

Second, they must establish a hierarchy of interests. When the subscriber cannot be reached, whose interest prevails? The telco’s interest in managing finite numbering resources? The subscriber’s interest in preserving their digital identity? The third party’s interest in receiving a working number? The court’s order suggests that the subscriber’s interest should prevail unless the telco can demonstrate that the subscriber has “unequivocally revoked the rights to the number”. This is a high standard. It requires positive evidence of abandonment, not merely the absence of use.

Third, they must specify the technical safeguards the court ordered. The Data Protection Act already requires data controllers and processors to implement appropriate technical and organisational measures to ensure the security of personal data. But the specific measures appropriate to number reassignment are not obvious. The regulations should require telcos to maintain a registry of number reassignments and to provide that information to data controllers who request it. They should require data controllers to periodically re-verify the numbers they hold. And they should establish a mechanism for data subjects to reclaim numbers that were reassigned without their consent.

Fourth, they must address the deceased subscriber. The judgment mentions that families of deceased persons should have priority in retaining the numbers of their kin. But it does not resolve the legal question. Is the number property that passes under the law of succession? Or is it a service contract that terminates on death? The regulations should provide a clear answer. Families should have a reasonable period after death to request transfer of the number to a surviving relative. The telco should be required to preserve the number during that period.

What the Telcos Will Fight

The telecommunications industry will most likely resist these reforms. Not because they oppose privacy, but because the reforms disrupt a business model built on frictionless reassignment.

Telcos currently treat numbers as disposable inventory. When a number is deactivated, it is added to a pool for reassignment. The process is automated. It requires no human judgment. The court’s consent requirement introduces a manual intervention that will slow reassignment and increase costs.

The telcos will argue that numbering resources are finite. They will cite the Communications Authority’s limit of ten SIM cards per person and the growing demand for numbers. They will warn that preserving numbers for absent subscribers will lead to numbering exhaustion. These arguments have weight. But they do not justify the current system’s complete disregard for the subscriber’s interest.

The less restrictive alternative is a tiered system. Numbers that have been inactive for 90 days could be placed in a dormant status. The subscriber retains the number but cannot use it. The telco does not reassign it. The subscriber can reactivate it upon return without losing their associations. This preserves the numbering resource without sacrificing the subscriber’s digital identity. It requires the telco to hold numbers in reserve, but that is a cost of doing business, not an insurmountable obstacle.
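The three safeguards the article argues for (data controllers re-verifying the numbers they hold, a telco registry of reassignments that controllers can query, and a dormant tier between inactivity and reassignment) can be sketched together. This is a constructed illustration added here, not code from any telco, bank or regulator; the 180-day re-verification interval, the field names and the sample number are assumptions.

```python
"""Constructed model of the safeguards the article argues for: a telco number
lifecycle with a dormant tier, a queryable registry of reassignments, and a
bank-side check before routing a one-time password. Hypothetical throughout."""
from dataclasses import dataclass, field
from datetime import date

SUSPEND_AFTER_DAYS = 90    # Regulation 17 inactivity threshold cited in the article
REVERIFY_AFTER_DAYS = 180  # assumed re-verification interval for a data controller

@dataclass
class NumberRecord:
    msisdn: str
    subscriber_id: str       # national ID the number was registered against
    last_activity: date
    state: str = "active"    # active -> dormant -> (consent) -> active for new owner
    consent_to_release: bool = False

@dataclass
class TelcoRegistry:
    numbers: dict = field(default_factory=dict)
    reassigned_on: dict = field(default_factory=dict)  # msisdn -> date it changed hands

    def housekeeping(self, today: date) -> None:
        """Idle numbers become dormant: held for the subscriber, not returned to the pool."""
        for rec in self.numbers.values():
            if rec.state == "active" and (today - rec.last_activity).days >= SUSPEND_AFTER_DAYS:
                rec.state = "dormant"

    def reassign(self, msisdn: str, new_subscriber: str, today: date) -> bool:
        """Release only a dormant number, and only with the owner's recorded consent."""
        rec = self.numbers[msisdn]
        if rec.state != "dormant" or not rec.consent_to_release:
            return False
        rec.subscriber_id, rec.state, rec.last_activity = new_subscriber, "active", today
        rec.consent_to_release = False
        self.reassigned_on[msisdn] = today  # the fact a bank needs in order to stop sending
        return True

@dataclass
class CustomerContact:
    customer_id: str
    msisdn: str
    verified_on: date        # last date the customer confirmed this number with the bank

def otp_channel(contact: CustomerContact, registry: TelcoRegistry, today: date) -> str:
    """Controller-side gate: 'sms', 'reverify' (confirm via another channel first) or 'block'."""
    changed = registry.reassigned_on.get(contact.msisdn)
    if changed is not None and changed > contact.verified_on:
        return "block"       # number changed hands after we confirmed it: SMS would reach a stranger
    if (today - contact.verified_on).days > REVERIFY_AFTER_DAYS:
        return "reverify"    # stale record: Section 25 accuracy duty, re-confirm before relying on it
    return "sms"

def scenario() -> dict:
    """The judgment's fact pattern: a subscriber out of contact for 90 days."""
    num = "+254700000001"  # constructed number, not a real subscriber
    reg = TelcoRegistry(numbers={num: NumberRecord(num, "ID-A", date(2026, 1, 1))})
    bank = CustomerContact("cust-1", num, verified_on=date(2026, 1, 1))
    stale = CustomerContact("cust-2", "+254700000002", verified_on=date(2025, 6, 1))
    reg.housekeeping(date(2026, 4, 1))  # day 90 of inactivity
    out = {"state_day90": reg.numbers[num].state,
           "otp_day90": otp_channel(bank, reg, date(2026, 4, 1)),
           "otp_stale": otp_channel(stale, reg, date(2026, 4, 1)),
           "reassign_without_consent": reg.reassign(num, "ID-B", date(2026, 4, 2))}
    reg.numbers[num].consent_to_release = True  # owner's verifiable consent recorded
    out["reassign_with_consent"] = reg.reassign(num, "ID-B", date(2026, 4, 3))
    out["otp_after_reassignment"] = otp_channel(bank, reg, date(2026, 4, 4))
    return out
```

The point the scenario makes is the article's: without the registry lookup the bank's gate has no way to return "block", and the OTP goes to whoever now holds the SIM.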

The telcos will also resist the retroactive application of these rules. They have already reassigned millions of numbers. The families of deceased subscribers have lost numbers. Prisoners have lost numbers. Students have lost numbers. The regulations must address whether these past reassignments can be undone or whether the protections apply only prospectively. The court’s order does not answer this question. The regulations must.

The Unfinished Litigation

The judgment leaves several issues unresolved. The property question remains open. The constitutionality of the 90-day period remains untested. The liability of data controllers for post-reassignment disclosures remains unclear. These issues will find their way back to court.

The Data Protection Commissioner has an independent role to play. Section 8 of the Data Protection Act gives the Commissioner the power to enforce compliance. The Commissioner can issue enforcement notices requiring telcos to cease reassigning numbers without consent. The Commissioner can investigate breaches resulting from reassignment. The Commissioner can impose penalties under Section 63, which provides fines up to three million shillings for unlawful disclosure of personal data.

The Commissioner’s office has been active since its establishment. It imposed a five-million-shilling fine on Oppo Kenya in 2022 for processing personal data without consent. It has issued guidance on data protection impact assessments. It has registered data controllers and processors. The number reassignment issue gives the Commissioner an opportunity to define what compliance looks like in the telecommunications sector.

The court’s deadline of September 19, 2026, is both a spur and a trap. If the regulations are not in place by that date, the automatic prohibition on reassignment takes effect. That means telcos cannot reassign any numbers, even those that have been inactive for years. The numbering system could grind to a halt. The Attorney General must take the deadline seriously. The telcos must engage constructively. And the public must pay attention.

The Deeper Question

This case was about prisoners. But its significance extends far beyond the prison walls. It asks what happens to our digital selves when we are absent. It asks whether the companies that control the infrastructure of our lives owe us a duty to preserve our identities when we cannot preserve them ourselves.

The court answered that question in the affirmative. But the answer is not self-executing. It requires regulations that think through the hard cases. It requires telcos that see subscribers as stakeholders, not inventory. It requires data controllers who verify their data. And it requires a public that understands that their phone number is not a rented convenience but a piece of their digital identity.

The six months the court gave is not a grace period. It is a countdown. And when it expires, the system that has operated without oversight for decades will face a reckoning. The question is whether we will have built a better system by then or whether we will be watching the old system collapse under the weight of its own neglect.

Conclusion

The views in this article draw from deep litigation experience and sustained engagement with data protection law. Not theory. From cases litigated to client consultations. That is what sharpens the litigator’s eye. Standing at the waterline, a litigator sees what approaches before it arrives. This is the work of lawyers who have stood in the gap. The compliance audit you are about to conduct. The regulatory review you are about to face. The litigation risk you have not yet measured. All of it is already moving toward you. The question is whether you will see it coming.

Disclaimer

This article is provided for informational and educational purposes only. It is important to consult qualified legal counsel for advice on specific matters, including those of the authors.