
A landmark ruling has seen Safaricom and Becton Dickinson (BD) fined Sh.250,000 each for unlawfully using a customer ID. This case highlights the growing importance of Kenya’s Data Protection Act and its enforcement. The incident reveals gaps in corporate data practices and sets a precedent for accountability.
Understanding the Incident
The case arose when Catherine Murithi, an employee of Becton Dickinson (BD), submitted her national ID and personal documents as part of her onboarding process on August 16, 2021. BD asked her to convert her personal Airtel line into a corporate Safaricom number, in line with company policies. However, after terminating her employment on September 30, 2024, BD shared her ID with Safaricom to transfer the line back to her name—without informing her.
Safaricom processed the request without obtaining Murithi’s consent or verifying her authorization. Feeling that this action violated her rights, Murithi filed a complaint with the Office of the Data Protection Commissioner (ODPC).
What the Data Protection Act Says
Kenya’s Data Protection Act, enacted in 2019, governs how personal data is collected, processed, and shared. The law prioritizes:
- Consent: Organizations must obtain explicit approval before processing personal data.
- Transparency: Companies must inform individuals about why they collect and use their data.
- Accountability: Data handlers must ensure compliance with the Act and uphold data security.
In this case, BD did not seek Murithi’s consent before sharing her personal information with Safaricom. Likewise, Safaricom failed to notify her about the line transfer or confirm her approval, breaching key provisions of the Act.
The Ruling: A Call for Accountability
Data Commissioner Immaculate Kassait investigated the complaint and found both Safaricom and BD guilty of violating the Data Protection Act. The violations included:
- Ignoring Consent Requirements: BD transferred Murithi’s data without her explicit consent.
- Lack of Transparency: Safaricom failed to inform her about the data transfer.
- Unlawful Data Processing: Both entities mishandled her personal information, infringing on her privacy.
Each company was fined Sh.250,000, totalling Sh.500,000, signaling the seriousness of data privacy violations. Commissioner Kassait emphasized that organizations must adopt robust data protection measures to avoid such breaches.
Lessons for Kenyan Organizations
1. Prioritize Consent in Data Handling
Consent forms the cornerstone of the Data Protection Act. Organizations should ensure that they obtain clear and explicit approval before processing or sharing customer data.
2. Adopt Transparent Practices
Transparency builds trust. Companies should clearly communicate with customers about how their data will be used, ensuring no ambiguities.
3. Conduct Regular Audits
Regular audits of data management practices can identify gaps and improve compliance with data protection laws.
4. Train Employees on Data Privacy
Staff members must understand the importance of compliance. Training programs can help employees handle personal data responsibly and mitigate the risk of breaches.
Safaricom’s Role and Challenges
Safaricom has invested significantly in data protection, employing measures such as:
- Fraud Management Systems: These systems monitor for unauthorized access to customer data.
- Global Privacy Certifications: Safaricom holds ISO 27701 certification, reflecting its adherence to global privacy standards.
- Strict Data Sharing Policies: Safaricom claims to only share data when legally required.
Despite these efforts, the case demonstrates that systemic weaknesses persist. Safaricom must improve its internal processes to ensure full compliance with the Data Protection Act.
Broader Implications for Kenya’s Data Privacy Landscape
1. Strengthened Enforcement of Privacy Laws
The ODPC has shown its commitment to enforcing the Data Protection Act. This ruling sends a strong message to organizations, urging them to comply with privacy regulations.
2. Increased Public Awareness
Cases like this one empower citizens to assert their data privacy rights. More people are likely to file complaints if they suspect data misuse.
3. Rising Accountability in Corporations
Organizations are now under pressure to implement stringent measures that protect customer data and avoid hefty penalties.
4. Legislative Improvements
As technology evolves, Kenya’s government may strengthen the Data Protection Act to address emerging challenges and align with global standards.
The Role of the ODPC
The Office of the Data Protection Commissioner plays a pivotal role in Kenya’s data privacy ecosystem. Its responsibilities include:
- Investigating complaints related to data misuse.
- Imposing penalties for non-compliance with the Data Protection Act.
- Educating the public about their data privacy rights.
By ruling on high-profile cases like this one, the ODPC establishes itself as a key enforcer of data privacy regulations.
Challenges Facing Data Privacy in Kenya
Despite progress, data privacy enforcement faces several challenges:
- Low Awareness Levels: Many individuals remain unaware of their data privacy rights under the law.
- Compliance Gaps: Organizations often lack adequate systems to ensure full compliance with the Data Protection Act.
- Rapid Technological Advancements: New technologies, such as artificial intelligence, present unique privacy challenges that existing laws may not fully address.
- Resource Constraints at the ODPC: The ODPC requires more resources to handle an increasing number of complaints and enforce penalties effectively.
Looking Ahead: The Future of Data Privacy
As Kenya continues to embrace digital transformation, data privacy will remain a critical concern. Key trends to watch include:
- Enhanced Public Education: More efforts will likely be made to educate citizens about their privacy rights.
- Corporate Investments in Compliance: Companies will adopt advanced systems and frameworks to ensure adherence to privacy laws.
- Increased Litigation: More individuals may seek legal recourse when their data rights are violated.
Final Verdict
The Sh250,000 fine imposed on Safaricom and Becton Dickinson serves as a stark reminder of the importance of data privacy in Kenya. Organizations must take proactive steps to comply with the Data Protection Act, ensuring transparency and accountability in their data practices.
This case highlights the critical role of the ODPC in safeguarding customer privacy rights and enforcing compliance. As Kenya advances in its digital transformation journey, protecting personal data will remain a cornerstone of ethical business practices.
By learning from this incident, companies can build trust with customers and avoid reputational damage. Data privacy is not just a legal obligation—it is an essential component of sustainable growth in the digital age.