A petition against leading telco giant Safaricom PLC has been filed with the Office of the Data Protection Commissioner (ODPC), alleging breach of the Kenya Data Protection Act (DPA) of 2019 by the service provider.
According to a complaint in our possession dated November 20, 2024, Victor Odhiambo accuses Safaricom of allegedly violating the DPA of 2019 in its data collection, processing, and use, particularly through its use of AI-powered systems and technologies.
Odhiambo is thus asking the body led by Data Commissioner Immaculate Kassait to compel Safaricom to make full disclosure of the personal data the telco holds.
Further, the complainant wants Safaricom prohibited from using the data in its possession for AI development without explicit opt-in consent.
“I seek implementation of transparency and fairness measures in AI systems,” Odhiambo’s complaint reads in part.
He claims that Safaricom failed to respond to a Data Subject Access Request (DSAR), which seeks access to personal data and information about its processing and disclosures.
Safaricom allegedly provided an incomplete and insufficient response, violating transparency and accountability requirements under the DPA.
Odhiambo further accuses Safaricom of using personal data, such as call records and browsing history, to train AI systems for commercial purposes, without obtaining explicit consent, violating Section 37 of the DPA.
“Data collected for operational purposes (billing, network optimization) is allegedly being used for unrelated purposes like AI development, contrary to the principle of purpose limitation under the DPA,” the letter reads in part.
He adds that the “Jitambulishe” voice biometric system, used for customer authentication, raises concerns about privacy, data security, algorithmic bias, and susceptibility to spoofing or misuse.
Further, Odhiambo says Safaricom’s Zuri Health platform processes sensitive health data, raising concerns about informed consent, transparency, and compliance with health data protection requirements.
“Safaricom’s AI systems allegedly lack safeguards, such as Data Protection Impact Assessments (DPIAs), necessary to evaluate and mitigate risks of automated decision-making and algorithmic bias,” he adds.
Odhiambo also wants administrative penalties and compensatory relief for breaches of the DPA and constitutional rights, as well as regular audits and safeguards for data processing activities.
Safaricom is not new to allegations of data breach.
Early this month, Safaricom denied claims that it is abusing its customers’ data privacy by sharing their information with security agencies and other third parties.
This was a rejoinder by the entity led by Chief Executive Officer (CEO) Peter Ndegwa following an exposé by the Daily Nation that alleged that the police have been using mobile phone data to track down and capture suspects with the help of telcos, particularly during the Gen Z protests that saw over 60 protesters killed.
According to the article, Safaricom allegedly embedded Neural Technologies, a data management system, in its internal systems, allowing security services virtually unrestricted real-time access to Kenyans’ call data, allegations that the telco denied.
“As such, we do not share any customer data unless explicitly required of us via a court order,” Safaricom said through a statement.
The telco said it onboarded Neural Technologies in July 2012 to implement a fraud management system (FMS) on all its business lines, including its money system.
“Neural Technologies is a global brand operating in over 30 countries providing support to Telcos and utility companies to prevent and detect fraud with no third-party access. Finally, we would like to reassure our customers that we have always been transparent and honest in how we engage with our stakeholders, and we will continue to do so in order to maintain the trust that we have built over the years,” the statement said in part.
In previous court rulings, Safaricom has been cited as being liable for losses incurred by customers from lost funds in M-PESA and M-Shwari accounts.
For example, the High Court upheld a ruling that Safaricom was liable for a customer’s loss of Sh751,680 due to a delayed response in disabling a SIM card.
In the case, the High Court ordered Safaricom to compensate a customer with a sum of Sh452,868.
The customer had fallen victim to fraudsters who hacked into his M-Shwari account.
High Court Justice Asenath Ongeri upheld the decision of the Small Claims Court, stating that Safaricom was liable for the funds withdrawn from the client’s M-Pesa account after he reported his SIM card stolen.
Justice Ongeri ruled that Safaricom had breached its duty of care towards the customer, resulting in the loss of Sh452,868.
The judge found Safaricom accountable for the losses suffered by the customer, as he had taken all necessary steps to block the transactions on his line.
The incident occurred when the customer, Kafwa, lost his phone on October 10, 2021.
He immediately contacted Safaricom’s customer care to disable his M-Pesa account.
However, he was informed that his line could not be disabled immediately due to his subscription to the “Advantage hybrid Tariff.”
He was advised to visit a retail center and was also asked to obtain a police abstract.
During this time, the fraudsters accessed Kafwa’s accounts and withdrew Sh298,812 from his M-Pesa account.
The following day, an additional Sh116,505 was withdrawn from his M-Shwari account.
Kafwa took legal action against Safaricom, demanding a refund of Sh751,680, the total amount withdrawn from his M-Pesa account.
The Small Claims Court magistrate ruled in favor of Kafwa, holding Safaricom responsible for the loss of Sh452,868 and ordering the company to refund the amount along with the cost of the suit and interest.
Dissatisfied with the ruling, Safaricom filed an appeal with the High Court.
The recent decision by the High Court affirms the initial ruling, emphasizing Safaricom’s duty of care towards its customers and holding the company liable for the losses incurred by Kafwa.
Safaricom has also faced cases of internal fraud orchestrated by its staff members.
In January this year, David Obwanga Adoyo, a Safaricom Trade Development Representative (TDR), was charged with fraud for allegedly using national ID numbers to register mobile lines and embezzling over Sh29.5 million ($186,604.04) from the National Police DT Savings and Credit Cooperative Organisation (SACCO) Society Limited.
He was charged with six counts of fraud before Gilbert Shikwe, Milimani Senior Principal Magistrate.
Adoyo is said to have committed the fraud between August 28, 2021, and April 15, 2022.
The prosecution testified that Adoyo unlawfully used the identification documents of Godfrey Njuguna Lucas, Peris Njoki Mwangi, Kesia Wangari Maina, and Beth Wambui Murage.
The prosecution said Adoyo will be tried alongside M-PESA agents accused of the same fraud in 2023.
The accusation implies that Adoyo and others conspired to steal from the National Police DT SACCO Society.
The allegations include linking mobile lines to Sacco members’ accounts to withdraw Sh12,954,937 ($81,953.36) from their savings via M-PESA agents.