Provision of digital credit services in Kenya raises several market conduct concerns such as information asymmetries, fraud, false advertisement, money laundering and terrorism financing risks, data privacy infringement among others. This article focuses on the data privacy concerns.
Digital credit in Kenya refers to instant, automated and remote loans accessed through a mobile device or through the internet. Examples of digital credit service providers include Tala, Branch, Okash and Opesa.
Digital credit has in the past five years become a popular method for the unbanked population to access previously unavailable credit. Unlike traditional credit provided by commercial banks, it leverages on non-traditional data such as phone use, mobile money transaction and social media data. This data is analysed with the aim of predicting consumer behaviour which translates into a risk rating on a consumer’s creditworthiness.
A majority of the digital credit consumers are unsophisticated and do not care to read or understand the terms and conditions for accessing digital credit which are more often drafted in long and complicated language. Upon installing a digital credit application, most consumers unknowingly permit the applications to access their phone records, text messages, call logs and social media applications. It is however inevitable that a consumer grants this access rights because to reject this request means that the consumer will not be able to access the application and by extension obtain a loan. The consumers barely understand the consequences of sharing personal information.
Consequently, there have been increased instances of cyber bullying, fraud and identity theft. In this advent of big data analytics where personal information is used to evaluate the credit-worthiness or loan eligibility of a consumer and for the most part to the disadvantage of consumers, the justification for the protection of consumer data privacy arises.
It is important to point out that there is currently no specific law in Kenya governing digital credit in Kenya. However, there are general consumer protection provisions that consumers can rely on to seek redress against digital lenders.
The provisions are drawn from the Constitution of Kenya, Consumer Protection Act and the Competition Act. With respect to data privacy, Articles 31(c) and 31(d) of the Constitution guarantee the right to privacy including the right to not have information relating to a person’s family or private affairs unnecessarily required or revealed or the privacy of their communications infringed. In giving life to Article 31 of the Constitution, the Kenyan Parliament in 2019 enacted the Data Protection Act (DPA) which mirrors the EU General Data Protection Rules.
The DPA applies to digital lenders as data controllers because they determine how the data collected will be used and processed. Similarly, data analytics companies and professionals are considered to be data processors because they process the data on behalf of the digital lenders. Further, given the nature of the digital credit market and the amount and sensitivity of data that they process, digital lenders should expressly be required to register as data controllers. As a corollary to the above, digital lenders should also designate a data protection officer who will be responsible for matters data protection within their firms.
Under the DPA, consumers have rights to be informed of how their personal information will be used and they can object to the processing of all or part of their personal data. While digital lenders inform consumers how their data will be used, the applications do not contain an option for objection to processing of some or all of the data.
A consumer is therefore obliged to give uninformed consent because he/she has no option but to grant access to his/her records otherwise he/she will not be able to obtain a loan.
The applications should therefore contain options for a consumer to opt in or out. Consumers also have rights of access information that is held about them and rights of correction and rectification of misleading data about them.
Digital lenders should request the borrowers for permission every time the data is used for a different purpose that is not specifically authorised by the consumer. In this regard, the initial purpose for the use of the data is to evaluate the creditworthiness of a borrower. There are instances where lenders have used phone book data to reach out to the family members and employers of consumers in order to threaten the consumer and demand repayment. This is an outright breach of a consumer’s right to data privacy.
While the DPA contains a number of protection provisions for consumers of digital credit, digital lenders have successfully been able to escape financial supervision because of the lack of a specific regulatory framework. It therefore remains to be seen how the DPA will be applied to the digital credit market.
Notably, despite the lack of a regulatory framework, the CBK has recently stretched its regulatory reach and cracked the whip on digital lenders by withdrawing approvals granted to the lenders to forward names of loan defaulters to credit reference bureaus as third-party credit information providers citing misuse of the information by the unregulated digital and credit-only lenders.
Ms Odenyis an LL.M Candidate (Corporate and Commercial Law) at Queen Mary University of London and an Advocate of the High Court of Kenya.