Spam messaging, doxing: Tighter data privacy rules turn spotlight on digital lenders, CBK



Tighter privacy regulations have turned the spotlight on digital credit service providers who have for years topped the list of violations of the Data Protection Act 2019.

A review of recent determinations by courts and the Office of the Data Protection Commissioner (ODPC) showed that digital lenders dominated the non-compliance list, also putting their regulator, the Central Bank of Kenya (CBK), in the spotlight.

Violations by digital lenders and other corporates have, in recent months, attracted millions of shillings in fines from the ODPC, with some attempts to challenge the sanctions in court falling flat.

This year alone, authorities have awarded more than Sh13 million in fines and damages to consumers who raised complaints against unwarranted contact or spamming from companies without their consent.

In one case, the High Court last month ruled in favour of the ODPC, which had fined digital lending firm Ceres Tech Sh2.6 million after three Kenyans filed a complaint over unsolicited promotional messages and calls.

This came just three months after the court threw out a petition by Mulla Pride, another digital lending firm, that sought to challenge a Sh2.9 million penalty from the regulator over the same offence.

These violations come even as regulators, including the ODPC, the Communications Authority of Kenya (CA), and the CBK, have stayed silent on the implementation of crucial policies on data minimisation, which are enshrined in the law and aimed at safeguarding consumers’ personal information.

The legal disputes have further raised concerns over the liability burden facing companies that process consumers’ financial transactions on one hand, and the role of the different regulators in implementing safeguards enshrined in data protection laws on the other.

In 2024, digital financial services providers accounted for a third of determinations issued by the ODPC from more than 5,000 consumer complaints.

The complaints included improper consent management, unsolicited communication, harassment of third parties, and aggressive debt collection practices.

At the centre of many of the formal complaints is the violation of data minimisation principles as stipulated in the Data Protection Act 2019, which requires companies to collect only the data that is necessary for their service delivery.

Data privacy advocates have raised concerns that the amount of data collected by companies, which range widely from the manual registration required upon entry into many buildings to personal data provided when applying for a digital loan, is excessive.

“The principle of data minimisation, requiring collection and sharing of the personal information necessary for a specific, lawful, and clearly defined purpose, is one of the most fundamental safeguards in data protection law. Yet, it remains one of the least observed in practice,” Mugambi Laibuta, a data protection compliance expert, said in a commentary published in the Business Daily last week.

“The consequences are no longer theoretical. They are tangible, personal, and dangerous. The failure to apply data minimisation has exposed Kenyans to heightened risks,” he added.

Mobile phone subscribers have also raised concerns over spamming from companies in sales and marketing promotions, and in some cases, doxing once their information is leaked to the public.

Data Protection Commissioner Immaculate Kassait last year flagged the rising cases of doxing following the Finance Bill protests, where some politicians saw private details, including their home addresses, spouses' names, and children's schools, leaked to the public.

Doxing refers to collecting and disseminating someone’s personal information to shame, embarrass, expose, or intimidate them. This information can come from private sources, but is often obtained from public records.

“Is there any difference between a digital lender who bombards you with unsolicited messages and a Gen Z who bombards a private citizen with messages?” asked Ms Kassait during an address on the State of Data Protection in Kenya at the Strathmore Business School. “The principle is, it is still unsolicited, and it is still my private number.”

Financial services providers and fintechs have pushed regulators, including the CBK, ODPC, and CA, to allow them a free hand to deploy technological features such as masking of mobile numbers during financial transactions to limit cases of data leakage and privacy infringement.

According to the 2024 banking sector innovation survey by the CBK, a substantial 34 percent of banks and 64 percent of microfinance institutions cited growing data protection and privacy risks as impediments to innovating new products and services.

According to the survey, one out of three institutions emphasised the critical need for robust regulations that would address cybersecurity threats and data privacy concerns.

“This includes standards for data encryption, authentication, and protocols for handling sensitive information,” states the CBK in its report in part.

Commercial banks have instituted data minimisation in the handling of consumer data in credit and debit card transactions as part of requirements by the CBK. Mobile service providers are also beefing up their digital security infrastructure to ensure consumers share as little personal data as possible when making payments.

Safaricom, which counts more than 30 million daily active users on M-Pesa, developed a tool in 2021 that masks users’ mobile phone numbers when making purchases through Till and PayBill numbers, but has been unable to deploy the feature due to regulatory restrictions.

In a change of tune, however, the CA last week clarified that it welcomes such initiatives from service providers and signalled a willingness to okay their deployment.

“With the rise of digital services, including e-commerce, privacy features such as number masking on mobile payment platforms are important for digital trust and consumer protection,” stated the CA in a press statement.

“The Authority reiterates its support for innovations that uphold privacy and undertakes to roll out privacy-enhancing features consistent with the law in partnership with industry stakeholders,” it added.

This leaves the CBK as the State regulator that is yet to give a green light for the deployment of new technologies to enforce stricter standards for the protection of subscribers’ personal data, even as the regulator issues new guidelines for the financial services sector.

In August this year, CBK released new guidelines for non-deposit-taking Credit Providers that, among other things, stipulate adherence to the Data Protection Act, 2019, and that they obtain clearance certificates from the ODPC.

“A non-deposit-taking provider shall, where applicable, develop an information and technology policy which shall at a minimum cover data encryption standards and guidelines, information security guidelines and application security,” the regulations state in part.

Other checklist items for service providers when developing their IT systems include network access, password security for mobile applications and web platforms, and a backup policy.

As consumers turn to the legal system to address cases of personal data infringement and as service providers grapple with the cost of compliance, the ball is in the court of the CBK, which spans both fintech and banking sectors, to implement its own policies to safeguard consumers’ rights.

Kevin Mutiso, the chairperson of the Digital Financial Services Association of Kenya, told the Business Daily that the organisation is deploying a complaints portal to enhance internal oversight of the violations.

“The portal will interlink the regulator and the businesses such that everyone has visibility of the complaints being lodged. We’re gearing up for rollout by June next year,” he said in a phone interview.
