Kenya Insights

Tag: Data commissioner Immaculate Kassait

  • Zuku Hit with Sh500K Fine for Spam Texts: Pandora’s Box Opens for Future Lawsuits

    Zuku Hit with Sh500K Fine for Spam Texts: Pandora’s Box Opens for Future Lawsuits

    Ex-Customer’s Victory Over Relentless Spam Texts Sparks Legal Avalanche for Kenyan Firms

    In a ruling that could redefine corporate accountability in Kenya’s digital age, internet provider Zuku has been ordered to pay a former customer Sh500,000 for bombarding him with unsolicited promotional messages years after he ditched their services.

    The penalty, issued by Data Commissioner Immaculate Kassait, not only exposes glaring gaps in data privacy compliance but sets the stage for a potential wave of lawsuits against Zuku and other firms flouting consumer rights.

    The case, stemming from a November 2024 complaint by ex-client Yasin Abukar, reveals a Kafkaesque ordeal. Abukar argued that despite repeatedly demanding—via calls, emails, and even showing up at Zuku’s offices—that the company delete his personal data and stop spamming him, the messages kept coming.

    “I felt harassed. They treated my privacy like an afterthought,” Abukar stated in his submission. His frustration deepened when Zuku’s listed customer service email bounced back as invalid, leaving him trapped in a corporate runaround.

    Zuku, owned by Wananchi Group, denied ever receiving Abukar’s requests, claiming a system audit showed no record of his pleas. But the Data Commissioner’s office uncovered a far thornier reality.

    An ODPC investigation found that the email address provided on Zuku Fibre’s website for data protection inquiries was inactive, making it difficult for Abukar to exercise his right to data deletion. Despite Zuku’s denial of receiving formal deletion requests, the ODPC found evidence that the company continued processing Abukar’s data and obstructed the investigation.

    The regulator ruled that Zuku Fibre violated Sections 26 and 40 of the Data Protection Act by failing to honor Abukar’s data deletion request, unlawfully processing his personal data, and providing an invalid contact channel for data protection inquiries.

    “The right to data deletion is fundamental, and organizations must comply with the law or face the consequences,” the ODPC stated.

    During a court-sanctioned raid last week, Zuku’s staff reportedly stonewalled investigators, refusing access to digital records and systems despite being presented with a search warrant.

    “Their lack of cooperation turned this into a witch hunt,” Kassait wrote, accusing Zuku’s directors of obstruction—a charge that could now land them in criminal court.

    A Precedent for “Data Vigilantes”

    The ruling, dated February 15, 2025, is more than a win for one aggrieved customer. It sends a seismic warning to Kenyan Zuku and other firms: ignore data deletion requests at your peril. With Kassait pushing for prosecutions beyond fines, companies risk both financial bleeding and reputational ruin.

    Legal experts predict a surge in similar cases

    “Consumers are waking up to their rights under the Data Protection Act. This verdict is a green light for others to demand respect—or sue,” says Nairobi-based privacy advocate Miriam Wanjiku on X.

    The timing couldn’t be sharper: Kenya’s data watchdog recently vowed to clamp down on foreign violators, signaling a no-nonsense era of enforcement.

    Zuku’s Mounting Woes

    The firm’s claim of innocence—“We found no trace of his complaints”—collapsed under scrutiny, with Kassait dismissing it as “convenient denials.” Worse, their defiance during the probe paints a picture of a company clinging to opacity in a transparency-driven market.

    Abukar’s lawyer, speaking anonymously, hinted at broader implications: “This isn’t just about spam texts. It’s about companies hoarding your data like gold long after you’ve left them. That ends now.”

    Zuku has 30 days to appeal, but the court of public opinion may already be leaning toward Kassait’s stance. As Kenyans increasingly guard their digital footprints, the message is clear: respect privacy, or pay the price—one lawsuit at a time.

    For consumers drowning in spam, Yasin Abukar’s fight is a rallying cry. For corporations? A chilling wake-up call: delete responsibly, or brace for the flood.

  • Data Breach: NCBA Bank Fined For Disclosing A UK Customer’s Confidential Information To A Third Party

    Data Breach: NCBA Bank Fined For Disclosing A UK Customer’s Confidential Information To A Third Party

    NCBA Bank has been ordered to pay United Kingdom based solicitor Sh250,000 for disclosing her data to a third party.

    Data commissioner Immaculate Kassait slapped the lender with the fine as compensation to the Kenyan and UK-based solicitor Rose Wambui Muigai.

    The ODPP noted that the lender failed to process personal data in accordance with the right to privacy resulting in unlawful and unauthorized disclosure of Muigai’s personal data.

    “Having found that NCBA Bank did not process Wambui’s personal data in accordance with the right to privacy under Section 25(a) of the Act, NCBA Bank is hereby ordered to compensate Wambui in the amount of Sh 250,000,” ruled the Data commissioner.

    The lawyer filed a complaint alleging that NCBA Bank disclosed her personal data to third parties, who were the lender’s former employees without lawful basis.She alleged that alleged that on diverse dates between 20th May, 2023 and 28th May, 2024, NCBA Bank processed her personal data in violation of data protection laws.

    She said the former employees of the Bank were using her personal data to contact her to assist her with renewal of her insurance cover.

    Data commissioner Immaculate Kassait.

    Data Commissioner heard that or about June 2021, Wambui subscribed to one of the NCBA’s services, where the lender provided financing for her to acquire a motor vehicle, as well as an additional facility for an annually renewable insurance premium.

    On 25th May, 2023 she stated that she received a call from a third party, who disclosed information that included her full name, mobile phone number and her motor vehicle details, car registration number.
    Additionally, the third party informed her that her motor vehicle insurance was due for renewal.

    Wambui said she received another call from another number and the person introduced himself and an employee of the NCBA.

    “This third party disclosed the Wambui’s full name, mobile phone number and motor vehicle details and additionally informed her that the motor vehicle insurance was due for renewal and that he could assist with this,” states the decision.

    On 20th May 2024, she received another call from the same person, who again disclosed Wambui’s personal data and further stated that since the Respondent’s portal had an issue with access, he was requesting that she furnish him with a copy of her logbook so he may assist with the renewal of the motor vehicle insurance.
    On 22rd May 2024, she received an email from NCBA notifying her that her motor vehicle insurance was due for renewal on 28th May 2024.

    She responded to the email dated May 22, 2024 requesting NCBA to proceed with the fulfillment of the vehicle motor insurance.

    The Bank defended itself by claiming the individual who called the lawyer were former employees and the ceased working for the institution.