Tag: Safaricom data privacy

  • Safaricom Faces Avalanche of Lawsuits Over Data Privacy as Acquitted Student Demands Sh200mn Compensation in 48 Hours

    Safaricom PLC, Kenya’s dominant telecommunications operator with more than 46 million subscribers, finds itself at the centre of an escalating legal storm that lawyers warn could unleash a torrent of constitutional petitions challenging how the company has handled customer data when cooperating with law enforcement agencies.

    The crisis was triggered by a ruling handed down on February 19 by Principal Magistrate Carolyne Nyaguthii Mugo at the Milimani Chief Magistrate’s Court in Nairobi, which acquitted David Oaga Mokaya, a 24-year-old university student, of cybercrime charges.

    Prosecutors had alleged that Mokaya published a manipulated social media image depicting a funeral procession with a casket draped in the Kenyan flag, captioned as showing President William Ruto’s body leaving Lee Funeral Home.

    The magistrate threw out the charges under Section 215 of the Criminal Procedure Code, finding that the prosecution had failed to prove its case beyond reasonable doubt. Crucially, she excoriated investigators for seizing and forensically examining Mokaya’s electronic devices without first obtaining valid court orders — a procedural failure she said rendered the evidence obtained constitutionally inadmissible.

    Within hours of the acquittal, Mokaya’s legal team — comprising advocates Danstan Omari, Shadrack Wambui, and Martina Swiga — issued a 48-hour demand notice to Safaricom PLC, seeking Sh200 million in damages for what they describe as the unlawful disclosure of their client’s location data and personal information to investigators in the absence of a court order.

    The demand threatens constitutional proceedings at the High Court’s Constitutional and Human Rights Division should Safaricom decline to admit liability.

    ‘For the police to obtain your location or personal data from Safaricom, they must first obtain a court order. Without that order, any disclosure is unconstitutional.’ Danstan Omari, advocate for David Mokaya

    The ‘Hard Place and the Rock’ Dilemma

    Legal analysts and market observers are already describing Safaricom’s predicament as a no-win situation. If the company contests the claim and loses at trial, it faces the prospect of opening the floodgates to thousands of similar lawsuits from Kenyans who believe their data was shared with the Directorate of Criminal Investigations (DCI) or other security agencies without judicial authorisation.

    Conversely, should the company settle out of court, the precedent set by even a confidential agreement could embolden further claimants.

    The stakes are particularly high given what lawyers describe as systematic and longstanding data-sharing practices between Safaricom and law enforcement.

    In November 2024, an investigation by journalists Namir Shabibi and Claire Lauterbach, published in partnership with Kenya’s Daily Nation, alleged that Safaricom had, for years, given security agencies virtually unfettered access to subscriber data — including call data records (CDRs) and real-time location information — without court orders, facilitating the tracking of suspects later linked to enforced disappearances and extrajudicial killings.

    The Kenya Human Rights Commission (KHRC) and Muslims for Human Rights (MUHURI) issued a formal open letter to Safaricom in late 2024 demanding an accounting of the allegations and warning of legal consequences.

    Safaricom, through its lawyers, denied the allegations as “not only false but also malicious.” The company has maintained publicly that it shares customer data only when “explicitly required via a court order.”

    A Company Already Besieged

    The Mokaya case is far from the only data-related litigation confronting the Nairobi Stock Exchange-listed company.

    In 2025, Safaricom was named as a defendant in a KES 1.432 billion lawsuit filed in February, arising from an alleged breach of a central development server in its finance department that is claimed to have exposed approximately 43 million customer records.

    That suit also names the Attorney General and the Director of Public Prosecutions, with the complainant alleging that the DCI and the Serious Crimes Unit conspired with Safaricom to suppress evidence and fabricate exhibits.

    Separately, two former senior Safaricom managers stand accused in both civil and criminal proceedings of extracting and attempting to sell personal data belonging to 11.5 million subscribers — approximately 23 per cent of the company’s customer base — to a major sports betting firm.

    That data cache included full names, national ID numbers, passport numbers, M-Pesa transaction histories, precise location data, and gambling records, representing what some have characterised as potentially the largest corporate privacy violation in African history. The civil case, in which settlement talks collapsed in October 2025, is now headed for a full hearing.

    In February 2025, the Office of the Data Protection Commissioner (ODPC) ordered Safaricom and Becton Dickinson East Africa to pay damages of Sh250,000 each for unlawfully processing the personal data of a former employee, Catherine Kainyu Murithi, without her consent — a ruling that, while modest in quantum, established a precedent for regulatory accountability.

    ‘The David Mokaya case is a landmark decision that is going to bring sanity to the telecommunications sector.’ Danstan Omari, advocate

    The Constitutional Framework

    Kenya’s Data Protection Act, enacted in 2019, established comprehensive obligations on data controllers and processors, including telecommunications companies, prohibiting the sharing of personal data without the data subject’s consent or a lawful basis such as a court order.

    The Act is enforced by the ODPC, which has gradually stepped up its regulatory posture in recent years.

    The constitutional dimension of the Mokaya claim rests primarily on Article 31, which guarantees every person the right to privacy including in respect of their communications, home, and personal information, and Article 28, which protects human dignity.

    The legal team argues that personal data — messages, contacts, location, and financial records — are extensions of a person’s dignity and are entitled to heightened protection.

    The Milimani ruling reinforces a growing body of Kenyan jurisprudence holding that electronic devices attract “heightened constitutional protection” by virtue of the extensive personal data they contain, and that any search or extraction of that data must be preceded by proper judicial authorisation.

    The magistrate’s explicit condemnation of the investigators’ failure to produce valid warrants during the Mokaya trial is already being cited by legal practitioners as a significant elaboration of digital rights standards.

    Potential Floodgate of Claims

    Human rights lawyers and civil society organisations warn that the Mokaya judgment, if the constitutional petition proceeds and succeeds, could open the way for a far larger wave of litigation.

    Thousands of Kenyans who were arrested, prosecuted, or subjected to surveillance in cases that relied on subscriber data shared by Safaricom without a court order may now have a constitutional cause of action against the company.

    The 2024 anti-Finance Bill protests, during which civil society groups accused Safaricom of facilitating the tracking of demonstrators in real time, generated particular public anger and are likely to produce their own tranche of potential claimants.

    Advocate Omari described the forthcoming petition as “potentially precedent-setting,” arguing it would compel the courts to definitively resolve how telecommunications companies must balance cooperation with law enforcement against their constitutional and statutory obligations to subscribers.

    “This case could redefine how telecom companies cooperate with law enforcement agencies,” he said, adding that its implications for digital surveillance practices would be “far-reaching.”

    In Kenya, courts have already allowed class action suits to proceed against Safaricom, with the High Court in an earlier case permitting senior counsel to publish notices inviting subscribers to join constitutional petitions.

    The legal infrastructure for aggregated claims therefore already exists and is familiar to the judiciary.

    Safaricom’s Position and Commercial Exposure

    Safaricom, which reported revenues of Sh311.6 billion in its most recent financial year and holds a dominant position in Kenya’s mobile money ecosystem through its M-Pesa platform, has not publicly responded to the Mokaya demand notice as of the time of publication.

    The company’s published privacy policy states that it does not share customer information unless required by law or a court order, and it holds multiple internationally recognised data security certifications, including ISO 27701 and ISO 27001.

    It is regulated by the ODPC, the Communications Authority of Kenya, and the Central Bank of Kenya.

    The company has historically maintained that interactions with its Law Enforcement Liaison Office operate within the bounds of the law.

    However, critics argue that the very existence of a dedicated liaison structure facilitating data flows to security agencies — particularly given findings about CDR handling and alleged manipulation of records surfaced in investigative journalism — points to systemic practices that courts have yet to fully scrutinise.

    Investors tracking Safaricom’s shares on the Nairobi Securities Exchange will note that a sustained legal campaign, particularly one that captures public attention and attracts additional petitioners, carries not only direct financial liability but reputational damage in a market where trust in data stewardship is increasingly valued by both consumers and institutional stakeholders.

    What Happens Next

    The 48-hour ultimatum issued to Safaricom expired on February 22, 2026. Should the company fail to respond or decline to admit liability, Omari has committed to filing a constitutional petition at the High Court the following Monday morning.

    A successful petition seeking Sh200 million in damages would, legal practitioners note, not be the end but the beginning: it would crystallise a cause of action that tens of thousands of Kenyans could replicate.

    The case also arrives at a moment of heightened scrutiny for the relationship between African telecommunications companies and state security apparatus more broadly.

    From Nigeria to Ethiopia to South Africa, regulators and civil society groups have pushed for clearer legal frameworks governing when and how network operators may disclose subscriber data to authorities.

    The outcome of the Mokaya constitutional petition, and any eventual class action that follows, is therefore likely to be watched beyond Kenya’s borders.

    For Safaricom, caught between the demands of law enforcement agencies that depend on its cooperation and the constitutional rights of the 46 million subscribers whose data it holds, the Mokaya case has crystallised a tension that the company can no longer defer.

    The question now is not whether it will face a wave of data privacy litigation, but how large and how organised that wave will be.

  • Safaricom Under Storm As Acquitted Student Vows Massive Lawsuit After Telco Admits Handing DCI His Private Data Without Court Order

    The acquittal of Moi University student David Mokaya by the Milimani Law Courts has opened a legal Pandora’s box that threatens to embarrass both Kenya’s dominant telecommunications company and the Directorate of Criminal Investigations in equal measure, as the young man’s lawyers announced plans to pursue the State for malicious prosecution while the court itself placed Safaricom on notice over what it described as a blatant and illegal breach of a subscriber’s constitutional rights.

    Magistrate Carolyne Mugo, in a ruling delivered on February 19, 2026, did not merely acquit Mokaya of charges that he published false information about President William Ruto.

    She went further, pointedly flagging Safaricom as a company with serious questions to answer after it emerged during trial that the telecommunications giant had surrendered Mokaya’s private subscriber data to police investigators without any court order authorising the disclosure.

    The magistrate’s remarks were not obiter.

    They were deliberate, targeted and carry the weight of judicial censure that Safaricom’s legal and regulatory affairs teams will find impossible to ignore.

    The facts of the case, as they emerged during weeks of testimony, paint a disturbing picture of a security apparatus that moved with remarkable speed and remarkable disregard for constitutional safeguards once a social media post touching on the President’s name entered the system.

    On November 13, 2024, a post appeared on platform X under the username “Landlord @bozgabi” depicting a funeral procession with a military escort carrying a casket draped in the Kenyan flag, accompanied by a caption that investigators said referenced President Ruto.

    Within twenty-four hours, a senior police officer identified in court as Michael K. Sang had written directly to Safaricom demanding the subscriber details behind the account.

    By November 15, a team of detectives from the Serious Crimes Unit had descended on Eldoret, tracked Mokaya to an area opposite Moi University’s Annex, and arrested him.

    A Samsung phone, a laptop and his identity card were seized before anyone had troubled themselves to obtain a search warrant.

    It was Chief Inspector Bosco Kisau who delivered the most damaging admissions from the prosecution’s own witness stand.

    Under cross-examination by defence lawyers Danstan Omari, Ian Mutiso and Shadrack Wambui, Kisau conceded that he had not been served with a court order authorising the investigation of Mokaya’s devices. He admitted he was unaware of a High Court ruling requiring law enforcement to obtain judicial authority before compelling mobile service providers to release subscriber details.

    He further admitted that he could not confirm the origin, source or geographic location of the disputed post.

    He could not confirm whether the SIM card linked to the account had been properly registered. He had not recorded a statement from the complainant, President Ruto.

    And crucially, when pressed directly, he conceded that the post in question did not actually contain a photograph of the President.

    Safaricom employee Daniel Hamisi, who also took the stand, confirmed that he had released Mokaya’s details upon a written request from a senior police officer, without any court order having been presented or demanded.

    His testimony crystallised what civil liberties advocates have long argued: that Kenya’s Data Protection Act of 2019 and the constitutional right to privacy exist on paper in a manner that is, in practice, subordinate to a phone call or a letter bearing a senior officer’s signature when matters touching on political figures are involved.

    The magistrate was unsparing.

    She found that police had failed miserably in their duty, that the accused had been framed, and that no direct evidence linked Mokaya to the alleged offence.

    She noted that Mokaya’s social media account was shared with three other individuals who were never traced or called as witnesses, creating reasonable doubt that could not be resolved by the prosecution’s threadbare evidence.

    She noted that the alleged offence was said to have been committed in Nairobi while Mokaya was physically in Eldoret.

    She noted the complete absence of forensic or digital evidence tying him to the post. She observed that the court could not rule out the possibility that the post itself had been fabricated and planted on an account associated with his name.

    She also noted something that ought to concern the leadership of the Safaricom corporation and its board.

    The company’s compliance with an unlawful police request, without demanding judicial authorisation, may constitute a violation of the Data Protection Act.

    That legislation imposes clear obligations on data controllers and processors regarding the circumstances under which personal data may be disclosed to third parties, including law enforcement.

    Disclosure without a court order, in circumstances where one is legally required, is not a procedural technicality.

    It is a substantive breach carrying potential regulatory consequences from the Office of the Data Protection Commissioner and civil liability in the courts.

    Omari and Mutiso, who led Mokaya’s defence and who are no strangers to high-profile constitutional litigation, wasted no time in signalling what comes next.

    They told the court after the ruling that they intend to sue the State for malicious prosecution. Legal analysts familiar with their track record consider this not an idle threat but a certainty.

    A malicious prosecution claim would require establishing that the prosecution was initiated without reasonable and probable cause, that it was actuated by malice, and that it terminated in the accused’s favour. On the facts as found by the magistrate, all three elements appear to be richly available.

    Mokaya’s tweet he made after being freed by the court.

    The civil suit, when filed, will almost certainly name Safaricom as a defendant or at minimum as a party from whom discovery is sought.

    The company will need to account for its internal processes around law enforcement data requests. It will need to explain why its compliance team released subscriber data without demanding what the law requires.

    It will need to address whether this was an isolated incident or systemic practice. These are questions that Safaricom’s corporate communications machinery cannot deflect with a press statement.

    For Mokaya himself, the personal cost of this ordeal is not easily quantified.

    He was charged on November 13, 2024, and the case dragged through a full trial over a period of roughly three months.

    His lawyer told the court that the student could not even speak in the immediate aftermath of the ruling due to mental trauma and shock that had gripped him since his arrest.

    He spent the duration of the case on a bond of one hundred thousand shillings or a cash bail of fifty thousand shillings, money that a finance student at a public university would not easily produce. His devices were confiscated. His movements were constrained. His studies were disrupted.

    David Mokaya during a past court session.

    The broader significance of this case extends well beyond one young man’s acquittal.

    It arrives at a moment when the relationship between digital speech, state power and telecommunications infrastructure is under intense scrutiny across Africa.

    Kenya’s Data Protection Act was celebrated when it passed as a significant step toward aligning the country with international data protection standards.

    The Mokaya case suggests that the legislation’s practical force remains weak in the face of political pressure and institutional habit.

    When a senior police officer can write a letter to a telecommunications company on a Tuesday and have subscriber location data by Wednesday morning without a magistrate or judge having been involved at any point, the statute’s protections are nominal at best.

    The Law Society of Kenya, through Mutiso’s involvement in the case, has effectively placed its institutional weight behind the argument that telecom companies must resist unlawful data requests regardless of who is making them and regardless of whose name appears in the underlying social media post.

    That argument will now be tested in the civil courts, where Mokaya’s lawyers say they will press it with full force.

    Safaricom has not issued a public statement on the matter at the time of publication.

    The company, which controls the overwhelming majority of Kenya’s mobile subscriber market and whose M-Pesa platform is embedded in the economic life of tens of millions of Kenyans, has significant reputational exposure if the civil litigation proceeds and produces further uncomfortable disclosures about the ease with which law enforcement has historically been able to extract personal data from its systems.

    The magistrate reminded police, in terms that deserve to be read widely, that the duty to observe the law does not diminish because the name of the President or any other powerful figure appears in a social media post.

    She reminded them that cases of this nature must be handled with caution and free from public or political pressure.

    She reminded them that the criminal procedure code and the Constitution are not suspended when someone posts something uncomfortable about a head of state.

    For a twenty-four-year-old finance student from Moi University who spent months answering charges that a court ultimately found may have been built on a fabricated foundation, those reminders came at significant personal cost.

    The question that will now occupy Kenya’s legal community is whether the institutions that failed him will be made to pay one.

  • Safaricom’s Licence Renewals Could Lock In Dominance and Open a New Era of Costly Telecom Bills

    Renewal of NFP-T1 and IGSS licences could increase data and call prices

    Safaricom is seeking to renew its two most powerful licences, a move that could cement its control over Kenya’s telecom infrastructure and push consumer costs higher at a time when households are already strained by rising prices.

    The applications, quietly tucked into a November 21 Gazette notice, relate to the NFP-T1 and IGSS licences which give Safaricom sweeping authority over national infrastructure and international communication routes.

    Industry analysts warn that renewal without new safeguards could deepen a monopoly that has thrived for years under weak regulation.

    The NFP-T1 licence allows Safaricom to operate the infrastructure backbone that every Kenyan relies on, from cell towers to data centres, while giving it access to critical spectrum bands.

    Previous studies show that markets dominated by a single operator often suffer data prices up to 30 percent higher than those with strong competition.

    The IGSS licence places Safaricom at the heart of international traffic, making it the gatekeeper of all inbound and outbound calls and data.

    Ongoing disputes over spectrum fees and penalties are expected to shape the renewal terms and could translate into higher tariffs as the company moves to protect its revenue.

    However, the biggest public concern is data privacy.

    In recent years, Safaricom has faced multiple accusations of leaking subscriber information to law enforcement without due process.

    Rights groups say the company’s relationship with state agencies exposes millions to surveillance risks while Parliament continues to probe alleged breaches.

    The CA is now inviting public comments for 30 days.

    For the first time in years, Kenyans have an opportunity to influence the conditions placed on Safaricom’s power.

    Whether the public intervenes could determine whether connectivity becomes more affordable and secure, or whether the next chapter belongs to an even stronger telecom giant.