Tag: Whitepath Company Limited

Nairobi businessman Dennis Caleb Owuor has been awarded Sh250,000 in compensation after a digital lending company listed him as a loan guarantor without his knowledge, marking a major victory in the fight against predatory lending practices in Kenya.

The Office of the Data Protection Commissioner has found Whitepath Company Limited guilty of unlawfully processing personal data and ordered the firm to pay the hefty fine to Owuor, who was subjected to harassment through multiple phone calls demanding payment for a loan he knew nothing about.

In a determination dated February 21, 2025, Data Commissioner Immaculate Kassait ruled that the digital lender violated the Data Protection Act 2019 by processing Owuor’s personal information without a lawful basis and listing him as a guarantor without his consent.

The case, which began when Owuor lodged a complaint on November 24, 2024, has sent shockwaves through Kenya’s digital lending sector, with consumer rights activists hailing it as a watershed moment in protecting borrowers from unscrupulous lenders.

According to the determination, Owuor received multiple calls from agents of Whitepath Company demanding payment for a loan for which he had allegedly been listed as a guarantor.

The bewildered businessman had no knowledge of the loan, had never agreed to guarantee it, and had not provided consent for his personal information to be used in this manner.

The Commissioner found that the respondent’s unauthorized disclosure of the complainant’s personal data constituted a serious offense under the Act. An enforcement notice has been issued compelling Whitepath Company to erase all data relating to Owuor and furnish proof of compliance.

The ruling invoked Article 31 of the Constitution of Kenya, which guarantees the right to privacy, and cited multiple provisions of the Data Protection Act that require explicit consent before processing personal data. The Commissioner emphasized that data controllers must operate with transparency and accountability, principles that Whitepath Company flagrantly violated.

Legal experts say this case sets an important precedent for thousands of Kenyans who have fallen victim to similar practices by digital lenders. The ruling makes it clear that lending apps cannot simply harvest personal data from phone contacts or other sources and use it to harass individuals who never agreed to be part of a loan transaction.

Consumer protection advocates have long complained about the aggressive tactics employed by some digital lenders, including accessing phone contacts without permission, making threatening calls to borrowers’ relatives and friends, and publicly shaming defaulters through social media.

The Central Bank of Kenya has been under pressure to regulate the digital lending sector more strictly following numerous complaints about exorbitant interest rates, hidden charges, and invasive data collection practices. Several digital lenders have faced sanctions in recent years, but enforcement has been inconsistent.

The ODPC determination makes it clear that victims of such practices have legal recourse. The Commissioner noted that the office was established specifically to regulate the processing of personal data, ensure compliance with data protection principles, protect individual privacy, and provide remedies when personal data is processed unlawfully.

For those who find themselves in similar situations, the process is straightforward. Complaints can be lodged directly with the Office of the Data Protection Commissioner, providing details of the unauthorized use of personal information. The office is mandated to investigate such complaints and has the power to issue enforcement notices and award compensation.

Industry insiders say the Sh250,000 fine, while significant for an individual case, should be high enough to serve as a deterrent. They argue that digital lenders must invest in proper data protection systems and ensure they have explicit consent before processing anyone’s personal information.

Whitepath Company has 30 days to appeal the determination to the High Court of Kenya. The company did not respond to requests for comment by the time of publication.

The case highlights the growing importance of data protection in Kenya’s digital economy. As more financial services move online, the risk of personal information being misused increases exponentially. The Data Protection Act provides robust safeguards, but enforcement depends on individuals being aware of their rights and willing to pursue complaints.

Consumer rights groups are urging anyone who has been similarly harassed by loan apps to come forward and file complaints with the ODPC. They point out that many Kenyans suffer in silence, unaware that they have legal protections against such practices.

The ruling also serves as a warning to other digital lenders operating in Kenya. The era of cavalier treatment of customer data is over. Companies that fail to comply with data protection laws face not only financial penalties but also reputational damage that could prove fatal in a competitive market.

For Dennis Caleb Owuor, the ruling represents vindication after months of harassment. More importantly, his courage in pursuing the complaint has potentially helped thousands of other Kenyans who may find themselves in similar circumstances.

The Data Protection Commissioner’s office has indicated it will continue to vigorously pursue cases of data misuse, sending a clear message that Kenya’s digital economy must be built on a foundation of trust and respect for individual privacy rights.

Whitepath Company Limited that was previously flagged as a rogue lender and fined for data breach by data commission is now back to old dirty ways.

The firm is yet again being accused of harassing Kenyans, sending threatening messages to lenders and in-line violating the very laws that they were fined for.

“This month Whitepath sent a message to my contacts debt shaming me even after I gave them a repayment plan.” A complainant said.

“I do not even know how these people get access to contacts because I think Google banned them from requesting permissions for contacts.” He adds that he’s not the only victim as there are other cases that he’s aware of.

Evidence of harassment

Rogue lenders fined

Last year in April, mobile money lender WhitePath Company Limited and workspace provider Regus Kenya were both slapped with a Sh5 million penalty as per the Data Protection Act and Complaints Handling Procedure and Enforcement Regulations.

This followed a barrage of complaints received by the commission on WhitePath with close to 150 users claiming that their applications have been accessing their phone contacts without permission and bombarding them with unwanted text messages. To make matters worse, WhitePath’s staff was alleged to been harassing the complainants and their contacts. Same things they’re doing again.

As for Regus Kenya, they’ve were accused of spamming improper information to a complainant despite attempts to make them stop.

They suffered such an expensive penalty for refusing to cooperate with the Office of the Data Protection Commissioner (ODPC).

According to the ODPC, WhitePath failed to comply with an enforcement notice dated January 10, 2023, while Regus Kenya was non-cooperative and ignored multiple complaints, reminders and an enforcement notice.

The Data Commissioner, Immaculate Kassait, sternly emphasised that it’s the responsibility of every company to prioritise protecting personal data and challenged businesses to do so by design and by default.

Headache of unregulated digital lenders

In the latest positive development, the Data Protection Commissioner Immaculate Kassait has revealed the investigations following complaints over digital lenders who have breached the confidentiality of personal information.

The firms are accused of resorting to “debt shaming” tactics to recover loans.

This includes use of debt collection agents pursuing borrowers either by informing their friends and family using contact information scraped from their phones or by threatening to tell their employers.

The Data Protection Act bars sharing of data with third parties without consent and gives individuals the right to be told when their data is being shared and for what purposes.

“The Office received complaints from data subjects regarding digital money lending applications. Towards this end, my office has commenced investigations on a total of 67 such complaints in line with the office mandate,” Ms Kassait said without divulging additional information.

Scores of unregulated microlenders have invested in Kenya’s credit market in response to the growth in demand for quick loans, where borrowers can get loans in minutes via their mobile phones.

Borrowers share personal information, including their professions and monthly earnings, when registering with digital lenders.

But besides the pursuit of unpaid loans, digital lenders share personal information with data analysing firms and for marketing.

The Central Bank of Kenya (CBK) has previously raised concerns about the abuse of the personal data of borrowers and called on lawmakers to fast-track legislation to provide for the regulation of digital lenders.

Lobbies that had petitioned Parliament during the review of the Bill also said that loan applications are private affairs that should be treated as confidential information.

Digital lenders have saddled borrowers with high-interest rates, which rise up to 520 percent when annualised, leading to mounting defaults and an ever-ballooning number of defaulters.

The Data Protection Act further compels firms to disclose to individuals and customers the reasons for collecting their data and ensure that the confidential information is safe from infringement by unauthorised parties.

Offences under the Data Protection Act attract a fine of up to Sh5 million and or imprisonment for a term not exceeding to 10 years or both.

“Infringement of provisions of the Kenya Data Protection Act (DPA) will attract a penalty of not more than Sh5 million or, in the case of an undertaking, not more than 1 percent of its annual turnover of the preceding financial year, whichever is lower,” the Act says.

“Individuals will be liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.”

Scores of unregulated microlenders have invested in Kenya’s credit market in response to the growth in demand for quick loans, where borrowers can get loans in minutes via their mobile phones.

The firms are accused of resorting to “debt shaming” tactics to recover loans.

This includes use of debt collection agents pursuing borrowers either by informing their friends and family using contact information scraped from their phones or by threatening to tell their employers.

The Data Protection Act bars sharing of data with third parties without consent and gives individuals the right to be told when their data is being shared and for what purposes.