Austine Taabu Musungu & 10 others vs Safaricom PLC
Case Summary
Eleven petitioners lodged a constitutional petition against Safaricom PLC. The Petitioners alleged that the Respondent’s employees unlawfully extracted and disseminated sensitive personal data, including M-Pesa transactions, identity information and betting behaviour, to third parties for commercial gain. The Petitioners contended that the Respondent, acting as a data custodian, failed to implement adequate technical and institutional safeguards, thus violating their rights to privacy, dignity and consumer protection. The Respondent, however, claimed that the data breach was the result of independent criminal acts attributable to rogue employees, and objected to the petition in its entirety, arguing that it gave rise to parallel proceedings because the ongoing Criminal Cases No. 962 of 2019 and 979 of 2019, HCC No. 194 of 2019 and HCCPET No. 247 of 2019 already dealt with the same subject matter as the present case.
Issues for Determination
- Whether the petition was incompetent, an abuse of the Court process, or barred by reason of alleged multiplicity of proceedings.
- Whether a data breach involving subscriber information held by the Respondent occurred between 2018 and 2019 and, if so, whether that breach resulted in the extraction, processing or dissemination of the Petitioners’ personal data in violation of constitutional guarantees.
- Whether the Respondent bore constitutional, statutory or vicarious liability for the alleged acts of its employees in relation to the data breach.
- Whether the Petitioners established the violation of their constitutional rights to privacy, dignity and consumer protection.
Determination
The judge ruled in favour of the Petitioners, finding Safaricom PLC constitutionally liable for the data breach and dismissing the argument that parallel proceedings made the petition an abuse of process. The Court established that a systemic, large-scale breach occurred between 2018 and 2019, explicitly rejecting Safaricom's "rogue employee" defense by ruling that Article 31 of the Constitution imposes a positive, non-delegable duty on data controllers to safeguard information. Furthermore, the Judge held that the unauthorized exposure of financial and betting records infringed upon the rights to dignity and consumer protection, clarifying that the resulting psychological distress, stigma, and reputational harm are legally sufficient to claim data breach damages without proving direct financial loss. Ultimately, while the Court declined to grant the requested global compensation fund for the broader 11.5 million subscribers, it awarded each of the 11 named Petitioners KShs 900,000 in general damages, alongside interest and the costs of the suit.
Analysis
This case highlights the affirmative and non-delegable duty of data controllers to protect the information privacy of their data subjects from both external and internal threats. The Respondent failed to comply with its constitutional obligations under Article 31, which mandates that personal information must not be unnecessarily revealed and requires custodians to implement robust safeguards. Furthermore, the unauthorized access to and dissemination of sensitive subscriber data, including M-Pesa transaction records and betting patterns, to third parties violated Article 28, which guarantees that the inherent dignity of every person must be respected and protected.
By allowing a systemic breach that affected its subscribers, the Respondent violated the rights to privacy and consumer protection under Article 26 of the Constitution of Kenya. Its failure to implement rigorous data protection systems against the risk of insider exploitation highlights the importance of institutional accountability for an employee’s actions. Additionally, the court’s award of damages of Kshs 900,000 to each Petitioner emphasizes that a violation of privacy is a substantive injury that warrants meaningful judicial relief to affirm the sanctity of personal data.
The judgement reinforces the need for telecommunication providers and other large-scale data controllers to implement rigorous data governance measures, maintain transparency, and ensure that the digital systems they deploy to consumers do not expose them to latent risks of data misuse.