
Austine Taabu Musungu & 10 others vs Safaricom PLC

Country: Kenya
Court: High Court of Kenya at Nairobi, Constitutional and Human Rights Division
Status: Judgement
Tags: privacy breaches, data controllers’ duty, vicarious liability

Case Summary

Eleven petitioners lodged a constitutional petition against Safaricom PLC. The Petitioners alleged that the Respondent’s employees unlawfully extracted sensitive personal data, including M-Pesa transactions, identity information and betting behaviour, and disseminated it to third parties for commercial gain. The Petitioners contended that the Respondent, as data custodian, failed to implement adequate technical and institutional safeguards, thereby violating their rights to privacy, dignity and consumer protection. The Respondent, however, maintained that the data breach resulted from independent criminal acts of rogue employees, and objected to the petition in its entirety on the ground that it created a multiplicity of proceedings, given the ongoing Criminal Case No. 962 of 2019 and No. 979 of 2019, HCC No. 194 of 2019 and HCCPET No. 247 of 2019, which concern the same subject matter as the present case.

Issues for Determination

  1. Whether the petition was incompetent, an abuse of the Court process, or barred by reason of the alleged multiplicity of proceedings.
  2. Whether a data breach involving subscriber information held by the Respondent occurred between 2018 and 2019 and, if so, whether that breach resulted in the extraction, processing or dissemination of the Petitioners’ personal data in violation of constitutional guarantees.
  3. Whether the Respondent bore constitutional, statutory or vicarious liability for the alleged acts of its employees in relation to the data breach.
  4. Whether the Petitioners established a violation of their constitutional rights to privacy, dignity and consumer protection.

Determination

The judge ruled in favour of the Petitioners, finding Safaricom PLC constitutionally liable for the data breach and dismissing the argument that the parallel proceedings rendered the petition an abuse of process. The Court found that a systemic, large-scale breach occurred between 2018 and 2019 and expressly rejected Safaricom's "rogue employee" defence, holding that Article 31 of the Constitution imposes a positive, non-delegable duty on data controllers to safeguard the information they hold. The Judge further held that the unauthorized exposure of financial and betting records infringed the rights to dignity and consumer protection, and clarified that the resulting psychological distress, stigma and reputational harm are legally sufficient to ground an award of damages for a data breach without proof of direct financial loss. While the Court declined to establish the requested global compensation fund for the wider base of 11.5 million subscribers, it awarded each of the eleven named Petitioners KShs 900,000 in general damages, together with interest and the costs of the suit.

Analysis

This case highlights the affirmative and non-delegable duty of data controllers to protect the informational privacy of their data subjects against both external and internal threats. The Respondent failed to meet its constitutional obligations under Article 31, which guarantees that personal information is not unnecessarily revealed and therefore requires custodians to implement robust safeguards. The unauthorized access to, and dissemination of, sensitive subscriber data, including M-Pesa transaction records and betting patterns, to third parties also violated Article 28, which guarantees that the inherent dignity of every person shall be respected and protected.

By allowing a systemic breach affecting its subscribers, the Respondent violated the rights to privacy (Article 31) and to consumer protection (Article 46) under the Constitution of Kenya. Its failure to implement rigorous data protection systems against the risk of insider exploitation underscores that an institution remains accountable for the actions of its employees. The Court’s award of KShs 900,000 in damages to each Petitioner further emphasizes that a violation of privacy is a substantive injury warranting meaningful judicial relief, affirming the sanctity of personal data.

The judgement reinforces the need for telecommunication providers and other large-scale data controllers to implement rigorous data governance measures, maintain transparency, and ensure that the digital systems they deploy to consumers do not expose those consumers to latent risks of data misuse.

Frequently Asked Questions

A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, whether wholly or partly by automated means or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, and prevention of use.

Data controller: a natural or legal person who determines the purposes and means of processing personal data and is accountable for establishing and administering the data filing system.

Data processor: a natural or legal person who processes personal data on the basis of, and within the limits of, a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: personal data must be processed fairly and lawfully; it must be accurate and kept up to date; it must be processed for specified, explicit and legitimate purposes; it must be adequate, relevant and not excessive in relation to the purposes for which it is processed; and it must be retained only for the period specified by law, or for no longer than is necessary for the purposes of the processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.