News, 15 May 2026 - 23:37

High Court awards 11 subscribers Sh900,000 each in data privacy case

The court concluded that the subscribers' rights to privacy, dignity, and consumer protection were violated.

by JAMES GICHIGI

The High Court has ordered Safaricom PLC to pay Sh900,000 each to 11 subscribers after finding that their constitutional rights to privacy, dignity, and consumer protection were violated.

The petition was filed by Austine Taabu Musungu, Joseph Ojiambo, Sabastian Fredrick Ogoma, George Ogemo, Ann Kongo, Linus Kura, Alex Wang’oma, Martin Ogalo, Augustine Odari, Mwathi Kithinji, and Augustine Onalo Buonya.

According to the judgment, the petitioners moved to court alleging that between 2018 and 2019, Safaricom employees unlawfully accessed and transmitted sensitive subscriber data to third parties, including betting companies, without consent or lawful authority.

“Information includes financial transaction data, betting activity, device identifiers, and geolocation data to third parties without consent or lawful authority,” the judgment states.

They contended that the breach was facilitated by Safaricom's internal controls, which allowed employees unrestricted access to the subscriber database.

The petitioners further relied on forensic material and internal communications to support claims that data was repeatedly shared through platforms such as WhatsApp, Google Drive, and email for commercial gain.

They also pointed to alleged admissions by Safaricom in correspondence with investigative agencies acknowledging internal compromise affecting millions of subscribers.

On liability, the petitioners argued that Safaricom bore both direct and vicarious responsibility for the breach.

They maintained that the telecommunications giant had a non-delegable constitutional duty under Articles 31, 28, and 46 of the Constitution to safeguard personal data.

Safaricom opposed the petition, arguing that it was incompetent and an abuse of court process due to parallel criminal and civil proceedings involving similar allegations.

The company insisted that the alleged breach arose from criminal conduct by former employees acting outside the scope of their employment for personal gain.

It maintained that there was no proof that the petitioners’ specific data had been accessed or compromised, and that forensic materials relied upon were inconclusive and did not establish individualised harm.

“On evidentiary grounds, the Respondent (Safaricom) contends that the Petitioners have failed to demonstrate that their personal data formed part of any allegedly compromised dataset,” court documents add.

The company further argued that its communication to investigative authorities was not an admission of liability but a report of suspected criminal activity.

It also disputed the existence of a verified dataset of 11.5 million affected subscribers, stating that claims of mass exposure originated from third-party assertions rather than authenticated internal records.

In determining the matter, Justice Bahati Mwamuye first dismissed the preliminary objection on abuse of process, holding that although related proceedings existed, the petitioners were distinct parties asserting personal constitutional violations under Articles 22 and 258, and the issues raised extended beyond the scope of the parallel cases.

On evidence, the court found that the petitioners' evidence was sufficiently corroborated by independent records, including internal communications and material produced by Safaricom itself.

According to the judgment, the communications showed that subscriber and betting-related data “was repeatedly disseminated and transmitted to multiple third parties for commercial purposes” between June 2018 and May 2019.

Justice Mwamuye further observed that the communications referenced several alleged recipients of the data, including persons or entities identified as “Andrew”, “Odibet”, “the Mburus”, “Betika”, “Charles”, and “the Mule”.

The court found that there was sufficient evidence of a systemic data breach within Safaricom’s systems during the relevant period.

“In constitutional litigation of this nature, particularly where the Respondent is the exclusive custodian of the relevant data systems, the evidential burden does not remain static,” the judge said.

“Once a prima facie case showing systemic compromise is made, the evidential burden shifts to the data controller to demonstrate the integrity of its systems and the exclusion of the claimants from the affected dataset.”

The court therefore concluded that the subscribers' rights to privacy, dignity, and consumer protection were violated.

As a remedy, it awarded each of the 11 petitioners Sh900,000 in general damages, translating to a total payout of Sh9.9 million, plus costs and interest.

© The Star 2026. All rights reserved