ODPC COMPLAINT NO. 778 OF 2023
1. Introduction
This case involved complaints by Arnold Mwaura and Alex Karanja against Mulla Pride Limited, a digital lender, for unlawful processing of personal data through aggressive debt collection practices.
Table of Contents
2. Nature of Complaints
- 1st Complainant (Arnold Mwaura):
- Received threatening messages about unknown loan
- Listed as referee without consent
- Threatened with CRB listing and occult references
- 2nd Complainant (Alex Karanja):
- Received abusive calls about stranger’s loan
- Contact obtained from borrower’s phonebook
- No prior relationship with lender
3. Respondent’s Defense
- Claims phonebook access requires customer consent
- Contacts only used for reaching referees
- Admits some agents may be “overzealous”
- Denies disclosing data to third parties
- Provides privacy policy as evidence
4. Key Issues
- Consent Verification:
- No evidence of direct consent from complainants
- No opt-out mechanism for referees
- Notification Duty:
- Failed Section 29 DPA notification requirements
- No disclosure of data collection purpose
5. Rights Violations
Section 26 DPA Violations:
- Right to be informed about data use
- Right to object to processing
- Right to protection from unlawful collection
Section 28 Violation: Collected data indirectly from third parties without consent
6. Final Determination
Findings:
- Respondent found liable for unlawful data processing
- Enforcement notice issued against Mulla Pride Limited
- Right of appeal to High Court preserved
7. Significance of the Case
Digital Lending Regulation
- Establishes that digital lenders cannot assume consent from phonebook contacts
- Sets precedent against aggressive debt collection practices using third-party data
- Clarifies that borrowers’ consent doesn’t extend to their contacts
Consent Standards
- Affirms requirement for explicit opt-in mechanisms for referee contacts
- Confirms that indirect collection from phonebooks violates DPA Section 28
- Reinforces burden of proof for consent rests with data controllers
Consumer Protection
- Protects non-customers from harassment by lending apps
- Establishes liability for abusive communication practices
- Provides recourse for victims of unauthorized debt collection
Compliance Requirements
- Mandates proper notification under Section 29 DPA
- Requires lenders to implement proper referee consent systems
- Sets standards for debt collection communication content
Industry Impact: This ruling forces digital lenders to fundamentally overhaul their contact collection and debt collection practices to comply with data protection laws, particularly regarding third-party communications.
For full determination, click 🗃️
