ODPC/COMP/436/2023

1. Introduction

Parties:

  • Complainants: 23 individuals including Chepkoech Lorna
  • Respondent: Firch International Company Limited (T/A Pesa Pay)

Core Issue: Unauthorized access to phone contacts and unlawful processing of personal data under Kenya’s Data Protection Act, 2019.

2. Background of Complaint

Allegations against Pesa Pay:

  • Unauthorized access to users’ phone contacts (March 2023)
  • Sending loan repayment demands to non-borrowers
  • Disclosure of personal data to third parties without consent
  • Publishing an employee's personal phone number in the app without consent

3. Key Violations Found

  1. Unlawful Data Collection:
    • Harvested contacts from users' phones without consent from the contacts themselves (the app user's permission grant did not cover them)
    • No mechanism for listed contacts to decline being named as guarantors
  2. Privacy Violations:
    • Posted employee Morris Simba’s personal number on app without consent
    • Failed to remove number despite repeated requests
  3. Regulatory Non-compliance:
    • Obstructed ODPC investigation by refusing service of documents
    • No proper data protection mechanisms for third-party data

4. Respondent’s Defense

  • Claimed contacts were obtained through app permissions
  • Blamed external partners (Gleannmore Ltd & Brites Management) for messages
  • Announced business termination in Kenya to “rectify data processes”
  • Removed Pesa Pay app from Google Play Store as evidence of closure

5. ODPC’s Determination

Legal Basis: Violations of Data Protection Act 2019:

  • Section 26: Data subjects' rights to be informed, to access their data, and to object to processing
  • Section 28(1): Personal data not collected directly from the data subjects concerned
  • Section 61(a): Obstruction of the Data Commissioner

6. Final Ruling

  1. Respondent found liable for data protection violations
  2. Enforcement notice issued against Firch International
  3. Right to appeal to High Court of Kenya preserved

7. Significance of the Case

This landmark ruling establishes important precedents in Kenyan data protection law:

  • Third-Party Data Protection: Clarifies that consent obtained from an app user does not extend to the people in that user's contact list; each of those individuals is a data subject in their own right, and the controller must obtain consent from (and collect data directly from) them.
  • Accountability for Partners: Affirms that data controllers remain responsible for violations committed by their service providers/partners.
  • Employee Privacy Rights: Reinforces that employees’ personal data cannot be used for business purposes without explicit consent.
  • Regulatory Authority: Demonstrates ODPC’s willingness to enforce compliance, including against fintech companies.
  • Global Implications: Sets a benchmark for digital lending apps in emerging markets regarding contact harvesting practices.


Ian Olwana supports African organisations in turning data protection laws into practical, sustainable governance practices.

http://datagovernance.africa
