In a courtroom revelation that could redefine the debate on privacy in Kenya, a Safaricom officer admitted to releasing a student’s personal data to the Directorate of Criminal Investigations (DCI) without a court order.
The admission came during proceedings in the case of student David Mokaya, where the officer testified that he acted on a DCI letter dated November 14, 2024, requesting the student’s contact details. He further conceded that he neither questioned the reason for the request nor demanded a court order before handing over the data.
This testimony directly contradicts Safaricom’s long-standing public assurances that it only shares subscriber information when compelled by a court order.
Who Should Be Held Responsible?
The revelation has ignited heated debate in legal and data protection circles. The central question: Who bears liability – the individual employee or the corporation?
- Primary Liability: Under the Kenya Data Protection Act (KDPA), Safaricom, as the data controller, carries primary responsibility.
- Individual Liability: Employees may also face sanctions if they knowingly act outside the law. “Orders from above” cannot excuse criminal conduct.
Observers note the officer’s casual account suggests the practice may not have been an isolated incident. If proven to be routine, this could open the door to class action litigation and even directors’ liability under Kenyan law.
The Bigger Picture: A Systemic Breach of Trust?
Several experts argue the case exposes systemic weaknesses:
- Routine Requests Without Oversight: The officer’s testimony suggests a culture where police letters are treated as sufficient authority.
- Weak Internal Safeguards: Telcos are legally required to put in place systems that prevent such lapses.
- Criminal Sanctions Possible: Company leadership could face criminal penalties if systemic non-compliance is established.
As one analyst put it: “It should be ingrained in employees to ask for a court order before extracting and handing over personal data.”
Privacy vs. Security – The Legal Tightrope
Kenya’s laws recognize that privacy is not absolute. At least three statutes allow for lawful interception in national security cases – but only with judicial oversight. The Safaricom case exposes the danger of bypassing these safeguards.
Some commentators argue that telcos should publish transparency reports, as global tech giants do, to educate subscribers and manage public perception. Others warn that, even with disclosure, mass surveillance risks remain frighteningly high.
One voice compared the situation to the U.S. welfare system described in Virginia Eubanks’ book Automating Inequality, where state access to citizen data enabled patterns of discriminatory policing and control.
Why This Case Matters
The Mokaya case underscores the urgent need to:
- Strengthen enforcement of the KDPA to deter unlawful disclosures.
- Demand transparency from telcos and state agencies alike.
- Push back on blanket legal powers that would give state agencies unfettered access to personal data.
Until then, millions of Kenyans remain vulnerable to quiet data handovers—without their knowledge, without oversight, and without recourse.
This isn’t just about one student’s data—it’s about whether every Kenyan’s phone number, location, and digital footprint can be served up to state agencies at the stroke of a pen.