about us

Safaricom Cannot Sell Customer Data to Third Parties Without Consent – Ministry

GBR Team 08/01/2020

The Ministry of Information and Communications Technology is fine-tuning data protection regulations and working with the Public Service Commission to develop the job requirements for the Office of the Data Protection Commissioner to begin enforcing Data Privacy Laws in the country.

ICT Cabinet Secretary Joe Mucheru, speaking to GBR on phone, said in the meantime, that telcos like Safaricom would be infringing on customers’ rights if they sold their location-based data to third parties without their consent.

However, the CS noted that all location-based data is given to Safaricom and other platforms willingly when users sign for certain services, and that on that count alone, the companies collecting user data do not infringe on individual’s rights.

This in light of a recent advertisement by Safaricom, Kenya’s largest telco, for qualified bidders to apply for provision of a location tracking and intelligence platform. The Ad has since been pulled down.

The main concern is that the advertised Location Intelligence service would infringe on subscribers privacy by passing on their data to third parties for commercial gain without their consent as per the recently enacted Data Protection Act 2019.

Location Intelligence (LI)

Location intelligence involves the use of customer’s geographical location data, with other information such as age, gender, income status, spending habits and so on, to create profiles that businesses can use to target their products to them, or, position their businesses to take advantage of this location information.

Among the big users of this information include telcos like Vodafone, food-chains like KFC, Dominos and Pizza Hut, FMCG companies like Red Bull, furniture makers IKEA, real-estate companies amongst others.

Domino’s for instance uses location intelligence for franchisee planning and site selection for its restaurants in areas with high potential for new business.

“Accurate territories mean we do not waste time and energy marketing to dead addresses or missing out on new opportunities. It also minimises any territory disputes.” Wayne McMahon, CIO, Domino’s Pizza is quoted as saying on the website of PitneyBowes, a company that provides location intelligence software services.

But personal data collected by telcos and sold to third parties has also landed in the hands of, or been resold to unsavoury individuals such as bounty hunters and kidnappers, paedophiles, spouses tracking their partners, criminals and scam artists.

Globally, laws on protection of individuals’ data collected by companies have tightened with the European Union’s General Data Protection Regulation leading the way. In the US, efforts are underway to pass a Federal Law that would criminalize the sale of location data by telcos to third parties.

Safaricom Massive Data Chest on Kenyans

With the explosion of smartphones, Safaricom has mammoth user data that not only shows location, but also other information such as socio-demographics, foot traffic on certain streets or malls, financial status especially through its MPESA platform including disposable income, spending habits and so on.

According to Safaricom’s Data Privacy Statement issued in October 2019, the other types of data it collects from users include:

“Your identity and SIM-card registration information, including your
name, photograph, address, location, phone number, identity
document type and number, date of birth, email address, age, gender and mobile number portability records.”

Also, your credit or debit-card information, information about your
bank account numbers and SWIFT codes or other banking information.

The company says it also collects:

“Your call data records: phone numbers that you call or send messages to (or receive calls and messages from), log of calls, messages or data sessions on the Safaricom network and your approximate location.”

All this works out to a massive treasure trove of personal data collected and processed over the years from its more than 27 million subscribers.

Monetization of the Data

Using Business Intelligence methods, Artificial Intelligence and Geographical Information Systems, Safaricom can create rich visualizations of user-location information that businesses can use to readily target customers or set up businesses in prime locations.

Personal Privacy Protection

Article 31(d) of the constitution of Kenya grants individuals the right not to have the privacy of their communications infringed.

From this, the Data Protection Act 2019 was enacted and spells out how companies that collect personal data from individuals should process, store or use that data in order to protect the privacy of individuals.

“If (the data collected) is a part of the service you have asked for, then Safaricom cannot be said to have infringed on your rights,” CS Mucheru, who himself once headed big data miner, Google Africa, told GBR.

“But if they are selling to third parties, then that is not allowed. They would be infringing.”

The CS further said that the ICT Ministry is working with the Public Service Commission, the civil servants staffing body, on the job terms of a Data Commissioner to head the enforcement body for data privacy laws in the country.

Under the Act, the Data Commissioner should hold a degree in Data Science, Law or Information Technology.

According to Mugambi Laibuta, a lecturer at the Kenya School of Law and an authority on Data Privacy and cyber-security laws, the legality of what Safaricom may do with location data would depend on its identifying characteristics for specific individuals.

If sufficiently anonymous, he reckons, it would be within the legal confines of the Act.

“If it is just aggregated data, let’s say, if in Kariobangi we have 10,000 subscriber, then that would be okay,” said Laibuta.

“However, if it will be able to identify specific customers, then that may pose a problem.”

He adds that Safaricom will have to revise or update its Data Policy to conform with the Data Protection Act.

Both CS Mucheru, and Advocate Mugambi Laibuta agree that customers may have to give express consent for their data to be used by third parties especially if it is able to identify them.


The Law

Both the Constitution, and the Data Protection Act both provide for the protection of privacy and especially the protection of personal communication majority of which these days happens electronically through smartphones and computers linked to the intern