In a landmark ruling last week, Justice Joe Omido Mkutu upheld an award of Ksh 900,000 against Credit Watch Investment Limited (CWIL) for violating the privacy rights of three individuals listed by a borrower as emergency contacts. This ruling follows a similar decision in which Azura Credit, operating as TruePesa, was found guilty of data privacy violations and fined Ksh 250,000 for a similar infraction just a month earlier
Digital lenders in Kenya are under scrutiny for serious data privacy violations, with recent investigations revealing disturbing practices aimed at recovering defaulted loans in breach of the Data Protection Act. These lenders, often relying on agents paid on commission, have been accused of instructing agents to harass, abuse, and threaten borrowers to force repayment, putting both the lenders and their agents in direct violation of data protection laws.
In a landmark ruling last week, Justice Joe Omido Mkutu upheld an award of Ksh 900,000 against Credit Watch Investment Limited (CWIL) for violating the privacy rights of three individuals listed by a borrower as emergency contacts. This ruling follows a similar decision in which Azura Credit, operating as TruePesa, was found guilty of data privacy violations and fined Ksh 250,000 for a similar infraction just a month earlier.
The court found that CWIL’s actions went beyond merely trying to reach the borrower by phone. The company had used the personal information of the emergency contacts for the sole purpose of pressuring the borrower into paying a defaulted loan. Justice Omido ruled that CWIL’s failure to inform the emergency contacts about how their data would be used violated Section 26(a) of the Data Protection Act, which mandates that individuals must be informed about the specific purposes for which their data will be processed.
“To claim that CWIL used the emergency contacts’ data based on the assumption that they had consented is a clear violation of the Act,” said Justice Omido in his ruling. “The obligation to inform individuals about the use of their personal data lies solely with the party collecting it.” The court had previously ordered CWIL to compensate the three individuals Ksh 300,000 each for violating their right to privacy.
These violations are not limited to CWIL. In a similar case, Azura Credit was found to have harassed a complainant, Musa Wesutsa, and his senior managers over a loan taken by one of his employees. Despite not being listed as a guarantor or referee, Wesutsa’s data, including his email and phone number, was collected by the lender without prior notification or consent. This prompted the Office of the Data Protection Commissioner (ODPC) to issue a stop order against the company, instructing it to cease the harassment.
The company, licensed by the Central Bank of Kenya (CBK), has faced multiple complaints about privacy violations, including one that suggested prosecuting its directors for obstructing investigations by the ODPC. Azura Credit’s practices, such as using borrowers’ data to harass unrelated individuals, are in clear contravention of the Data Protection Act, which guarantees the right to be informed and to object to the use of personal data.
Another mobile lender, Instar Cash, has also faced complaints of sending numerous harassment messages to a person not listed as a borrower’s guarantor or referee. Despite initial denials, investigations suggest that managers of such companies may be turning a blind eye to these abuses or attempting to cover them up, sometimes feigning ignorance or claiming that affected clients were “harassed by rogue agents.”
The rise in data privacy violations and the harsh tactics employed by digital lenders in Kenya highlights a growing concern over consumer rights in the country’s rapidly expanding digital finance sector. The Data Protection Act, which came into effect in 2019, provides a framework for protecting individuals’ data, yet many digital lenders continue to flout these regulations, undermining the trust of borrowers and leading to multiple complaints lodged with the ODPC.
As investigations continue, consumers are being urged to report any harassment or misuse of personal data, while the ODPC intensifies efforts to hold companies accountable for their actions.
