In a digital age where data privacy is paramount, allegations that a major telecommunications provider—Safaricom—shared student data with the police without legal authorization have sparked outrage and concern across Kenya. Safaricom, known for its dominant market presence, has firmly denied such claims, insisting that customer information is only disclosed when a valid court order is presented. This blog delves into the controversy, examines the evidence, highlights stakeholder concerns, and explores the broader implications for privacy rights.
The Allegations: What Sparked Public Outcry?
Amid growing unrest and protests, social media exploded with accusations that Safaricom handed over student subscribers’ personal data—possibly including call detail records (CDRs) and location information—to police agencies without any court order. These claims were especially inflammatory given Kenya’s troubled history of enforced disappearances and extrajudicial actions.
Although the original Daily Nation article could not be accessed in full due to technical restrictions, widespread concerns over surveillance and unauthorized data sharing were already permeating public discourse.
Safaricom’s Response: Denials and Reaffirmations
Safaricom has consistently responded to these allegations by asserting strict adherence to Kenya’s data protection laws. The company emphasized that it only shares customer data when explicitly required via a court order. They reiterated this position multiple times across various media outlets:
In a statement dated 25 June 2024, Safaricom declared they had not received any court order to share customer data with any government agency .
On Wednesday, 31 October 2024, Safaricom stated again that customer data is safeguarded unless a valid court directive is issued, and clarified that CDR systems cannot provide real-time location tracking—those records are generated post-call or SMS .
Following allegations around the Gen Z protests, CEO Peter Ndegwa affirmed Safaricom would only release information upon a court request and emphasized compliance with the Data Privacy Act .
Investigative Reports and Human Rights Concerns
Despite Safaricom’s repeated assurances, investigative reports and rights organizations have raised serious questions:
A Daily Nation investigation published in October 2024 alleged that Safaricom, in collaboration with a UK-based firm (Neural Technologies), enabled near-unrestricted access to customer CDRs for law enforcement—sometimes without court orders—and that these records were used to track, abduct, or even facilitate extrajudicial killings of suspects. The telco also allegedly provided inconsistent or falsified court submissions in some cases .
Responding to this, KHRC (Kenya Human Rights Commission) and MUHURI (Muslims for Human Rights) issued an open letter urging Safaricom to address numerous alarming practices, including misuse of data, evidence fabrication, denial of full CDRs, conflicts of interest (through handling by police officers in their Law Enforcement Liaison Office), and routine unauthorized access to sensitive customer data .
These reports underscore a growing concern that private data may be co-opted for state surveillance or human rights abuses, particularly impacting vulnerable groups.
Public Response and Sentiment
Online reaction has been vocal and visceral. A Kenya Talk thread captures public mistrust succinctly:
“As a result, anywhere someone’s data is shared… the consequences are dire.”
Elsewhere, individuals recount personal stories illustrating unauthorized tracking or law enforcement using telecom data to locate people—raising alarm about transparency and accountability .
These discussions reflect not only dissatisfaction with Safaricom but also a broader anxiety about digital privacy amid state oversight.
Legal and Ethical Implications
- Violation of Data Protection Act (2019):
Kenya’s privacy legislation mandates that personal data may only be accessed or shared when legally justified. Unauthorized disclosures breach the act and undermine privacy rights. - Conflict of Interest in Data Handling:
When police officers affiliated with Safaricom manage requests for evidence, questions arise regarding impartiality and potential tampering . - Potential for Rights Violations:
Surveillance without due process heightens risks of wrongful arrest, enforced disappearance, or extrajudicial measures—especially when accused parties cannot access redress. - Impact on Trust and Reputation:
Kenya’s most dominant telecom provider must uphold public trust. Continued allegations—whether proven or not—can damage its social license and invite greater regulatory scrutiny.
Safaricom’s Privacy Credentials
In response to concerns, Safaricom highlighted that it recently received ISO 27701 Privacy Information Management System (PIMS) certification from the British Standards Institute (BSI)—a globally recognized standard for privacy protection frameworks .
While this certification suggests strong internal policies, critics argue that policy cannot replace transparency and accountability in execution.
What Safaricom (and Regulators) Can Do Next
To rebuild trust and address concerns, Safaricom should consider:
Independent audits of data-sharing practices with full transparency and reporting to regulatory bodies.
Establishing clear, public protocols detailing how law enforcement requests are handled, including whether court orders are always verified.
Collaborating with civil society and data privacy watchdogs to oversee future data disclosures and ensure rights are respected.
Engaging with data subjects—especially students and vulnerable groups—to build awareness of their rights and how their data is protected.
Conclusion
The controversy surrounding alleged unauthorized data sharing by Safaricom underscores the urgent intersection between technology, state power, and civil liberties. While the telco insists it operates within the law, investigative reports and rights groups paint a more troubling picture—one that calls for greater scrutiny, accountability, and regulatory oversight.
Moving forward, safeguarding digital privacy should not only be a priority but a practice with enforceable standards. For Kenya to retain public trust in its institutions, both corporate and governmental actors must demonstrate transparency, uphold legal norms, and respect the fundamental rights of citizens—starting with the data that defines us.
