In January this year, the High Court allowed potentially millions of Safaricom subscribers to join a class action suit against the telco over a clause in the SIM card registration rules that allows the corporate to collect bank details of mobile phone users.
The suit sought to strike out Clause 3.2.1 in the data privacy statement, which subscribers filled as part of the re-registration process, which states that the telecoms operator can “collect and store information including credit or debit card information, information on bank account numbers, Swift codes or other banking information”.
Justice Chacha Mwita allowed lawyers Wilfred Nderitu and Charles Kanjama to invite other subscribers to the class action suit through the press, to push for Safaricom to delete the clause. The judge directed the lawyers to publish a notice in a daily newspaper, inviting Kenyans who may wish to join the suit to do so.
The offensive clause appears in a 58-page document that has the terms and conditions attached to the 2022 update of SIM card registrations.
Nderitu and Kanjama argued that Safaricom’s dominance of the Kenyan mobile market had forced subscribers to accept the clause, arguing that users had no leverage to decline that requirement.
Safaricom’s market share stood at 66 percent in September 2022, while that of rivals Airtel and Telkom Kenya stood at 26.3 percent and 4.9 percent respectively.
“The stringent mechanisms and crafty ways of collecting data without assurance of data security are precipitated by the thought that its clients have no option but to opt-in for them to continue enjoying the products and services that it offers,” the petitioners argued.
In December 2022, Access Now wrote to Safaricom to demand the erasure of all biometric data collected in the sim-card re-registration exercise ordered by the Communications Authority (CA) in February 2022. CA ordered the exercise in accordance with the Kenya Information and Communications (Registration of Sim-Cards) Regulations 2015, which directed Mobile Network Operators to ensure that registration details of all subscribers are fully updated by April of last year. The exercise was meant to ensure 100 percent compliance with the SIM Card Registration Regulations, which, among other things, require operators to retain a copy of identification documents of every subscriber.
Access Now — a non-profit with a mission to defend and extend the digital civil rights of people around the world — argued that Safaricom demanded excessive personal information, including private biometric data, for people to use its services, describing the demand as ‘nothing less than unconscionable’.
“As one of the nation’s leading internet providers, the company wields the power to control the communication of millions of people, and must put human rights above all. Safaricom should be setting the privacy gold standard, not dragging the industry through the mud,” said Jaimee Kokonya of Access Now.
Five months before CA ordered sim card re-registration, Safaricom had begun sending messages to people subscribed to mobile services requiring them to update their SIM card registration details by bringing their identification documents to its authorized outlets. Under the threat of disconnecting those who failed to comply, this directive included a demand for invasive facial biometrics. The company alleged this requirement was in line with new regulations from the Communications Authority of Kenya (CA); it was not, which made the subsequent collection of that data illegal.
“When we see private companies manipulate laws and regulations with unclear motives, governments must intervene,” said Bridget Andere, Africa Policy Analyst at Access Now. “Safaricom must be held responsible for its illegal acquisition of private information — information it now controls, and is ripe for exploitation and manipulation.”
It must be noted that the telco was not acting alone in this breach of rights. CA originally directed the collection of biometrics but rectified its wrongful interpretation of the law after public uproar. SIM card registration in Kenya has been regulated by law since 2015, and only requires operators to collect basic information such as names, dates of birth, addresses, and copies of identification documents. The requirement for biometric therefore had no standing within the existing legal frameworks.
It was on these broad bases that Nderitu and Kanjama initiated a class action suit that sought to compel Safaricom to uphold the right to privacy by deleting all biometric data collected in the re-registration exercise. Safaricom opposed the class action suit but the judge agreed to the invitation of other subscribers to challenge the giant telco.
This is the second class action suit brought against Safaricom and the CA, after a customer sued both body corporates over SIM Swap fraud that has seen scammers drain millions of shillings from the mobile phone subscriber’s bank accounts. The case, where businessman Abdi Zeila wants the CA to be found negligent of its regulatory duties by allegedly failing to ensure Safaricom is providing services that are secured from fraudsters, is pending before the high court.
In his ruling, Justice Mwita also directed Safaricom and the CA to file their defence within seven days in the class action suit related to the bank details, pending a March 14 mention date.
The petitioners hold that Clause 3.2.1, in allowing Safaricom to collect his personal financial information with his knowledge and consent whenever he carries out mobile banking services through the telecom’s operator, violated their rights to data privacy, and sought temporary orders stopping Safaricom from effecting the data privacy statement to prevent further violation of their rights.
“That as a giant telecommunications company, the first defendant is aware of its market dominance and widespread use across the country. Further, it is aware that it has the biggest customer base among the telecommunications companies in Kenya, further leading to high reliance by the citizenry,” avers Mr Nderitu in his affidavit filed in court.
Mr Nderitu says when he registered his line over two decades ago, he gave his identity card to an authorized dealer and was successfully registered. But on October 15, 2022 he received a message telling him to register his number and thought it was a mistake.
He registered the line but says the process unreasonably burdened him as a subscriber to ensure the SIM card is registered yet Safaricom has all the details required for the purpose.
“This does not rhyme with my legitimate expectation that once I have registered and been on-boarded onto the platform, the 1st defendant [Safaricom] has a duty to ensure that I enjoy unfettered access to the products and services for as long as I pay the predetermined rates,” he says. (