Judgement in data breach case against Safaricom set for May 13

The case comes after the close of both oral and written submissions by all parties, with a group of subscribers claiming the telecommunications giant failed in its duty as a data controller to safeguard sensitive personal information.

The petitioners argue that between 2018 and 2019, Safaricom’s systems were compromised through what they describe as a prolonged and coordinated scheme involving rogue employees. 

According to them, the employees unlawfully accessed and extracted subscriber data, which was then allegedly shared with third parties, including betting companies, for commercial gain.

"WhatsApp chat messages by the Respondent’s employees reveal more than just ordinary data harvesting and hawking. It shows that Respondent had granted unlimited access to its employees to violate personal data...," reads the court documents.

Through Mola Kimosop Advocates, the petitioners argue that the Respondent failed to put any safeguards in place for the subscribers’ data, allowed its employees to access, sell and equally benefit in the illegal scheme and therefore the company must take responsibility

Austin Taabu and 10 others contend that the breach was systemic rather than incidental, and that it violated their constitutional rights to privacy, dignity, and consumer protection.

"Respondent, as Kenya’s dominant telecommunications provider and data controller, systematically harvested, commercialised, and disseminated the most intimate personal, financial, betting, and geolocation data of 11.5 million subscribers over a sustained period, not just the isolated incident of May 2019, for commercial gain, while failing to implement even the most basic safeguards. This atrocious, profit-driven violation of Articles 28, 31(c) & (d), and 46 demands the strongest vindication under Article 23(3) of the Constitution," reads the submissions.

However, Safaricom has strongly opposed the petition, terming it a “textbook case of abuse of court process” and urging the court to dismiss it in its entirety.

In its submissions, the company argues that the matter has already been the subject of multiple ongoing proceedings, including a previously filed constitutional petition, civil suits, and a criminal case arising from the same alleged data breach.

 Safaricom maintains that filing parallel or successive suits on the same subject amounts to forum shopping and undermines the efficient administration of justice.

The company further points to Satya Bhama Gandhi v Director of Public Prosecutions & 3 Others to argue that litigants should not pursue multiple processes simultaneously in a bid to secure a favourable outcome.

Safaricom also challenges the evidentiary basis of the petition, arguing that the subscribers have failed to prove that their personal data was part of any alleged breach. It says the petitioners relied on general claims and M-Pesa transaction statements, which do not establish that their data was accessed or shared.

The telecommunications firm further disputes the existence of the alleged 11.5 million subscriber dataset, stating that no admissible evidence has been produced to prove that such a dataset was ever compiled or transmitted.

A key point of contention is the affidavit of Benedict Kabugi, which the petitioners rely on. Safaricom argues that the affidavit is inadmissible since it was introduced as an annexure rather than formally filed, and that Kabugi is neither a party to the case nor an independent witness.

The company also notes that Kabugi is facing criminal charges linked to the same alleged breach, arguing that his testimony is self-serving and should not be relied upon.

On liability, Safaricom maintains that it cannot be held constitutionally responsible for the criminal acts of former employees, arguing that the actions fell outside the scope of their employment and were carried out for personal gain.

The company argues that those employers are not vicariously liable for employee actions undertaken as part of personal criminal schemes unrelated to official duties.