Why Safaricom Cannot Sell Customer Data to Third Parties Without Consent

Why Safaricom Cannot Sell Customer Data to Third Parties

Kenya’s biggest telecoms firm Safaricom plans to monetise data from its over 35 million active customers database.

However, the Ministry of Information and Communications Technology says this will not be possible as it would be infringing on customers’ rights if they sold their location-based data to third parties without their consent.

This follows the telco’s announcement to pre-qualify suppliers of a location tracking and intelligence platform.

In its bid notice, the telco said: “Safaricom has enjoyed rapid growth since her inception largely driven by the innovation and delivery of new and sophisticated services riding on telephony and data services.”

“The growing ecosystem of electronic devices and machines communicating with each other from all corners of the world via mobile networks has prompted the development of the embedded SIM (eSIM or eUICC) technology, which represents the major evolution of the SIM card technology in the last 20 years.” 

Embedded Universal Integrated Circuit Card offers users the ability to change service provider over-the-air (OTA), without needing to physically change the embedded SIM card itself

“Consequently, the evolution of the mobile network and devices has enabled Safaricom to gather information from the connected devices. At the core of any reliably connected device is an accurate location intelligence system.”

ICT Cabinet Secretary Joe Mucheru, who spoke to GBR  said all location-based data is given to Safaricom and other platforms willingly when users sign for certain services, and that on that count alone, the companies collecting user data do not infringe on individual’s rights.

“If (the data collected) is a part of the service you have asked for, then Safaricom cannot be said to have infringed on your rights,  but if they are selling to third parties, then that is not allowed. They would be infringing,” said the CS.

Currently, Safaricom collects and stores personal data, but is not limited to: 

“Your identity and SIM-card registration information, including your name, photograph, address, location, phone number, identity document type and number, date of birth, email address, age, gender, and mobile number portability records,” as per Safaricom Data Privacy Statement and much more.

When it comes to disclosure of ones’ information, Safaricom does so in accordance with applicable law and regulations. 

However, Disclosure of Information subsection 4.2 (h), the telco says it can disclose ones’ information to, “Any other person that we deem legitimately necessary to share the data with.”

The Data Protection Act, 2019 creates a  legal framework for the use of personal data processed on or related to individuals and both public and private entities.

The law gives effect to Article 31(c) of the Constitution, which outlines the right of every person not to have “information relating to their family or private affairs unnecessarily required or revealed” and Article 31(d), the right not to have “the privacy of their communications infringed”.

READ:

The law establishes the office of a Data Protection Commissioner, which will oversee the implementation of and be responsible for the enforcement of the legislation.

The role of the office of the Data Protection Commissioner includes overseeing the implementation of the Act, establishing and maintaining a register of data controllers and data processors, exercising oversight on data processing operations, receiving and investigating any complaint by any person on infringement of the rights under the Act.