NAIROBI, Kenya Apr 21 – The High Court will on May 13 deliver its judgment in a high-stakes petition accusing Safaricom PLC of failing to protect subscriber data in a breach said to have affected more than 11.5 million users.
The case, now awaiting determination, follows the conclusion of oral and written submissions by all parties.
A group of subscribers has moved to court alleging that the telecommunications firm neglected its obligations as a data controller, exposing sensitive personal information to unauthorized access and misuse.
In their filings, the petitioners claim that between 2018 and 2019, Safaricom’s systems were infiltrated through what they describe as a sustained and coordinated operation involving rogue employees.
They allege that the employees accessed confidential subscriber data without authorization and shared it with third parties, including betting companies, for profit.
Court documents reference internal communications, including WhatsApp messages, which the petitioners argue point to deliberate and widespread data harvesting rather than isolated misconduct.
Represented by lawyer Mola Kimosop, the subscribers maintain that the company failed to implement adequate safeguards, allowed unrestricted internal access to sensitive data, and should therefore bear responsibility.
They further argue that the alleged breach was systemic, infringing on constitutional rights to privacy, dignity, and consumer protection.
Safaricom has dismissed the claims, describing the petition as an abuse of the court process and calling for its dismissal.
The company argues that similar issues are already being litigated in other proceedings, including civil, constitutional, and criminal cases stemming from the same alleged breach.
Relying on the precedent set in Satya Bhama Gandhi v Director of Public Prosecutions & 3 Others, Safaricom contends that pursuing multiple cases on the same matter amounts to forum shopping and undermines judicial efficiency.
The telecommunications firm has also challenged the strength of the evidence presented by the petitioners.
It argues that there is no proof linking the individual claimants to the alleged breach, noting that reliance on general assertions and M-Pesa transaction records does not establish that personal data was accessed or shared.
Safaricom further disputes the existence of the alleged dataset of 11.5 million subscribers, stating that no credible or admissible evidence has been produced to confirm its compilation or distribution.
A key affidavit by Benedict Kabugi has also been contested, with the company arguing it is procedurally flawed and unreliable. Safaricom notes that Kabugi is facing criminal charges related to the same matter, raising questions about the credibility of his testimony.
At the core of the case is whether Safaricom can be held accountable for the alleged actions of its former employees.
The company maintains that the individuals acted outside the scope of their employment and for personal gain, and therefore it cannot be held vicariously liable for their conduct.
The court’s decision is expected to clarify the extent of responsibility borne by corporations in safeguarding user data, particularly in cases involving insider breaches.