NAIROBI, Kenya May 14 – Safaricom PLC has been dealt a major legal blow after the High Court ordered the telecommunications company to compensate 11 subscribers for violating their constitutional rights in a landmark data privacy case linked to one of Kenya’s biggest alleged customer information breaches.
In the ruling delivered by Justice Bahati Mwamuye, the court awarded each petitioner Sh900,000 in general damages, translating to a total payout of Sh9.9 million, excluding interest and legal costs.
The judge also directed that the compensation amount will continue to accrue interest until the money is fully paid and ordered the company to bear the costs of the petition.
The case was filed by Austin Taabu alongside 10 other complainants, who accused Safaricom of failing to protect customer data during an alleged large-scale breach said to have compromised information belonging to more than 11.5 million subscribers between 2018 and 2019.
Court filings indicated that the petitioners alleged the breach was orchestrated through a coordinated operation involving rogue staff members who allegedly gained unauthorized access to subscriber records and shared the information with external parties, including betting companies, for profit.
The complainants argued that Safaricom neglected its obligations as a data controller by failing to establish adequate safeguards to protect customers’ private information from internal misuse.
According to documents presented before the court, WhatsApp conversations involving some employees allegedly demonstrated widespread and unchecked access to confidential subscriber information.
The petitioners, represented by Mola Kimosop Advocates, argued that the incident was not an isolated occurrence but reflected systemic failures within the company’s data protection framework.
They maintained that the breach violated constitutional protections relating to privacy, human dignity and consumer rights as provided under Articles 28, 31(c) and 46 of the Constitution.
The court heard that sensitive personal details, including financial records, betting activity and geolocation data, were allegedly accessed and exploited without subscribers’ consent or sufficient security measures.
Justice Mwamuye ultimately found that Safaricom had infringed on the constitutional rights of the petitioners and awarded damages in their favour.