Digital lenders are committing serious data privacy violations, mostly to recover defaulted loans, contrary to the Data Protection Act.
Investigations reveal that the lenders also employ agents on commission basis and instruct them to harass and even abuse the borrowers for them to pay the loans.
In one of the cases, Justice Joe Omido Mkutu on November 8, upheld an award of Sh900,000 issued by the Office of the Data Protection Commissioner (ODPC) against a Credit Watch Investment Limited (CWIL) for violating the right to privacy of three people listed by a defaulter as emergency contacts.
The ruling comes barely a fortnight Azura Credit, which operates as TruePesa, was yet again found culpable of data privacy violation just a month after it was fined Sh250,000 for a similar violation.
In the case of the CWIL, the court noted that the calls made by the Digital Lender went beyond making a follow up on the whereabouts of the borrower in the event that they could not reach him on phone. “The purpose of collecting the contacts and personal data of other people from the borrower is to follow up on the whereabouts of the borrowers in the event that they cannot be reached on phone,” states the ruling.
The Judge further ruled that the incessant calls laced with threats amounted to violation of Section 26(a) of Data Protection Act, as there was no information given by the lender to the 3 individuals that the same would be used to pursue the defaulters of the loan and ensure that they paid up.
In the case, Civil Appeal number E014 of 2024, the court was unequivocal that the obligation to inform a data user the use to which his personal data is to be put solely lies with the person or party that so intends to use the data subject’s personal data.
“To take the Appellant’s argument and submission that it used the Respondent’s personal data on the strength of the belief that the borrowers had obtained the Respondents’ consents for such use would be to abrogate the Appellant’s statutory obligations under Section 26(a) of the Act,” Justice Omido ruled.
CWIL had appealed the decision by the ODPC delivered on December 1, 2023 when it was found to have violated the right to privacy and awarded each of the respondents Sh300,000.
Section 26(a) of the Act provides that a data subject has a right to be informed of the use to which their personal data is to be put.
According to Justice Omido, the obligation to inform a data user the use to which his personal data is to be put solely lies with the person or party that so intends to use the data subject’s personal data.
Section 26 of the Act also allows the data subject to access their personal data in custody of data controller or data processor and also to object to the processing of all or part of their personal data.
In the case, it was also noted that the messages should be sent to seek to find out the whereabouts of the borrowers and not to ask them to ensure that the borrower paid up defaulted loans
Most innocent Kenyans who have been harassed by the lenders’ agents have reported their complaints to the ODPC.
Section 8(f) of the Act states that the ODPC shall receive and investigate any complaint by any person on infringements of the rights.
In the case of Azura Credit, data Protection Commissioner Immaculate Kassait issued a notice to the company, instructing it to stop harassing Musa Wesutsa and his senior managers regarding a loan taken out by one of his staff members at an unnamed company.
The complainant lodged a complaint with the ODPC stating that both he and senior officials in his organization experienced harassment from Azura Credit representatives attempting to recover the loan. Investigations by the ODPC revealed that the complainant was listed as a guarantor or referee by the borrower, yet Azura collected his email address and phone number without prior notification or explanation regarding the purpose of the collection.
The Act grants individuals the right to be informed whenever their personal data is collected and the right to request its deletion.
Actions by Azura Credit, which obtained its license from the Central Bank of Kenya (CBK) to operate in the digital credit sector in March this year, disregarded both of these rights.
This recent ruling follows an earlier determination made in July regarding complaints lodged against the company in June for comparable privacy violations.
The earlier ODPC determination also suggested prosecuting the company’s directors for obstructing the data commissioner’s inquiries, reflecting a troubling pattern of non-compliance with data protection regulations.
In one of the complaints reported to the commissioner and the Directorate of Criminal investigations (DCI) mobile lender Instar Cash has been accused of sending dozens of irritating messages to a person who was neither listed as a guarantor nor as a referee.
Preliminary investigations reveal that the managers, in some cases, feign ignorance and even call the clients asking whether they have been harassed by any of their agents.
Email your news TIPS to Editor@kahawatungu.com or WhatsApp +254707482874