In a significant judgment for privacy rights in Kenya, the High Court recently upheld a Ksh 900,000 fine against Credit Watch Investment Limited, a digital lender accused of privacy violations. The judgment highlights the accountability of financial service providers in safeguarding customer data and respecting the legal framework under Kenya’s Data Protection Act of 2019. The case, Credit Watch Investment Limited v. Peter Mbugua & 2 others, underscores the importance of informed consent and the limitations on how lenders can collect, use, and manage personal data.
Background of the Case: Unsolicited Messages and Harassment
The case arose from complaints filed by three respondents—Peter Mbugua, Timothy Ngome, and Aggrey Timothy—who alleged that Credit Watch listed them as guarantors without their consent. According to the complainants, the digital lender sent multiple unsolicited messages and made repeated calls demanding that they ensure the payment of loans taken by a third party. This pressure included veiled threats, causing the respondents significant distress.
The Office of the Data Protection Commissioner (ODPC) found that Credit Watch’s actions breached the Data Protection Act by failing to obtain consent to use the complainants’ data as emergency contacts. Consequently, the ODPC fined the lender Ksh 300,000 for each complainant. Dissatisfied with this outcome, Credit Watch appealed to the High Court, arguing that the ODPC’s decision was erroneous.
Key Legal Issues and the Court’s Analysis
The High Court identified two main issues: whether Credit Watch had met its obligations under the Data Protection Act and whether the compensation awarded by the ODPC was excessive. The court upheld the ODPC’s decision, finding that the lender had not met its legal obligations.
- Violation of Data Protection Rights: Credit Watch argued that the onus to secure consent from emergency contacts fell on the loan applicants, not on the lender. However, the court emphasized that under Section 28 of the Data Protection Act, data controllers must collect personal data directly from the data subject or ensure they have consent when collecting it indirectly. Here, Credit Watch did neither, failing to notify or seek consent from the complainants.
- Use of Personal Data Beyond Authorized Purposes: The lender’s assertion that emergency contacts were solely for locating defaulters was undermined by evidence of repeated communications urging the respondents to settle the debts, with implied consequences for non-compliance. The court found this went beyond the acceptable use of data, underscoring the complainants’ right to be informed about the intended use of their data.
- Justification for the Fine: Regarding the fine, the court found no fault in the ODPC’s discretion, given that the distress caused by Credit Watch’s actions constituted grounds for financial and emotional compensation under Sections 65 and 26 of the Data Protection Act.
Final Determination and Orders
The court dismissed the appeal and upheld the ODPC’s fine of Ksh 300,000 per complainant, totaling Ksh 900,000, reiterating that Credit Watch’s conduct constituted a serious privacy breach.
Conclusion: A Call for Accountability in Data Handling
This case sets a precedent for digital lenders and other entities handling personal data in Kenya. The determination underscores data controllers’ duty to secure consent and act transparently, holding them accountable for any distress or harm caused by violations. The court’s decision reinforces the protections under the Data Protection Act and sends a strong message to digital lenders about respecting data privacy laws.
For more insights into data protection compliance, sign up for our newsletter at Mbuchi & Associates Advocates. Our team provides comprehensive data protection advisory services to help your organization navigate and adhere to these critical legal obligations.
