Safaricom PLC, Kenya’s biggest telecommunications company, is facing a major legal test as it heads to the High Court over allegations of sharing personal data of 11.5 million subscribers without consent.
The move comes after negotiations to reach an out-of-court settlement between the company and the complainants fell apart last week, setting the stage for what could become one of the most significant data privacy cases in Kenya’s history.
The case began after a 2023 incident in which two former Safaricom managers were accused of transferring sensitive customer information to businessman Benedict Kabugi Ndung’u. The data reportedly included personal details such as names, identification numbers, phone contacts, location information, and even gambling histories.
According to court documents, the businessman is alleged to have sold the data to a sports betting company for commercial use, raising serious questions about how personal information was handled inside one of the country’s most trusted brands.
Safaricom CEO Peter Ndegwa. Photo Courtesy/Safaricom
The plaintiffs, representing millions of affected subscribers, are demanding that all compromised data be completely destroyed and that the company be held accountable for violating privacy rights guaranteed under the Data Protection Act of 2019.
They argue that Safaricom failed in its basic duty to protect customer information and allowed loopholes that made it easy for internal misuse to occur.
Their lawyers say this case is not only about compensation but also about restoring public confidence in digital systems that hold massive amounts of private data.
Safaricom, on its part, denies systemic failure and maintains that it acted swiftly after discovering the breach. The company says it terminated the two implicated employees, reviewed its data management systems, and tightened its internal controls to prevent similar incidents.
In a public statement, Safaricom emphasized that the breach was an isolated case involving rogue employees acting independently, not a reflection of broader organizational negligence.
The firm insists it remains committed to protecting customer data and complying fully with Kenya’s data protection laws.
Still, many observers see the upcoming trial as a critical moment for Kenya’s digital privacy landscape. The case could determine how strongly companies are held responsible for data protection lapses in the future.
Consumer rights groups and digital privacy advocates have welcomed the court process, saying it could set an important precedent for both corporate accountability and user protection in the digital economy.
Hearings are scheduled to begin on October 23, 2025.
For millions of Safaricom customers, the outcome will be closely watched not only as a test of corporate responsibility but also as a signal of how seriously Kenya’s justice system treats the right to privacy in the digital age.
