Compliance with the Data Protection Act by Digital Credit Providers

Digital Credit Providers (DCPs) also known as digital lenders, are business entities that provide loan services through the internet, mobile services, applications or other digital systems as may be prescribed by a bank.

Over the past ten years, DCPs have increasingly become popular, their popularity being fueled by high demand for quick credit that can be accessed remotely.  The means used by DCPs for loan recovery have however raised data privacy concerns. These concerns have necessitated regulation by the CBK through the CBK (Digital Credit Providers Regulations 2022 (the DCP Regulations).

On 8^th November 2024 the High Court at Milimani (Hon J. Omido) in Credit Watch Investment Limited v Mbugua & 2 others (Civil Appeal E014 of 2024) [2024] made a determination that will see DCPs be held accountable for breach of their obligations under the Data Protection Act (“the act”). The case arose from an appeal from the Office of the Data Protection Commissioner (“ODPC”)

The Case at ODPC

The complaint before the ODPC commenced by way of complaints by three Claimants, lodged pursuant to section 56 of the Act and Regulation 4 of the Data Protection (Complaints Handling Procedure and Enforcement) Regulations. The complaints against the Respondent -a DCP, regarded the listing of the Claimants by the Respondent as guarantors/ emergency contacts for one -Pascal Mwanje, without their respective consents.

In support of their case, the Claimants produced copies of screenshot messages and phone calls sent to their cellphones by the Respondent demanding that the Claimants reach out to the said mobile loan defaulter as a matter of obligation and ensure that they pay up the defaulted loan amounts. Further, some messages had veiled threats that unspecified action would be taken against the Claimants in the event the loan defaulter did not pay up.

In response to the complaints, the Appellant averred that their customers were required to include emergency contacts during their application process for the loan and further that it was the responsibility of their customers to ensure that the emergency contacts that they provided were aware and had consented to being emergency contacts.

In its determination rendered on 1^st December 2023, the ODPC found in favour of the Claimants. The Respondent was found liable for violating the claimant’s right to privacy and failing to fulfil its obligations under the Act. Consequently, the Respondent was ordered to compensate the complainants to the tune of Ksh.300,000/- to each claimant.

At the High court

Aggrieved by the decision of the ODPC, the Appellant appealed the decision to the High court.

The High court set down the following issues for determination:

1. Whether the Appellant met its obligations under the Data Protection Act, 2019(“the Act”); and
2. Whether the amount assessed and awarded as compensation to the three Respondents was in error and/or inordinately high or excessive

The High court found that the Appellant was a data controller and a data processor within the meaning of Section 2 of the Act. As such, the appellant had an obligation to ensure that the Respondents’ data was protected and processed in accordance with the provisions of Data protection the Act.

The Appellant was found to be in violation of the provisions of the Act as follows:

• Section 28: Which requires a data controller or data processor to collect personal data directly from the data subject;
• Section 26: Which requires a data controller or data processor, before collecting personal data, to in so far as practicable, inform the data subject of the fact that personal data is being collected; and the purpose for which the personal data is being collected. The collected data must also be utilized specifically for the purpose for which it is intended.

The court had the following to say regarding interpretation of the above sections:

“…the obligation to inform a data user the use to which his personal data is to be put solely lies with the person or party that so intends to use the data subject’s personal data. To take the Appellant’s argument and submission that it used the Respondent’s personal data on the strength of the belief that the borrowers had obtained the Respondents’ consents for such use would be to abrogate the Appellant’s statutory obligations under Section 26(a) of the Act.”

Having made a finding that the Respondents’ rights were violated and that they suffered damage as a result of the violation, the court found that the award of compensation to each claimant in the sum of Kshs. 300,000/= to be appropriate. Further, the Appellant was found to be in breach of its obligations under the Act. Consequently, the High court upheld the decision of the ODPC in its entirety.

Conclusion

This decision comes at an opportune time when Kenya is witnessing a growing adoption and usage of technology-enabled innovations where data collection through digital means is rampant.  It serves as a deterrent to violations of the right to privacy by data controllers and data processors. It is imperative for organizations, companies and business entities to ensure compliance with the act so as to avoid any legal exposures that may arise due to violation of Data Protection Act.