Citizenry told to report rogue digital loan apps

Kenyans who are still receiving calls from Digital Credit Providers (DCP) after their kin or friends fail to pay their loans have been urged to report those providers to the Office of the Data Protection Commissioner.
Data Commissioner Immaculate Kassait said that Kenyans should report those providers because the practice of contacting people other than the borrower is an infringement of data privacy.
“People consent to taking a loan, but they don’t consent to sharing information of third parties. Some digital lenders think that they can use the data they collect to intimidate others. But this is not going to happen because the human right to data privacy must be protected,” she said.
The Data Protection Act, 2019 requires data processors to inform data subjects about processing activities.
This includes informing them about their rights, data collection purposes, sharing with third parties, contact details of entities receiving the data, security measures, mandatory and voluntary data collection, and consequences of not providing certain data.
Borrower’s smartphone
Existing data law requires data to come directly from the individual, but digital lending apps also collect and process data from the borrower’s smartphone and other sources without consent. Consent, as defined by the law, must be clear and informed. Many consumers are unaware of this data collection method.
Kassait, who was speaking in Nairobi during the digital credit providers meeting, revealed that some privacy concerns have so far found their way to the Office of the Data Protection Commissioner (ODPC) through complaints lodged by data subjects.
The office has to date received 3,993 complaints on digital lenders, closed 2,325, determined and issued enforcement notices to 150, determined and closed 36, with ongoing investigations into 9, while the others are in the process of review.
“From these cases, some lenders have been charged a penalty of up to five million shillings. Surprisingly, some of the penalised lenders have become notorious violators of the law, continuing to commit this crime even after paying the penalties.”
For example, late last year the Office fined three entities a total of Sh9.3 million in a move set to further enforce sanity in the online lending space in the country.
Mulla Pride Ltd, which operates two online credit platforms, KeCredit and Faircash, received a Sh2.9 million ($20,000) penalty. According to the ODPC, the company used personal contact information from third parties to shame borrowers into paying their loans.
Earlier, the office had issued two penalty notices of Sh5 million each against Whitepath and Regus Kenya Ltd for violating data protection regulations.
The two were penalised after the agency received close to 150 complaints against Whitepath, alleging that their applications accessed mobile phone contacts and sent unwarranted and unsolicited text messages to these contacts.
Regus Kenya, on the other hand, has been accused of failing to comply with data protection regulations by failing to secure the sensitive personal data of its clients. The company provides flexible workspace solutions to businesses and individuals in Kenya.
“We want people to report these providers not because we want to penalise digital lenders, but because we want organisations that collect and process personal data to start paying close attention to privacy issues,” she added.
She said that although the office has embarked on an assessment of digital credit service providers, the initial assessments undertaken show there is still much more that needs to be done by the DCPs to fully demonstrate compliance with the Data Protection Act.
Processing operations
Kassait outlined some key aspects, including the demonstration of a record of all the processing operations undertaken by the digital credit providers and the lawful basis for each of the processing operations.
Others are demonstration of compliance with the data protection principles outlined under section 25 of the Act, the notification requirements under section 29 of the Act, and the conditions for consent.
This is in addition to data protection policies in line with the requirements of Regulation 23 of the General Regulations, and data retention policies in line with the requirements of Regulation 19 of the General Regulations.