Whitepath Company Limited that was previously flagged as a rogue lender and fined for data breach by data commission is now back to old dirty ways.
The firm is yet again being accused of harassing Kenyans, sending threatening messages to lenders and in-line violating the very laws that they were fined for.
“This month Whitepath sent a message to my contacts debt shaming me even after I gave them a repayment plan.” A complainant said.
“I do not even know how these people get access to contacts because I think Google banned them from requesting permissions for contacts.” He adds that he’s not the only victim as there are other cases that he’s aware of.
Evidence of harassment
Rogue lenders fined
Last year in April, mobile money lender WhitePath Company Limited and workspace provider Regus Kenya were both slapped with a Sh5 million penalty as per the Data Protection Act and Complaints Handling Procedure and Enforcement Regulations.
This followed a barrage of complaints received by the commission on WhitePath with close to 150 users claiming that their applications have been accessing their phone contacts without permission and bombarding them with unwanted text messages. To make matters worse, WhitePath’s staff was alleged to been harassing the complainants and their contacts. Same things they’re doing again.
As for Regus Kenya, they’ve were accused of spamming improper information to a complainant despite attempts to make them stop.
They suffered such an expensive penalty for refusing to cooperate with the Office of the Data Protection Commissioner (ODPC).
According to the ODPC, WhitePath failed to comply with an enforcement notice dated January 10, 2023, while Regus Kenya was non-cooperative and ignored multiple complaints, reminders and an enforcement notice.
The Data Commissioner, Immaculate Kassait, sternly emphasised that it’s the responsibility of every company to prioritise protecting personal data and challenged businesses to do so by design and by default.
Headache of unregulated digital lenders
In the latest positive development, the Data Protection Commissioner Immaculate Kassait has revealed the investigations following complaints over digital lenders who have breached the confidentiality of personal information.
The firms are accused of resorting to “debt shaming” tactics to recover loans.
This includes use of debt collection agents pursuing borrowers either by informing their friends and family using contact information scraped from their phones or by threatening to tell their employers.
The Data Protection Act bars sharing of data with third parties without consent and gives individuals the right to be told when their data is being shared and for what purposes.
“The Office received complaints from data subjects regarding digital money lending applications. Towards this end, my office has commenced investigations on a total of 67 such complaints in line with the office mandate,” Ms Kassait said without divulging additional information.
Scores of unregulated microlenders have invested in Kenya’s credit market in response to the growth in demand for quick loans, where borrowers can get loans in minutes via their mobile phones.
Borrowers share personal information, including their professions and monthly earnings, when registering with digital lenders.
But besides the pursuit of unpaid loans, digital lenders share personal information with data analysing firms and for marketing.
The Central Bank of Kenya (CBK) has previously raised concerns about the abuse of the personal data of borrowers and called on lawmakers to fast-track legislation to provide for the regulation of digital lenders.
Lobbies that had petitioned Parliament during the review of the Bill also said that loan applications are private affairs that should be treated as confidential information.
Digital lenders have saddled borrowers with high-interest rates, which rise up to 520 percent when annualised, leading to mounting defaults and an ever-ballooning number of defaulters.
The Data Protection Act further compels firms to disclose to individuals and customers the reasons for collecting their data and ensure that the confidential information is safe from infringement by unauthorised parties.
Offences under the Data Protection Act attract a fine of up to Sh5 million and or imprisonment for a term not exceeding to 10 years or both.
“Infringement of provisions of the Kenya Data Protection Act (DPA) will attract a penalty of not more than Sh5 million or, in the case of an undertaking, not more than 1 percent of its annual turnover of the preceding financial year, whichever is lower,” the Act says.
“Individuals will be liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.”
Scores of unregulated microlenders have invested in Kenya’s credit market in response to the growth in demand for quick loans, where borrowers can get loans in minutes via their mobile phones.
The firms are accused of resorting to “debt shaming” tactics to recover loans.
This includes use of debt collection agents pursuing borrowers either by informing their friends and family using contact information scraped from their phones or by threatening to tell their employers.
The Data Protection Act bars sharing of data with third parties without consent and gives individuals the right to be told when their data is being shared and for what purposes.
Kenya Insights allows guest blogging, if you want to be published on Kenya’s most authoritative and accurate blog, have an expose, news TIPS, story angles, human interest stories, drop us an email on [email protected] or via Telegram