How Safaricom Could Sell You Out To KRA
Hidden inside Safaricom’s data privacy statement is a legal architecture that allows the company to hand your call records, mobile money history, location traces, and financial profile to the Kenya Revenue Authority, auctioneers, and law enforcement with no obligation to ever tell you it happened. Kenya Insights has interrogated the fine print, and what it reveals should make every Safaricom subscriber uncomfortable.
Every morning, thirty-six million Kenyans wake up and reach for their Safaricom lines. They send money to a relative in Kisumu, call a business associate in Mombasa, browse the internet on a boda boda, top up airtime at a kiosk.
In doing so, they hand Safaricom a continuous, real-time dossier of their lives. Their movements. Their associations. Their spending habits. Their approximate whereabouts at any given hour of the day.
Most of them have no idea what Safaricom is legally permitted to do with that dossier. A careful reading of Safaricom’s own Data Privacy Statement makes the answer chilling.
The document, accessible on Safaricom’s website and last formally dated October 2019 though still in active force, is written in the language of corporate compliance. It is polite, hedged, and apparently unremarkable.
But buried inside its disclosures is a legal framework that grants Safaricom expansive latitude to share intimate personal data with a parade of third parties, including the Kenya Revenue Authority, law enforcement agencies, auctioneers, and debt collectors, without any obligation to notify the subscriber it has done so.
The consent requirement that Section 4.5 appears to offer turns out, on close reading, to apply exclusively to direct marketing. For everything else, the telco decides.
Safaricom knows where you sleep. It knows who you called at 2 a.m. It knows how much you sent through M-Pesa last Tuesday. The question is who else it is allowed to tell.
THE PRIVACY POLICY NOBODY READS
Section 3.2 of the Data Privacy Statement inventories what Safaricom collects, and the scope of it is staggering.
The company retains your national identity document number, date of birth, photograph, email address, and biometric data including voice fingerprints gathered through its interactive voice response systems. It logs every phone number you call or receive a call from, every text message header, and every data session on its network.
It records your M-Pesa transaction history in full. It uses CCTV in its physical premises to record visitors.
It maps your device against mobile network masts to determine your approximate geographic location. And per Section 3.2.5, it collects income bracket and education level data through surveys conducted by its agents.
The statement further acknowledges in Section 3.2.8 that while Safaricom does not record the content of calls and messages, it keeps the metadata: who you called, when, for how long, and roughly from where.
To anyone familiar with how governments use telecommunications intelligence, the content of a call is often less valuable than the pattern of calls.
Knowing that a journalist called a whistleblower three times in one week, or that a protest organizer spoke to nineteen different contacts in forty-eight hours before a demonstration, is intelligence. Safaricom collects all of it, all the time.
SECTION 4.2: THE DISCLOSURE MENU
The real danger in Safaricom’s privacy statement sits in Section 4.2, which lists the parties to whom the company may disclose customer information.
The list is extensive and its implications are barely discussed in public discourse.
Law enforcement agencies, regulatory authorities, courts, and statutory bodies can receive your data in response to a demand carrying the appropriate lawful mandate.
That phrasing does not require a court order. The word used is mandate, a category broad enough to encompass administrative demands from agencies that have no judicial sanction backing them.
More alarming is Section 4.2(e), which lists debt-collection agencies and other debt-recovery organisations as legitimate recipients of customer data.
Read alongside Section 3.2.3, which confirms that Safaricom retains your full M-Pesa transaction history, the question of exactly what data flows to a debt collector becomes acute.
A subscriber who defaults on a mobile loan does not merely risk being reported to a credit reference bureau.
They potentially expose their entire transaction footprint to an auctioneer or debt recovery firm with no particular obligation to data security or minimization.
Section 4.2(c) names fraud prevention and anti-money laundering agencies, which again sounds uncontroversial until one considers that the definition of money laundering under Kenyan law is elastic enough to be applied to informal business activity, political fundraising, and ordinary cash transactions that do not match the tax profile the KRA has on file for you.
Section 4.2(d) authorizes disclosure to government databases for identity verification purposes, a pathway that connects Safaricom’s data to the entire apparatus of state information infrastructure with no per-disclosure notification to the subscriber.
Section 4.5 says Safaricom will seek your consent before sharing data with third parties for direct marketing. For law enforcement, auctioneers, KRA, and government databases, there is no such courtesy.
THE CONSENT CLAUSE THAT MEANS NOTHING WHERE IT MATTERS
Section 4.5 is the clause that sounds reassuring and is, in practice, irrelevant to the most sensitive disclosures.
It reads: Safaricom will get your express consent before sharing your personal data with any third party for direct marketing purposes.
This is the only section of the entire disclosure framework that requires subscriber consent before data is shared.
It applies exclusively to marketing. It has nothing whatsoever to do with the disclosures in Section 4.2, which govern law enforcement, regulatory agencies, auctioneers, debt collectors, and government databases.
Those disclosures require no consent. They require no notification.
They require nothing from you at all.
This architecture creates a deeply asymmetric privacy regime. Safaricom will ask your permission before an insurance company sends you a promotional SMS.
It will not ask your permission before handing your call records to a detective, your mobile money history to the KRA, or your account information to a firm pursuing a debt you may not even know you owe.
The subscriber is protected from inconvenient advertising while being exposed, without notice, to the coercive machinery of the state and of private debt enforcement.
KRA IS ALREADY AT THE DOOR
The theoretical threat posed by Safaricom’s disclosure framework is not theoretical at all.
The Kenyan government has been systematically building the legal and operational infrastructure to access telecommunications data for tax enforcement, and the integration is further advanced than public statements have acknowledged.
A government brief to the International Monetary Fund, reported by The Standard, confirmed that at least one leading Kenyan telecommunications company had already begun sharing real-time mobile money transaction data with the Kenya Revenue Authority to enhance tax compliance.
The brief stated that integration with telecommunications companies had commenced and was expected to be completed by June 2025.
The government explicitly told the IMF that it intended to use telecommunications data to identify discrepancies between reported income and actual spending patterns, effectively turning M-Pesa transaction history into a tax intelligence instrument deployed against subscribers.
Safaricom’s own Chief Finance Services Officer Esther Waititu publicly denied any integration between M-Pesa and KRA as recently as January 2024, telling journalists that sharing of data between separate business entities was not permissible under the Data Protection Act.
The government’s simultaneous submission to the IMF confirming active integration creates a contradiction that has never been resolved in public. Either Safaricom’s most senior financial officer did not know an integration had commenced, or the company’s public denials were prepared with creative ambiguity about what constitutes sharing.
The government told the IMF that telco integration for tax compliance ‘has commenced.’ Safaricom told Kenyans there was no integration. Both statements cannot be true.
THE FINANCE BILL: A BRAZEN POWER GRAB, TWICE
The government’s appetite for telecommunications data is not limited to quiet administrative arrangements.
In May 2024, the Finance Bill proposed an explicit amendment to the Data Protection Act that would have exempted the Kenya Revenue Authority from compliance with data protection principles entirely, whenever it determined that data access was necessary for tax assessment, enforcement, or collection.
The proposal, contained in Clause 63, would have removed KRA’s obligation to justify data collection, to limit it to what was strictly necessary, to inform subscribers that their data was being accessed, or to apply any of the other safeguards the Data Protection Act exists to provide.
Civil society organisations responded with alarm. Amnesty International Kenya and ARTICLE 19 Eastern Africa jointly condemned the amendment as unconstitutional, arguing that it would deny taxpayers their rights as data subjects to know who was accessing their data and for what purpose.
The Law Society of Kenya called it unconstitutional. The CIPIT legal research centre at Strathmore University concluded that the proposal violated Article 31 of the Constitution of Kenya, which guarantees the right to privacy.
The Finance Bill was eventually withdrawn entirely following the Gen Z protests of June 2024, during which parliament itself was stormed.
The Treasury did not abandon the project.
The Finance Bill 2025 revived the same ambition through a different mechanism, proposing to delete Section 59A(1B) of the Tax Procedures Act, a provision introduced in December 2024 that explicitly bars the KRA Commissioner from compelling businesses to share personal data or trade secrets collected from customers.
Removing that clause would grant the KRA the power to compel telecoms, banks, and other data processors to integrate their systems and surrender customer information on demand. The Law Society of Kenya, KPMG East Africa, and Ernst and Young all raised objections.
The proposal is still alive.
NEURAL TECHNOLOGIES AND THE SURVEILLANCE MACHINE
The question of what Safaricom’s data is capable of enabling, in the wrong hands, was answered with uncomfortable specificity by a Daily Nation investigation published in October 2024.
The report, based on months of research and access to insider accounts, alleged that a British software company called Neural Technologies had embedded within Safaricom’s internal systems a data management architecture that allowed Kenya’s security services to access call data records in something approaching real time, with capabilities extending to predictive movement profiling.
The investigation described a prototype tool called Find My Friends, developed by Neural Technologies for Kenyan law enforcement, which allowed officers to trace a target’s movements by triangulating mobile mast connections as the individual moved across the country.
Former Neural Technologies director Adrian Harris was quoted describing the tool’s function in terms that made its purpose explicit, noting that while it was framed as counter-terrorism capability, the underlying mechanism treated all users as potential subjects.
The investigation quoted Adrian Harris as characterising the tool as one designed to flag specific individuals for further investigation based on patterns of movement and association.
Safaricom denied that the Neural Technologies system provided real-time access to subscriber location or movement data, insisting that call data records were generated only after calls ended and were used strictly for billing purposes.
The company said its systems were not designed to track any subscriber’s live location. Neural Technologies did not respond to queries from the Daily Nation.
The gap between Safaricom’s formal assurances and the specific technical capabilities described by a former director of the company it partnered with has never been closed.
Amnesty International’s November 2025 report on tech-facilitated violence against Kenyan activists went further, documenting testimony from human rights defenders who believed that state surveillance supported by Safaricom had enabled clandestine police units to track protest organizers during the 2024 Finance Bill demonstrations.
The report linked this surveillance to subsequent enforced disappearances and killings. Amnesty estimated that across protests between June 2024 and July 2025, excessive use of force by security agencies resulted in at least 128 deaths, more than 3,000 arrests, and over 83 enforced disappearances.
Amnesty International documented 128 deaths, 3,000 arrests and 83 enforced disappearances across protests that its own investigators believe were enabled, in part, by telecommunications surveillance.
IMEI NUMBERS AND THE TAXMAN’S NEW EYE
The KRA’s ambitions extend beyond M-Pesa. In late 2024, new guidelines issued by the Communications Authority of Kenya required phone manufacturers, importers, retailers, and mobile network operators to upload the IMEI numbers of all locally assembled or imported devices into a KRA portal for tax compliance monitoring.
The International Mobile Equipment Identity number is a 15-digit code unique to each handset, used by network operators to identify devices on their infrastructure. Its use outside of security contexts, specifically for device-level tax surveillance, raises privacy questions that courts have already considered.
In 2017, a Kenyan court ruled against the Communications Authority’s earlier Device Management System, calling it a threat to subscriber privacy and directing the regulator to use less intrusive measures.
That ruling wound its way to the Supreme Court and was eventually reversed in 2023, permitting the DMS to proceed.
The new KRA IMEI portal framework may represent the next iteration of the same surveillance infrastructure, this time with a tax compliance rationale rather than a security one. Cybersecurity analyst Kamau, speaking to Citizen Digital, put the question plainly: IMEI numbers should only be shared with network service providers. Does this mean KRA will now be a network service provider?
THE ARCHITECTURE OF SILENCE
What makes Safaricom’s privacy framework most significant is not any single disclosure provision but the structural absence of subscriber notification rights across the most consequential categories of data sharing.
The company’s statement acknowledges in Section 10 that subscribers have a right to be informed that personal data is being collected. It does not create any right to notification when that data is subsequently shared with law enforcement, government agencies, or debt recovery firms.
A Safaricom subscriber whose call records are handed to a detective investigating a protest, whose M-Pesa history is cross-referenced by the KRA against their tax filing, or whose mobile account information is passed to an auctioneer pursuing a debt will not receive a text message, an email, or any other notice that this has happened.
They may never know.
The Data Protection Act’s general requirements that data be processed with transparency and for specified, explicit, and legitimate purposes create obligations on paper that are difficult to enforce in practice when the subject of the data sharing does not know it has occurred.
Section 4.4 of the privacy statement contains one guard clause: Safaricom shall not release any information to any individual or entity that is acting beyond its legal mandate.
The company is therefore the judge of whether a requesting entity is acting within its mandate.
There is no independent verification requirement, no subscriber right of challenge, and no mechanism by which a person targeted for data disclosure can intervene before it happens. The protection offered by 4.4 is entirely dependent on Safaricom’s own institutional willingness to exercise it.
WHAT THIS MEANS FOR YOU
If you are a Safaricom subscriber, the practical implications of the company’s data privacy architecture are these.
The KRA may have access to your M-Pesa transaction history, either through existing integration with at least one major telco, or through legal mechanisms that compel disclosure without your consent.
Law enforcement agencies can receive your call data records on the basis of a mandate that does not require a court order as a prerequisite. An auctioneer or debt recovery firm pursuing a claim against you can receive your account information without you being notified.
And the pattern of calls you make, the times you make them, the towers your phone connects to as you move through the city, can be used to map your movements and associations in ways that go far beyond what the company’s official positions acknowledge.
The government holds a 35 percent stake in Safaricom, alongside Vodafone Group’s approximately 40 percent shareholding.
It is simultaneously a private commercial entity with ISO 27701 privacy certification and a company in which the Kenyan state is the single largest identifiable shareholder.
That structural reality creates inherent tensions between the company’s obligations to subscribers and its relationship with the agencies of state that its own disclosure framework empowers to demand subscriber data.
When the CEO says no data has been shared with government agencies and the government simultaneously tells the IMF that integration with telecommunications companies has commenced, the subscriber is left to decide who to believe, with no independent means of verification.
Safaricom is simultaneously a private company with a privacy certification and a firm in which the Kenyan state is the largest shareholder. Both identities cannot be served equally.
WHAT SHOULD CHANGE
At minimum, Safaricom subscribers deserve a notification right that mirrors what the company already offers for direct marketing.
If a law enforcement agency demands your call records, you should receive a message informing you of that demand, subject to exceptions for active terrorism investigations where notification would genuinely compromise safety.
That exception should be narrow, defined in law, and subject to judicial oversight, not left to the discretion of the requesting agency.
The legal mandate threshold in Section 4.2(a) requires tightening.
Any disclosure of call data records or M-Pesa transaction history to law enforcement should require a court order, not merely an administrative demand issued with what the company characterises as the appropriate lawful mandate.
The courts exist precisely to test whether a demand is lawful. Bypassing them removes the only independent check on the coercive use of telecommunications data against political opponents, journalists, activists, or ordinary citizens caught in the ambiguous reach of tax enforcement.
The Finance Bill 2025 proposal to delete Section 59A(1B) of the Tax Procedures Act should be rejected, as its predecessor was. The KRA already has the power to access financial data with a court warrant under Section 60 of the Tax Procedures Act.
The effort to remove the additional safeguard introduced in December 2024 is not about enabling tax collection.
It is about removing a constraint on how the KRA collects data from private entities, and it has no place in a state that claims constitutional protection for privacy as a fundamental right.
Safaricom should publish a transparency report. Every six months, it should disclose the number of data requests it received from law enforcement agencies, the number it fulfilled, the number it refused, and on what grounds.
Absent that disclosure, the company’s repeated insistence that it complies with data protection law cannot be evaluated by the thirty-six million people whose data it holds.
