Telecom giant allegedly provided unfettered access to customer data without court orders, facilitating tracking and capture of suspects
Kenya’s largest telecommunications company, Safaricom PLC, faces serious allegations of systematically violating customer privacy rights by providing security agencies with unrestricted access to sensitive customer data without proper legal authorization.
In a scathing open letter addressed to CEO Peter Ndegwa, the Kenya Human Rights Commission (KHRC) and Muslims for Human Rights (MUHURI) have accused the telecom giant of engaging in “criminal and unconstitutional practices” that may have facilitated human rights violations by Kenyan security forces.
Explosive Investigation Reveals Years of Alleged Misconduct
The accusations stem from an investigation published on October 29, 2024, by journalists Namir Shabibi, Claire Lauterbach, and Kenya’s Daily Nation newspaper, which revealed what the rights groups describe as a pattern of illegal data sharing spanning several years.
According to the investigation, Safaricom allegedly allowed security agencies “routine access to consumer data (including but not limited to call data records and other location data) without a court order, assisting in the tracking and capturing suspects.”
This practice is particularly concerning given what the rights groups describe as Kenyan security forces’ “reputation for using unlawful tactics, including enforced disappearances, renditions, and extrajudicial killings of suspects.”
Seven Damning Allegations
The human rights organizations have outlined seven specific allegations against Safaricom:
Data Manipulation and Evidence Tampering: The company allegedly handed over responsibility for extracting and handling court-ordered call data records (CDRs) to police officers attached to its Law Enforcement Liaison Office. This created a serious conflict of interest, giving accused security forces the opportunity to “handle the data and conceal evidence of state crime.”
Falsified Records: Safaricom allegedly released CDRs that it certified as authentic even though they bore “signs of manipulation and falsification” in cases involving suspected state-enforced disappearances.
Obstruction of Justice: The company is accused of habitually declining to provide complete CDRs despite court orders, potentially frustrating the course of justice in investigations of state crimes.
Unauthorized Surveillance: Security agencies allegedly received routine access to customer data without proper court authorization, enabling them to track and capture suspects.
Data Retention Deception: Safaricom allegedly retained customer data it claimed had been deleted, including information that could aid in investigating state crimes.
Surveillance Software Development: In partnership with Neural Technologies Limited, Safaricom allegedly developed software granting security agencies “virtually unfettered access to private consumer data.”
Predictive Profiling: Police attached to Safaricom allegedly used specialized software to “predictively and preemptively profile Kenyan citizens,” constituting what rights groups call “invasive breaches of customers’ private data rights.”
Constitutional and Legal Violations
The rights groups argue these alleged practices make Safaricom potentially liable for violating multiple sections of Kenya’s Constitution, including provisions protecting privacy, dignity, freedom from torture, and access to justice.
The company may also have violated the Data Protection Act of 2019, which establishes strict guidelines for handling personal data.
Inadequate Response
While Safaricom released a public statement on October 31, 2024, attempting to address the allegations, KHRC and MUHURI dismissed it as inadequate, saying the company “conveniently ignored to respond to key findings presented in the investigation.”
The rights groups characterized Safaricom’s response as a “selective response to grave human rights violations,” failing to address the core allegations about unauthorized data sharing and potential complicity in human rights abuses.
Demand for Accountability
In their letter, KHRC and MUHURI demanded that Safaricom “address the substance of the allegations with haste and clarify what steps Safaricom PLC will take to ensure that its data is not used unlawfully, whether by Safaricom staff, Kenyan security forces, or any other third party.”
The organizations gave Safaricom seven days to respond to their correspondence, setting a deadline that would put additional public pressure on Kenya’s telecommunications leader.
Implications
The allegations against Safaricom raise serious questions about corporate responsibility in protecting customer privacy and the role of private companies in potential human rights violations. If proven true, the claims suggest a systematic partnership between Kenya’s largest telecom provider and security agencies that may have facilitated serious human rights abuses.
The case also highlights growing concerns about digital surveillance and data privacy in Kenya, where telecommunications companies hold vast amounts of personal data that could be misused by authorities.
As Kenya continues to grapple with allegations of enforced disappearances and extrajudicial killings by security forces, the Safaricom case represents a critical test of corporate accountability and the protection of digital rights.
The telecommunications giant now faces mounting pressure to provide a comprehensive response to the allegations and implement stronger safeguards to protect customer data from unauthorized access.
Safaricom PLC has not yet responded to the specific allegations outlined in the human rights groups’ letter.