Safaricom Faces Avalanche of Lawsuits Over Data Privacy as Acquitted Student Demands Sh200mn Compensation in 48 Hours

Safaricom PLC, Kenya’s dominant telecommunications operator with more than 46 million subscribers, finds itself at the centre of an escalating legal storm that lawyers warn could unleash a torrent of constitutional petitions challenging how the company has handled customer data when cooperating with law enforcement agencies.

The crisis was triggered by a ruling handed down on February 19 by Principal Magistrate Carolyne Nyaguthii Mugo at the Milimani Chief Magistrate’s Court in Nairobi, which acquitted David Oaga Mokaya, a 24-year-old university student, of cybercrime charges.

Prosecutors had alleged that Mokaya published a manipulated social media image depicting a funeral procession with a casket draped in the Kenyan flag, captioned as showing President William Ruto’s body leaving Lee Funeral Home.

The magistrate threw out the charges under Section 215 of the Criminal Procedure Code, finding that the prosecution had failed to prove its case beyond reasonable doubt. Crucially, she excoriated investigators for seizing and forensically examining Mokaya’s electronic devices without first obtaining valid court orders — a procedural failure she said rendered the evidence obtained constitutionally inadmissible.

Within hours of the acquittal, Mokaya’s legal team — comprising advocates Danstan Omari, Shadrack Wambui, and Martina Swiga — issued a 48-hour demand notice to Safaricom PLC, seeking Sh200 million in damages for what they describe as the unlawful disclosure of their client’s location data and personal information to investigators in the absence of a court order.

The demand threatens constitutional proceedings at the High Court’s Constitutional and Human Rights Division should Safaricom decline to admit liability.

‘For the police to obtain your location or personal data from Safaricom, they must first obtain a court order. Without that order, any disclosure is unconstitutional.’ Danstan Omari, advocate for David Mokaya

The ‘Hard Place and the Rock’ Dilemma

Legal analysts and market observers are already describing Safaricom’s predicament as a no-win situation. If the company contests the claim and loses at trial, it faces the prospect of opening the floodgates to thousands of similar lawsuits from Kenyans who believe their data was shared with the Directorate of Criminal Investigations (DCI) or other security agencies without judicial authorisation.

Conversely, should the company settle out of court, the precedent set by even a confidential agreement could embolden further claimants.

The stakes are particularly high given what lawyers describe as systematic and longstanding data-sharing practices between Safaricom and law enforcement.

In November 2024, an investigation by journalists Namir Shabibi and Claire Lauterbach, published in partnership with Kenya’s Daily Nation, alleged that Safaricom had, for years, given security agencies virtually unfettered access to subscriber data — including call data records (CDRs) and real-time location information — without court orders, facilitating the tracking of suspects later linked to enforced disappearances and extrajudicial killings.

The Kenya Human Rights Commission (KHRC) and Muslims for Human Rights (MUHURI) issued a formal open letter to Safaricom in late 2024 demanding an accounting of the allegations and warning of legal consequences.

Safaricom, through its lawyers, denied the allegations as “not only false but also malicious.” The company has maintained publicly that it shares customer data only when “explicitly required via a court order.”

A Company Already Besieged

The Mokaya case is far from the only data-related litigation confronting the Nairobi Stock Exchange-listed company.

In 2025, Safaricom was named as a defendant in a KES 1.432 billion lawsuit filed in February, arising from an alleged breach of a central development server in its finance department that is claimed to have exposed approximately 43 million customer records.

That suit also names the Attorney General and the Director of Public Prosecutions, with the complainant alleging that the DCI and the Serious Crimes Unit conspired with Safaricom to suppress evidence and fabricate exhibits.

Separately, two former senior Safaricom managers stand accused in both civil and criminal proceedings of extracting and attempting to sell personal data belonging to 11.5 million subscribers — approximately 23 per cent of the company’s customer base — to a major sports betting firm.

That data cache included full names, national ID numbers, passport numbers, M-Pesa transaction histories, precise location data, and gambling records, representing what some have characterised as potentially the largest corporate privacy violation in African history. The civil case, in which settlement talks collapsed in October 2025, is now headed for a full hearing.

In February 2025, the Office of the Data Protection Commissioner (ODPC) ordered Safaricom and Becton Dickinson East Africa to pay damages of Sh250,000 each for unlawfully processing the personal data of a former employee, Catherine Kainyu Murithi, without her consent — a ruling that, while modest in quantum, established a precedent for regulatory accountability.

‘The David Mokaya case is a landmark decision that is going to bring sanity to the telecommunications sector.’ Danstan Omari, advocate

The Constitutional Framework

Kenya’s Data Protection Act, enacted in 2019, established comprehensive obligations on data controllers and processors, including telecommunications companies, prohibiting the sharing of personal data without the data subject’s consent or a lawful basis such as a court order.

The Act is enforced by the ODPC, which has gradually stepped up its regulatory posture in recent years.

The constitutional dimension of the Mokaya claim rests primarily on Article 31, which guarantees every person the right to privacy including in respect of their communications, home, and personal information, and Article 28, which protects human dignity.

The legal team argues that personal data — messages, contacts, location, and financial records — are extensions of a person’s dignity and are entitled to heightened protection.

The Milimani ruling reinforces a growing body of Kenyan jurisprudence holding that electronic devices attract “heightened constitutional protection” by virtue of the extensive personal data they contain, and that any search or extraction of that data must be preceded by proper judicial authorisation.

The magistrate’s explicit condemnation of the investigators’ failure to produce valid warrants during the Mokaya trial is already being cited by legal practitioners as a significant elaboration of digital rights standards.

Potential Floodgate of Claims

Human rights lawyers and civil society organisations warn that the Mokaya judgment, if the constitutional petition proceeds and succeeds, could open the way for a far larger wave of litigation.

Thousands of Kenyans who were arrested, prosecuted, or subjected to surveillance in cases that relied on subscriber data shared by Safaricom without a court order may now have a constitutional cause of action against the company.

The 2024 anti-Finance Bill protests, during which civil society groups accused Safaricom of facilitating the tracking of demonstrators in real time, generated particular public anger and are likely to produce their own tranche of potential claimants.

Advocate Omari described the forthcoming petition as “potentially precedent-setting,” arguing it would compel the courts to definitively resolve how telecommunications companies must balance cooperation with law enforcement against their constitutional and statutory obligations to subscribers.

Danstan Omari.

“This case could redefine how telecom companies cooperate with law enforcement agencies,” he said, adding that its implications for digital surveillance practices would be “far-reaching.”

In Kenya, courts have already allowed class action suits to proceed against Safaricom, with the High Court in an earlier case permitting senior counsel to publish notices inviting subscribers to join constitutional petitions.

The legal infrastructure for aggregated claims therefore already exists and is familiar to the judiciary.

Safaricom’s Position and Commercial Exposure

Safaricom, which reported revenues of Sh311.6 billion in its most recent financial year and holds a dominant position in Kenya’s mobile money ecosystem through its M-Pesa platform, has not publicly responded to the Mokaya demand notice as of the time of publication.

The company’s published privacy policy states that it does not share customer information unless required by law or a court order, and it holds multiple internationally recognised data security certifications, including ISO 27701 and ISO 27001.

It is regulated by the ODPC, the Communications Authority of Kenya, and the Central Bank of Kenya.

The company has historically maintained that interactions with its Law Enforcement Liaison Office operate within the bounds of the law.

However, critics argue that the very existence of a dedicated liaison structure facilitating data flows to security agencies — particularly given findings about CDR handling and alleged manipulation of records surfaced in investigative journalism — points to systemic practices that courts have yet to fully scrutinise.

Investors tracking Safaricom’s shares on the Nairobi Securities Exchange will note that a sustained legal campaign, particularly one that captures public attention and attracts additional petitioners, carries not only direct financial liability but reputational damage in a market where trust in data stewardship is increasingly valued by both consumers and institutional stakeholders.

What Happens Next

The 48-hour ultimatum issued to Safaricom expired on February 22, 2026. Should the company fail to respond or decline to admit liability, Omari has committed to filing a constitutional petition at the High Court the following Monday morning.

A successful petition seeking Sh200 million in damages would, legal practitioners note, not be the end but the beginning: it would crystallise a cause of action that tens of thousands of Kenyans could replicate.

The case also arrives at a moment of heightened scrutiny for the relationship between African telecommunications companies and state security apparatus more broadly.

From Nigeria to Ethiopia to South Africa, regulators and civil society groups have pushed for clearer legal frameworks governing when and how network operators may disclose subscriber data to authorities.

The outcome of the Mokaya constitutional petition, and any eventual class action that follows, is therefore likely to be watched beyond Kenya’s borders.

For Safaricom, caught between the demands of law enforcement agencies that depend on its cooperation and the constitutional rights of the 46 million subscribers whose data it holds, the Mokaya case has crystallised a tension that the company can no longer defer.

The question now is not whether it will face a wave of data privacy litigation, but how large and how organised that wave will be.