By Meshack Masibo and Victor Kapiyo
The move to safeguard user privacy was in response to the public outcry against data breaches that result from users' telephone contacts being scraped by data brokers and used to send targeted spam messages. These abuses of personal data have been an issue of concern for M-Pesa users over the years, without an adequate response from Safaricom or regulators. Indeed, a 2021 survey by Ernst & Young showed that 41% of merchant firms shared their clients’ data with third-party service providers and 53% of these companies did not seek the approval of their customers before sharing this data.
Instructively, section 4.3 of Safaricom’s Data Privacy Statement addresses the use of personal data linked to Lipa Na M-Pesa transactions. It states that:
Some of your information may be passed on to any person whom you receive mobile money from or send or intend to send mobile money to.
It goes on to add that:
Your information may be available to any third party involved in the operation of the mobile money service including Lipa Na M-PESA Merchants, mobile money interoperability partners, ATM Switch providers and vendors of the M-PESA money transfer technology platform.
In addition, it states that:
Safaricom will not release any information to any individual or entity that is acting beyond its legal mandate and will procure a user’s express consent before it shares the personal data with any third party for direct marketing purposes.
Despite these express provisions, M-Pesa users have had their contact information misused by some merchants and other third parties. This is perhaps why Safaricom introduced this change.
The new policy from Safaricom is that subscribers' full names and complete phone numbers will no longer be relayed to the merchants they transact with. Only the first name and part of the phone number of the subscriber making the transaction will be shared, with the rest of the details being masked (obfuscated). For example, if someone named John Doe with the phone number +25470123456789 makes a payment, the only data shared with the merchant would be, for example, [John, +2547XXXXXXX789].
Therefore, the shift by Safaricom is a step in the right direction to safeguard the privacy and data of its users by design and by default, in keeping with section 41 of the Data Protection Act. The provision requires data controllers and processors, like Safaricom and merchants generally, to implement appropriate technical and organisational measures designed to identify and address reasonably foreseeable internal and external risks to personal data under their possession or control.
While Safaricom’s policy shift was long overdue, as many banks have already implemented such moves, it might perhaps encourage other merchants and stakeholders within the financial services sector to adopt similar policies to strengthen privacy protection for users of financial services by design and by default. The exposure of contact information to all merchants has been exploited by unscrupulous individuals to send spam messages and defraud users, and has contributed to the rise of other cyber crimes. We hope that such abuses will reduce if merchants adopt stronger privacy protection and data security.
Likewise, we welcome the move by the Central Bank of Kenya to introduce more stringent measures for financial service institutions to safeguard user privacy and strengthen their cybersecurity governance. It will also be useful for the Office of the Data Protection Commissioner to investigate ongoing abuses by some financial service providers, put in place additional guidelines for privacy protection in the financial services sector, and engage with these institutions to promote greater public awareness of privacy rights and cybersecurity.