The High Court has ordered Safaricom PLC to pay more than KSh11 million in damages after it was found to have violated the constitutional rights of 11 petitioners in a landmark data privacy case involving a massive breach affecting millions of subscribers across the country.
In a judgment delivered by Justice Bahati Mwamuye, the court found that each of the 11 petitioners is entitled to KSh900,000 in general damages for breach of their constitutional rights. This brings the total compensation to KSh9.9 million, excluding interest and legal costs. The court further ruled that the award will continue to accrue interest until it is fully paid and also directed Safaricom to meet the costs of the case.
The petition was filed by Austin Taabu together with 10 other complainants, who accused the telecommunications company of presiding over a large-scale data breach that allegedly exposed the personal information of more than 11.5 million subscribers between 2018 and 2019. The case centered on claims that sensitive customer data was unlawfully accessed and circulated outside the company’s secure systems.
According to the petitioners, the breach was not accidental but resulted from a coordinated internal scheme involving rogue employees who allegedly exploited their access privileges to extract subscriber data. The stolen information was then allegedly shared with third parties, including betting companies, for financial gain. They argued that this pointed to a systemic failure in Safaricom’s internal data protection controls.
The complainants further maintained that as a data controller, Safaricom had a constitutional and statutory obligation to protect customer information, but instead allowed unchecked access to highly sensitive personal data. They told the court that internal communications, including WhatsApp messages attributed to employees, revealed widespread data harvesting and trading practices within the organization.
They also argued that the breach violated key constitutional protections, including the right to privacy, dignity, and consumer protection under Articles 28, 31(c), and 46 of the Constitution. The court agreed, holding that the company failed in its duty to safeguard subscriber data and that the violations were serious enough to warrant constitutional damages.
In its final determination, the court emphasized the importance of protecting personal data in the digital age, particularly where telecommunications companies handle vast amounts of sensitive user information. It concluded that Safaricom’s failure to secure its systems amounted to a breach of fundamental rights, and therefore awarded compensation to the petitioners as a remedy.












