A High Court ruling in Nairobi has put every company that collects personal data on notice, and the lesson is not about fines. It is about who owns the problem when your systems fail.
The case, Constitutional Petition E095 of 2026, involved 11 Safaricom subscribers whose personal and financial data, including betting histories and transaction records, were pulled from Safaricom’s internal systems and handed to outside parties without their knowledge.
Each petitioner was awarded KES 900,000, bringing the total to KES 9.9 million. For a company the size of Safaricom, that number does not shake the balance sheet. What shakes things is how Justice Bahati Mwamuye got there.
Safaricom’s defense was simple: a rogue employee did it. The company argued that because the individual acted outside their authority, the institution itself should not bear constitutional responsibility. It is the kind of defense that has worked before. It did not work here.
The court found that the breach happened because of systemic failures inside Safaricom’s own infrastructure: poor data governance, weak internal oversight, and inadequate security controls. The rogue Safaricom employee could only do what they did because the system made it possible. That, the court said, is on the company.
The ruling leans heavily on Article 31 of the Constitution, Kenya’s right-to-privacy provision, but the court’s reading of it adds something most companies were probably not prepared for.
Article 31, the judgment found, imposes a positive and non-delegable duty on data controllers. “Non-delegable” means the obligation cannot be handed off. Not to the IT department. Not to a third-party vendor. Not to a compliance officer buried three levels down the org chart. It sits with the institution, and when things go wrong, the institution answers for it.
The court also found violations of Article 28, the right to dignity, and Article 46 on consumer protection. The dignity angle is a big deal because it expands what counts as harm. The exposed data included betting histories and financial records, the kind of information whose disclosure can cause reputational damage and psychological harm even when no money is stolen.
Under this ruling, a person whose data leaks does not need to show a financial loss to have a valid claim. The harm to their person and their reputation is enough.
The Article 46 finding goes further still. The court held that a service provider failing to build adequate safeguards for sensitive consumer data at scale is offering a deficient service, not just breaching a contract but falling short of a constitutional standard.
When you hand your financial history to a company in exchange for a service, the court is now saying you have a right to expect that company to protect it properly. If they do not, it is not a terms-of-service dispute. It is a rights violation.
For corporate Kenya, especially banks, telcos, insurers, health providers, and government bodies sitting on large volumes of personal data, the practical implication is simple.
If a breach happens and you cannot show clear documentation of who had access to what, what monitoring was in place, and how quickly you would have caught unusual activity, you are exposed. The rogue employee story will not save you.
Kenya’s courts have now done at the constitutional level what data protection regulators in other countries have been pushing for years: holding organizations directly and personally accountable for the environments they build, not just the employees they hire.
This is the first major test of that principle at this level in Kenya. It will probably not be the last.