MasiboLaw LLP

Book a Consultation

ODPC Slaps Digital Lender with Ksh 700,000 Fine Over Unlawful Debt Collection

Published by

masibolaw

on

The Office of the Data Protection Commissioner (ODPC) recently issued a landmark decision regarding the unlawful processing of personal data in the digital lending sector. The case, involving Ceres Tech Limited (trading as RocketPesa), highlights the severe financial and legal consequences for companies that fail to verify data accuracy or engage in aggressive debt collection practices.

Case Overview: Identity Fraud and Privacy Violations(ODPC Complaint 1655 of 2024)

The complaint was initiated by an individual (the “Complainant”) against Ceres Tech Limited (RocketPesa) concerning allegations of unlawful data processing during debt collection.

The Facts:

  • The Complainant was hounded with messages and calls regarding a loan he never borrowed.
  • Investigation revealed that the Complainant’s National Identification Number had been used fraudulently.
  • Despite being notified of the error, the Respondent persisted in threatening the Complainant, causing significant distress and violating his privacy rights.
  • In their defense, the Respondent initially denied having any records of the Complainant’s data—a claim that was later debunked during the ODPC’s review.

The ODPC found that RocketPesa had disclosed personal and financial data without a lawful basis, failing to uphold core data protection principles like confidentiality, fairness, and data minimization.

Key Legal Violations Identified by the ODPC

The Commissioner found the Respondent in breach of several critical sections of the Data Protection Act:

1. Violation of Data Subject Rights (Section 26)

The Respondent violated the Complainant’s right to be informed of how his data was being used and ignored his right to object to the processing of his personal data.

2. Breach of Data Protection Obligations (Section 25)

The ODPC determined the Respondent failed to ensure that personal data was:

  • Processed in accordance with the right to privacy.
  • Processed lawfully, fairly, and in a transparent manner.
  • Collected for explicit, specified, and legitimate purposes.

3. Failure of Data Verification (Section 28 & 29)

The lender failed to collect data directly from the subject or take “reasonable steps” to ensure the accuracy of the ID number attached to the loan. No notification was provided to the Complainant regarding the collection of his mobile number and ID, violating Section 29.

The Verdict: Compensation and Criminal Prosecution

The ODPC issued stringent remedies to address these breaches:

  • Financial Penalty: Pursuant to Section 65, the Complainant was awarded Ksh 700,000 in compensation for unlawful processing and the resulting distress.
  • Recommendation for Prosecution: Under Section 61, the ODPC recommended the prosecution of the Respondent’s Director for obstructing the Data Commissioner and providing false or misleading information during the investigation.

Critical Implications for Digital Credit Providers

This ruling serves as 700,000 reasons for the fintech and digital lending industry in Kenya to take compliance seriously. To avoid regulatory action, companies must prioritize:

  • Lawful Debt Collection: Strategies must not involve third-party disclosure or unauthorized messaging.
  • Strict Internal Controls: Lenders remain responsible for the actions of their call centers, field agents, and automated systems.
  • Identity Verification: Robust identity verification is mandatory to prevent fraudulent data from entering your systems.
  • Transparency with the Regulator: Misleading the ODPC can lead to personal criminal liability for company directors.

How MasiboLaw LLP Can Help

Navigating the complexities of the Data Protection Act is essential to protecting your business from heavy fines and reputational damage.

  • For Digital Credit Companies: We provide comprehensive compliance audits, privacy impact assessments, and help you structure debt collection frameworks that align with ODPC standards.
  • For Individuals: If you are a victim of a data breach, identity theft, or harassment by a digital lender, we offer expert legal representation to help you secure compensation and protect your rights.

Ensure your operations are legally sound.

Contact MasiboLaw LLP today for a consultation on data protection compliance or litigation support at [info@masibolaw.co.ke].

Leave a Reply

Previous Post
Next Post

Discover more from MasiboLaw LLP

Subscribe now to keep reading and get access to the full archive.

Continue reading