Safaricom, businesses risk hefty fines in Lipa na M-Pesa breaches

JavaScript is disabled!

Please enable JavaScript to read this content.

The Office of the Data Protection Commissioner has said it is engaged with various stakeholders on the data protection concerns relating to information that may be obtained when payment is made through the Lipa-Na- Mpesa platform. [Wilberforce Okwiri, Standard]

Safaricom is yet to finalise a plan to block customer contact details when making payments through Lipa na M-Pesa.

The planned move is aimed at curbing personal information from being traded to advertisers or leaking to fraudsters in line with data protection legal requirements.

The telco had earlier said that it would only display the first name of subscribers making payments through the platform and a few digits of their phone number, effectively hiding the contact of the customer.

Safaricom yesterday did not provide a new date for the rollout of the service but said it was racing to come up with a solution.

"We will continue to provide updates as our teams continue to work on the solution," said Safaricom in response to queries by The Standard. Banks already use this model when sending account numbers to avoid disclosing details of their clients.

Safaricom is eyeing this model in line with the data protection law, which was enacted in 2019 to protect privacy.

For example, if a person named John Doe with a phone number +254 (redacted) makes a payment the only data that will be passed along is [John, +2547XXXXX654]. At present, people paying for goods and services leave their numbers and names with thousands of merchants.

With access to consumers' phone numbers and buying habits, the merchants use personal information to send unsolicited advertising through text messages.

The Office of the Data Protection Commissioner said yesterday it is engaged with various stakeholders on the data protection concerns relating to information that may be obtained when payment is made through the Lipa-Na- Mpesa platform.

It added it has called for a "coordinated approach to compliance" with the Data Protection Act, 2019 and the re-engineering of processes by businesses. "This would ensure and taking up of responsibility by both Safaricom and the business receiving customer data through the payment platform," it said in response to queries by The Standard.

"The Office will continue to engage with both mobile-money service providers and businesses to ensure compliance with the Data Protection Act, 2019 in a manner that does not stifle growth and continuity of business." Data is seen as the new oil and businesses have been on the spot for mass-mining everyday data from Kenyans for profit.

"I have been a victim of this. Whenever I pay via mobile money services, the establishments especially supermarkets and bars keep sending me unsolicited messages advertising their services and asking me to return," said Ian Njoroge, a Nairobi resident, on the common data privacy breach.

"I think the plan by the mobile operators to hide the details will come in handy and protect us," he added. Safaricom risks punitive fines if it does not comply. "Pursuant to the Data Protection Act 2019 which came into law on November 25, 2019, Safaricom will be changing how they share data with Lipa Na M-Pesa Partners in general," said Safaricom in internal correspondence earlier.

"Safaricom and its partners are required to take action to minimise the use and transfer of sensitive data such as names and phone numbers during the processing of transactions."

Companies doing business in the country have been racing to review their data privacy policies to avoid paying a fine of up to one per cent of their annual turnover. The commencement date for the new rules under the Data Protection Act 2019 was July 14 last year.

Under the law, sharing or offering for sale personal information could land those responsible for their safe storage in jail for up to six months or fines of up to Sh5 million.

"In relation to an infringement of a provision of this Act, the maximum amount of the penalty that may be imposed by the Data Commissioner in a penalty notice is up to Sh5 million, or in the case of an undertaking, up to one per centum of its annual turnover of the preceding financial year, whichever is lower," says the new law.

Commercial banks, betting firms, technology firms such as Safaricom, Airtel, and Telkom Kenya, media groups, retailers, hospitals, and hotels are among those targeted due to the vast amounts of customer information they hold.

In the year to March 2022, payments worth Sh1.4 trillion were made through the Lipa na M-Pesa platform and a total of Sh9.78 trillion paid through M-Pesa, entrenching the popularity of the platform as a means of commerce as opposed to paying via cash.