Why withdrawing data consent could cost you M-Pesa services

Safaricom collects personally identifiable information. [File, Standard]

Safaricom users can now withdraw consent to restrict personal information about their M-Pesa accounts or their transactions from being shared with third parties.

However, exercising this right could see subscribers lose some or all functionality of their M-Pesa accounts.

This is according to newly updated M-Pesa customer terms and conditions released by Safaricom yesterday, which are set to come into effect from July 1.

“Provided that where you withdraw consent to Safaricom to disclose information to other users for the purposes of clause 4.4.2, Safaricom may impose a complementary condition to revoke (partially or otherwise) any access to any personal information of other users that would have been made available to you as a user,” says a new clause in the updated terms and conditions.

Safaricom collects personally identifiable information that is used to profile M-Pesa accounts, update its databases and provide user support.

Clause 4.4 of the terms and conditions further allows the telco to share some of its users’ personal information with other users they transact with.

The data is also made available to third parties such as M-Pesa agents and the firm’s technology providers, and Safaricom indicates that using the mobile money platform amounts to an automatic consent to the sharing of this data.   

Safaricom CEO Peter Ndegwa. [Wilberforce Okwiri, Standard]

A new clause now allows subscribers to withdraw this consent at any time, electronically or in writing.

This right, however, does not apply to law enforcement, investigative or regulatory authorities including the National Police Service, Kenya Revenue Authority (KRA) and the Ethics and Anti-Corruption Commission.

The latest review in the M-Pesa customer terms and conditions comes less than two months to the implementation of data protection regulations that place new responsibilities on Kenyan companies in how they collect and process users’ personal data.

According to the Data Protection (Registration of Data Controllers and Data Processors) Regulations gazetted in January this year, companies have up to August 14 to register with the Office of the Data Protection Commissioner (ODPC).

Registering with the ODPC as either data controllers or processors will further require companies to demonstrate they have complied with the Data Protection Act, 2019. 

The latest changes to Safaricom’s M-Pesa terms and conditions could also see subscribers who withhold certain personal information required under the law barred from using the telco’s services.

“We are required by law to collect certain personal information and are legally obligated to deny you the service if such information is not availed,” explains a new clause.

Data Protection Commissioner Immaculate Kassait says while increased digitisation has brought the importance of data protection to the fore, some concerns still remain. 

M-Pesa mobile interface. [Wilberforce Okwiri, Standard]

“There’s especially concern in relation to the information being collected; how it’s to be used, who this information is shared with and whether the subject of this information has consented,” Ms Kassait said yesterday during the opening of a data protection conference in Nairobi.   

ICT Cabinet Secretary Joe Mucheru said the industry is adapting to the enactment of data protection laws and the attendant regulations that could boost job creation in the sector. 

“Now we’ll begin to see jobs being created and as the rules and regulations kick in and as businesses begin to implement and organise the information in the way the Data Protection Commissioner wants it done, then we are going to see a booming and growing industry,” he said.

Safaricom is the first company in the country of its size to update its customer terms and conditions in accordance to the Data Protection Act, 2019. Other firms are expected to follow suit in the coming weeks.