Local firms stare at huge fines over personal data violations

The burden of compliance on telcos and fintechs is heightened by the number of clients' data they collect and process.
Jim, not his real name, visits Kenya twice or thrice annually from the UK where he runs a charity foundation.

The organisation has activities within East Africa.

Jim was recently convinced to buy a local SIM card to ease his communication while in Kenya. In one of his recent visits to Kenya however, Jim was surprised to get a flurry of text messages from betting sites and retail chains blowing up his phone immediately he activated his new SIM card at the airport.

“I was surprised because very few people have this number and I have never shared it out with any agency or registered it on any company’s database,” he explained. Jim is just one of many mobile users often left irritated and mildly concerned about the numerous marketing text messages they receive often without even opting into the promotion in the first place.

SEE ALSO :New Facebook bug may have exposed unposted photos

One major difference, however, is that Jim is a UK citizen and the General Data Protection Regulations (GDPR) enacted in the European Union (EU) earlier this year presents a new dimension to mobile service providers.

Experts now warn that the rising number of partnerships between local mobile network operators and international money transfer companies is exposing the latter to regulation under the GDPR.

Personal data laws

This means local firms are staring at billions of shillings in potential fines and suits should one of their services violate personal data laws of their now-international user base.

Leading mobile network operator Safaricom last month unveiled a partnership with global money transfer service provider Western Union that facilitates the scaling of M-Pesa to global markets. Under the partnership dubbed M-Pesa Global, Safaricom subscribers in Kenya will be able to send and receive money through an app or through USSD to virtually anyone across the globe.

SEE ALSO :Facebook faces lawsuit over privacy violations on data

“This new service brings the convenience, safety, and speed of M-Pesa to the rest of the world and will enable Kenyans to send and receive money across the world from the comfort of their mobile phones,” said Safaricom Chief Financial Services Officer Sitoyo Lopokoiyit during the launch of the partnership.

The deal also makes transfers through bank accounts to the United Arab Emirates, the UK, and Germany instantly available with more lenders in other countries expected to follow suit in the coming months.

Equity Bank has similarly signed a partnership with payment service providers. Following the official launch of its fintech subsidiary Finserve earlier this year, the bank unveiled a new deal with the American Express.

The deal gives Equity Bank exclusive merchant rights to process payments from American Express card members in the country. This includes citizens from European countries seeking to access their accounts while visiting Kenya. This presents a challenge to the service providers given the fact that the GDPR introduces new demands on service providers on how to handle data from EU users. Under GDPR, companies that handle EU citizens’ data are required to get the consent of their consumers to collect their personal data and provide consumers access to it.

Users also have the right to have the data erased, or to restrict it from being processed. In special circumstances, they can ask companies to delete their personal data if they believe the data is no longer serving it’s intended purpose.

SEE ALSO :Cyber agency defends role in data breach

Companies that fail to comply with GDPR face stiff penalties that could include fines of up to four per cent of their global turnover or €20million (Sh2.3 billion), whichever is greater. Companies can be fined even if the data has not been lost.

“Kenyan companies that handle the personal data of EU citizens are exposed to liability under GDPR because the law is not based on the location of the service provider,” explained Dr Bright Gameli, head of cybersecurity at Internet Solutions.

“Ideally the law requires the service provider, for example, Safaricom in the case of M-Pesa Global, to ensure the M-Pesa environment is compliant to GDPR regulations,” he explained.

This is not limited to just mobile network operators as firms in other industries such as airlines, banks, and e-commerce sites have had to inform users of the changing regulations and seek new consent in updated license agreements to stave off liability.

National carrier Kenya Airways (KQ) was one of the first local firms that send users emails updating them of impending changes to their privacy agreement immediately after GDPR came into effect.

SEE ALSO :German police arrest 20-year-old man after massive data breach

The airline then provided a link to the new privacy policy that, as stipulated under GDPR, entailed the data KQ collects on users and for what purpose written in easy-to-understand English.

Dr Gomeli says the burden of compliance on the part of local telcos and fintech firms is heightened by virtue of the number of clients’ data they collect and process. “If you are going to host users’ data, GDPR protects that consumer regardless the location of the servers and gives them precedence and local companies need to understand their liability exposure,” he said.

This means a user who interacts with the interconnected system ran by Western Union and M-Pesa and feels their personal data rights have been violated can include Safaricom in their case should they seek legal redress.

Network operators

This liability exposure is heightened by the fact that mobile network operators and fintechs are increasingly turning to data analytics to improve product differentiation and cut marketing costs. Safaricom says data analytics and forecasting has been crucial in developing unique user profiles of their subscribers and improving products translating to tangible benefits at the bottom line.

 “To tailor offerings to specific customer needs, we are employing analytical marketing, mining the Big Data already at our disposal to respond continually to the behaviour of individuals and market micro-segments,” said the firm in its 2017 annual report.

“These personalised offers drove the reduction of our effective pricing for data and SMS by 29 per cent and 12 per cent respectively, with voice prices remaining flat.”

However, the firm has disclosed little about in-house policies on data privacy and ensuring international products maintain compliance with the GDPR. “Subscribers constantly connect to our networks through voice, SMS, M-Pesa and other smartphone interactions, and hence we have access to huge quantities of data,” stated the firm. “Our vision is to manage it effectively.”

One safeguard for local telcos is to ensure the country enacts data protection laws that are aligned to regulatory expectations in Europe.

Data BreachData RegulationsPrivacyData Protection