The High Court has ordered Safaricom to pay Ksh 900,000 each to 11 Kenyans in a constitutional case involving an alleged large-scale data breach affecting millions of subscribers linked to M-Pesa betting wallets.
Justice Bahati Mwamuye, in his ruling delivered on May 13, stated that Articles 22, 23, 28, 31, and 46 of the Constitution were violated, and that the petitioners were placed at risk of unlawful exposure, misuse, or dissemination of their personal data arising from that systemic compromise.
“Declarations are hereby issued that the Respondent violated the Petitioners’ constitutional rights under Articles 28, 31, and 46 of the Constitution,” read the ruling in part.
“An award of General Damages for breach of constitutional rights in the sum of Kenya Shillings Nine Hundred Thousand Ksh 900,000.00 is hereby granted to each of the Petitioners, to be borne by the Respondent. The said award shall attract interest at court rates from the date of this Judgment until payment in full.”
Safaricom to Pay 11 Kenyans Ksh 900,000 Each
The Judge emphasized that Article 31 of the Constitution guarantees the right to privacy, including the right not to have information relating to one’s private affairs unnecessarily acquired or revealed, and the protection of the privacy of communications.
At the same time, the judge cited Article 28, which guarantees the inherent dignity of every person and the right to have that dignity respected and protected.
Mwamuye ruled that when corporates like Safaricom collect sensitive data such as betting patterns and geolocation, they cannot hide behind “rogue employees” when that data is leaked.
According to Mwamuye, entities handling personal data must adopt adequate safeguards against misuse.
“When personal data of millions is exposed, privacy ceases to be an abstract constitutional promise and becomes a lived vulnerability,” Mwamuye ruled.
He further ruled that the Constitution does not permit vulnerability to be normalized through technological convenience or institutional denial.
Mwamuye ruled that requiring each petitioner to prove explicit extraction of their data after a systemic breach would impose an impossible evidential burden and shield large data controllers from constitutional accountability.
Petitioners' Argument
The petitioners, in their rejoinder submissions, argued that Safaricom collected, stored, and exercised exclusive control over users’ personal, financial, and transactional data, which was allegedly unlawfully accessed and disseminated by employees acting in the course of employment between 2018 and 2019.
According to the petitioners, Safaricom’s systems were infiltrated through what they described as a prolonged and coordinated scheme involving rogue employees who unlawfully accessed and extracted subscriber data, then allegedly shared it with third parties, including betting firms, for commercial gain.
The petitioners argued that Safaricom, as a data controller, failed in its constitutional duty to safeguard sensitive customer information and allowed employees unrestricted access to personal subscriber data.
“WhatsApp chat messages by the Respondent’s employees reveal more than just ordinary data harvesting and hawking. It shows that the Respondent had granted unlimited access to its employees to violate personal data,” court documents filed in the case stated.
Safaricom’s Response
Safaricom, however, disputed the claims, arguing that the allegations lacked expert or economic evidence and that the cited comparative jurisprudence on data protection primarily applies to state-driven surveillance systems rather than to private actors.
The company anchored its defence on the doctrine of vicarious liability under the principle of respondeat superior, contending that it cannot be held liable for the independent criminal acts of former employees allegedly undertaken in pursuit of personal gain and wholly outside the scope of their employment.
Reliance was placed on WM Morrison Supermarkets PLC v Various Claimants [2020] UKSC 12, where the United Kingdom’s Supreme Court held that an employer was not vicariously liable for an employee’s deliberate disclosure of payroll data, the act having been motivated by personal vengeance and found to be insufficiently connected to the employer’s business operations.
However, the court observed that the constitutional architecture under Article 31 imposes obligations that are not simply derivative of employment relationships, but affirmative, structural, and non-delegable in character on any entity that collects, controls, and processes personal data at scale.
In Nubian Rights Forum & 2 Others v Attorney General & 6 Others [2020] eKLR, the court held that entities handling personal data are constitutionally obliged to adopt adequate technical and organizational safeguards against unauthorized access and misuse.
Likewise, in Okiya Omtatah Okoiti v Communications Authority of Kenya & 8 Others [2018] eKLR, the court affirmed that the right to privacy under Article 31 is capable of horizontal application and binds both state and private actors who engage in the surveillance of personal data.




