Some digital lenders have resumed harassing borrowers on their platform, even in cases where laws protect them against personal data abuse. The Office of the Data Protection Commissioner (ODPC) has stepped in.

The Office of the Data Protection Commissioner (ODPC) has fined three entities a total of KES 9.3 million ($63,500) in a move set to further enforce sanity in the online lending space in the country. Mulla Pride Ltd, which operates two online credit platforms, KeCredit and Faircash, has received a KES 2.9 million ($20,000) million penalty. According to the ODPC, the company used personal contact information from third parties to shame borrowers into paying their loans.

“The Digital Credit Provider (DCP) was found culpable of using names and contact information of the complainants which were obtained from third parties, and subsequently used to send threatening messages and phone calls. This penalty will ensure that Digital lenders and financial institutions notify data subjects when collecting and processing their data, and the intention of processing the said data,” the ODPC said in a statement.

The penalty is interesting because Mulla Pride Ltd. has not received a licence to operate as a digital credit provider. The two lenders – KeCredit and Faircash – do not appear in the approved list by the Central Bank of Kenya (CBK). Kenya has a list of registered 32 digital lenders, including Branch, Tala, and Zenka.

Existing data law requires data to come directly from the individual, but digital lending apps also collect and process data from the borrower’s smartphone and other sources without consent. Consent, as defined by the law, must be clear and informed. Many consumers are unaware of this data collection method.

The Data Protection Act, 2019 requires data processors to inform data subjects about processing activities. This includes informing them about their rights, data collection purposes, sharing with third parties, contact details of entities receiving the data, security measures, mandatory and voluntary data collection, and consequences of not providing certain data. However, it is apparent that Mulla Pride Ltd. did not adhere to this law, thus the fine.

A few months ago, the ODPC was uncertain how to fine digital lenders that misuse personal data. By law, these companies can be fined up to KES 5 million ($33,800), which isn’t big enough a punishment for highly profitable lenders. However, data commissioner Immaculate Kassait hinted at possible future changes.

Kenya’s unregulated online lending industry allowed loan apps to harass people for years. The absence of regulations may have prompted the Data Protection Act, 2019. Before the bill, online lenders could offer loans to locals at high-interest rates, targeting anyone with a mobile money account (M-PESA) and a smartphone. These lenders, however, started abusing the personal data they collected, resorting to shaming and predatory tactics against defaulting borrowers.

Get the best African tech newsletters in your inbox