Safaricom, Kenya’s largest mobile operator, has denied allegations of sharing information with government agencies after a publication alleged the telco granted Kenyan security agencies real-time access to customer data.
“There have been some reports on this matter that, in my view, are not accurate, and we have made our position clear to those who have misreported it,” Safaricom CEO Peter Ndegwa said during Thursday’s H1 results presentation.
“We serve 36 million customers on the consumer side and 33 million on M-PESA. If we were sharing customer data, it would lead to a crisis and chaos in our business. The 6000 people who work in our business have a code of conduct in the way they operate and the way they are supposed to handle information. There is some information that cannot be shared across functions.”
That publication claimed authorities could access key customer personal data, including sensitive call data records (CDRs) and location data.
On October 31, Safaricom denied the claims, saying CDRs do not include location data.
“CDR does not show any live location and movements of customers but are generated after a call is terminated and for text messages once they are sent or received and this is for purposes of billing only,” the company said.
The publication also alleged that Safaricom partnered with Neural Technologies, a British company, to develop software granting Kenyan security services real-time access to CDRs.
The system, which includes predictive profiling tools, allegedly allows security agencies to trace individuals and their associates by tracking movement patterns. The publication’s multiple mentions of the tool sparked concerns among Kenyans over privacy violations.
Safaricom claimed it hired the company to implement a fraud detection tool for its business.
“In July 2012, Safaricom onboarded Neural Technologies to implement a Fraud Management System (FMS) on all our business lines, including our mobile money system,” it said on October 31.
According to Kenyan data protection laws, data controllers and processors must obtain consent from data subjects before sharing personal data with third parties.
Companies must comply with the same laws, including registering with the Office of the Data Protection Commissioner (ODPC) and following guidelines for the lawful processing and sharing of personal data.
“We do not share any customer data unless explicitly required of us via a court order.”