A Kenyan court just changed the rules for every organization that collects personal information. Think about every organization that has your data right now: your mobile network, bank, health insurer, the security system that scanned your ID at the door, the betting app that knows your transaction history, and the government agency that issued your documents. Every one of them holds information about your location, finances, identity, and behaviour in a database you have never seen and cannot access. Until mid-May 2026, many of these organizations operated under a comfortable assumption: as long as they did not intend for something to go wrong, they would not be responsible if it did.
On 13 May 2026, the High Court of Kenya dismantled that assumption. Eleven Safaricom subscribers went to court. They complained that between 2018 and 2019, their personal data, including M-Pesa transactions, betting patterns, location data, and identity details, was taken from Safaricom’s internal systems and sold to betting companies. They argued that Safaricom, the company entrusted with that data, should be held accountable. Safaricom’s defence was simple: “We did not do it. Former employees did. They went rogue. We were victims too.”
The Court found Safaricom liable anyway. The “rogue employee” argument is one of the oldest shields in institutional crisis management. Something goes wrong internally, individuals are identified and blamed, and the organization presents itself as the victim instead of the responsible party. It may sound logical, but after this judgment, it is no longer enough, at least in Kenya and especially when personal data is involved.
The Court’s reasoning was direct. The employees who extracted and sold subscriber data used systems that Safaricom built, maintained, and controlled. They had access because Safaricom gave it to them. The data moved through Safaricom’s infrastructure for months without being detected or stopped. This was not simply a story about bad individuals. It was a story about an institution that failed to take the risk seriously enough.
Under Article 31 of Kenya’s Constitution, every organization that collects and stores personal data has a duty to protect it. This is a constitutional obligation, and that duty does not disappear because an employee abuses access.
This is the part that matters beyond Safaricom, beyond this case, and beyond the eleven petitioners. If you are a hospital, school, bank, government ministry, tech startup, telecom provider, insurance company, CSO, or CBO and you collect personal data from Kenyans, this ruling is speaking directly to you. The question is no longer whether you intended for a breach to happen. The question is whether you did enough to prevent one. Did you control who had access to sensitive data? Did you have systems to detect unusual extraction or transmission of information? Did you encrypt sensitive data? Did you design your systems with the understanding that the data belongs to real people?
If the answer to these questions is “no” or “we are not sure,” the Court has now made it clear that constitutional liability can follow, not just bad publicity or regulatory fines. Organizations now face constitutional accountability, including damages awarded to people whose rights were violated. Before this ruling, the burden in a data breach case fell almost entirely on the person whose data had been taken. For an individual subscriber with no access to a company’s internal systems, that burden was almost impossible to meet.
The Court rejected that logic. Once a systemic breach is established, and once it becomes clear that an organization’s data systems were compromised at scale, the organization must show that a person’s data was not affected. The imbalance of information cannot work against the individual who had no control over the system in the first place. That shift matters because scale is no longer a shield. The bigger your database, the greater your responsibility to secure it.
The eleven petitioners will receive damages, and that is right and just. However, approximately 11.5 million subscribers were affected by the same breach, and most of them will receive nothing from this ruling. Many of them never knew their data had been exposed and probably still do not.
This judgment gives a name to what happened to them. It establishes, as part of Kenya’s constitutional record, that this kind of harm is real, recognized, and compensable. The architecture for accountability now exists. Amnesty Kenya, in partnership with the Data Privacy and Governance Society of Kenya, has developed the CSO Data Protection Guidelines. Whether you run an NGO, a community organization, a health clinic, or a small business, these guidelines provide practical steps on access controls, data minimization, staff protocols, and breach response.
The ruling has raised the standard of accountability, and these guidelines can help organizations meet it. Access them here: https://www.amnestykenya.org/wp-content/uploads/2025/10/CSO-Data-Protection-Guidelines-Final.pdf