In Constitutional Petition E095 of 2026, the High Court ordered corporate giant Safaricom PLC to pay Ksh. 900,000 in general damages to each of 11 petitioners (totaling Ksh. 9.9 million) for a systemic data breach that occurred between June 2018 and May 2019.

For a company that generates billions in annual revenue, a Ksh. 9.9 million payout is minor. However, the true weight of this ruling lies not in the figures, but in the legal architecture dismantled by the court. By establishing new precedents around corporate accountability, data stewardship, and human dignity, the High Court has rewritten the rules for any entity collecting personal data in Kenya.

For years, major corporations operating in Kenya have insulated themselves from liability during data leaks by pointing fingers inward. When customer data leaked, the standard corporate defense was simple: a rogue employee acted outside their authorized mandate, making the employee a criminal and the company a fellow victim.

The case, brought forward by Austin Taabu and ten other subscribers, presented forensic evidence and internal communications, including WhatsApp chats and Google Drive links, showing that Safaricom staff were actively extracting and selling sensitive subscriber data to external third parties, including betting firms.

The court ruled that because these employees operated within an ecosystem built, maintained, and owned by Safaricom, the systemic flaws that allowed the exploitation are the ultimate responsibility of the institution. Under Article 31 of the Constitution (the Right to Privacy), the court held that a data controller bears a positive, non-delegable duty. A company cannot outsource its data security obligations to internal compliance divisions or blame a lone wolf; the buck stops entirely at the corporate level.

Traditionally, plaintiffs in data breach litigation have struggled to secure damages unless they could prove direct financial loss, such as funds being fraudulently skimmed from a bank account. Safaricom leaned on this argument, contending that the petitioners had not demonstrated individualized financial harm.

The High Court rejected this narrow interpretation by explicitly linking data privacy to Article 28 (the Right to Dignity). The leaked information included M-Pesa transaction records, device identifiers, geolocation data, and betting histories. The court recognized that exposing a person’s private life, habits, and financial records causes deep psychological distress and reputational injury.

Under this new precedent, a victim of a data breach no longer needs to prove financial loss to seek constitutional compensation. The violation of their privacy and the assault on their personal dignity are enough to warrant damages. Furthermore, the court tied data security directly to Article 46 (Consumer Protection), ruling that a failure to protect customer data at scale constitutes a deficient service. Data security is no longer just a checkbox in a terms-of-service agreement; it is a constitutional standard of consumer safety.

In a major procedural victory for citizens, the ruling fundamentally alters how data litigation will be fought in Kenyan courts. Historically, the legal asymmetry heavily favoured corporations, as ordinary citizens lacked the technical infrastructure to prove exactly how their data was leaked from a closed corporate database.

The court ruled that once a petitioner establishes a prima facie case showing a systemic compromise within an infrastructure, the evidential burden shifts to the corporation. It is now up to the data controller to prove the integrity of its systems and demonstrate that the specific claimants were excluded from the compromised data.

Companies must immediately adopt Zero Trust architectures, implementing strict end-to-end data encryption, rigorous identity access management, and unalterable audit logs. If an organization cannot definitively track who accessed a customer’s data and why, it is legally exposed.
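One concrete form of the "unalterable audit log" the paragraph above calls for is a hash-chained access log: every access to a subscriber record is written together with the identity of the staff member, the action, a stated purpose, and the hash of the preceding entry, so that any later edit or deletion breaks the chain and is detectable. The following is an added illustration and is not code from the article, from the court record, or from Safaricom; the actor names, subscriber identifiers and purposes are constructed for the example.

```python
"""Hash-chained access audit log (added example, not from the page).

Records who accessed which subscriber record, what they did and why,
and lets an auditor prove after the fact that no entry was altered or
removed from the middle of the log. All identifiers are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stands in for the hash of the (non-existent) entry before the first


@dataclass
class AuditEntry:
    seq: int            # position in the log; a gap reveals a deleted entry
    actor: str          # staff identity as issued by the IAM system (constructed)
    subject_id: str     # pseudonymous subscriber identifier (constructed)
    action: str         # e.g. "read" or "export"
    purpose: str        # justification captured at the moment of access
    prev_hash: str      # entry_hash of the previous entry, chaining the log
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so the hash does not depend on field ordering.
        payload = json.dumps(
            {"seq": self.seq, "actor": self.actor, "subject_id": self.subject_id,
             "action": self.action, "purpose": self.purpose,
             "prev_hash": self.prev_hash},
            sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, actor: str, subject_id: str, action: str, purpose: str) -> AuditEntry:
        """Append one access record; access without a stated purpose is refused."""
        if not purpose.strip():
            raise ValueError("every access must carry a purpose")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = AuditEntry(len(self.entries), actor, subject_id, action, purpose, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry.seq != i or entry.prev_hash != prev
                    or entry.compute_hash() != entry.entry_hash):
                return False, i
            prev = entry.entry_hash
        return True, None

    def accesses_to(self, subject_id: str) -> List[Tuple[str, str, str]]:
        """Answer the question a court now expects a controller to answer: who touched this record, and why."""
        return [(e.actor, e.action, e.purpose)
                for e in self.entries if e.subject_id == subject_id]


def demo() -> Tuple[bool, bool, Optional[int], List[Tuple[str, str, str]]]:
    log = AuditLog()
    log.record("agent-0417", "SUB-000123", "read", "customer complaint ticket C-8812")
    log.record("agent-0417", "SUB-000124", "export", "regulator request R-77")
    log.record("analyst-09", "SUB-000123", "read", "fraud review F-31")
    intact_before, _ = log.verify()
    # Someone later rewrites the justification of the export in place;
    # the stored hash no longer matches the entry, so verification fails at index 1.
    log.entries[1].purpose = "routine maintenance"
    intact_after, bad_index = log.verify()
    return intact_before, intact_after, bad_index, log.accesses_to("SUB-000123")


if __name__ == "__main__":
    print(demo())
```

The chain detects in-place edits and removals from the middle of the log (the sequence check catches a gap), but truncating the tail leaves a valid shorter chain; in practice the latest entry hash is periodically anchored somewhere the log writers cannot reach, such as a write-once store or an external timestamping service, and the log itself is written from a service account that staff cannot impersonate.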

While Safaricom was ordered to pay 11 petitioners, the underlying breach is estimated to have exposed the records of over 11.5 million subscribers. Now that the High Court has ruled a systemic breach occurred and set a baseline of Ksh. 900,000 per person, the floodgates are open for mass class-action lawsuits that could financially cripple even the largest market leaders. Consequently, corporate expenditures on data protection compliance and cyber liability insurance premiums are expected to soar.

Crucially, the ruling serves as an unambiguous warning shot to the Kenyan government. The state is currently undergoing an aggressive digital transformation, aggregating massive volumes of sensitive citizen data onto platforms like eCitizen, the National Transport and Safety Authority (NTSA), and the Social Health Insurance Fund (SHIF).

By establishing that data privacy is a non-delegable constitutional right, the High Court has put state agencies on notice: if a public database suffers a systemic leak, the government will be held to the exact same stringent standard of financial and constitutional accountability.