Dear listers,

See this case in twitter. A lady was carjacked, her phone stolen and mpesa transferred to other numbers by thieves. Safaricom does not want to reveal the beneficiary numbers for the criminal transactions to the registered line owner. This is despite them going to Safaricom with an OB number.

Question:

1. Is Safaricom justified to use data protection for its reason to decline request for information? What’s the real intention of the DPA?

2. Where are consumer and data protection rights on the side of the line owner? Esp where data protection policy is in conflict with consumer interests?

3. The line infrastructure belongs to Safaricom, but who does the transaction data belong to? And how do they share the responsibilities to protect the data?

4. Are there laws to solve this situation in the interest of the customer? Do we need to amend some?