Kenyan Court Kills 'Rogue Employee' Defence In Landmark Data Breach Ruling
WeeTracker | By Staff Reporter | May 19, 2026
A Kenyan High Court ruling that ordered Safaricom to pay KES 9.9 M (USD 76 K) for a massive data breach has effectively killed the “rogue employee” defence, placing corporate Africa on notice that constitutional privacy obligations cannot be outsourced or delegated.
In a judgment delivered on May 13, Justice Bahati Mwamuye of the Constitutional and Human Rights Division found that the telecoms giant violated the rights of 11 subscribers whose personal and financial data, including betting histories, M-Pesa transaction records and geolocation information, was extracted by employees and sold to betting companies including Odibets between 2018 and 2019.
The breach compromised information belonging to more than 11.5 million subscribers, making it one of the largest known violations of subscriber privacy on the African continent.
Safaricom’s defence rested on what had previously been a reliable corporate shield, claiming rogue employees acted outside their authority. The company argued that because the individuals—including a manager of networks and M-Pesa systems who designed a bespoke algorithm to mine subscriber data—acted without authorisation, the institution itself should not bear constitutional responsibility.
The court rejected that argument entirely.
“The breach happened because of systemic failures inside Safaricom’s own infrastructure, poor data governance, weak internal oversight, and inadequate security controls,” the judgment found. “The rogue Safaricom employee could only do what they did because the system made it possible. That is on the company.”
Justice Mwamuye went further, ruling that Article 31 of Kenya’s Constitution, the right to privacy, imposes a “positive and non-delegable duty” on data controllers.
The court also found violations of Article 28, the right to dignity, and Article 46 on consumer protection, significantly expanding the definition of harm in data breach cases.
Under the ruling, a person whose data leaks does not need to demonstrate financial loss to have a valid claim. Reputational damage and psychological harm are sufficient.
Each of the 11 petitioners was awarded KES 900 K in general damages, with interest accruing from the date of judgment until payment in full. Safaricom was also ordered to bear the full costs of the petition.
But the real significance lies in what comes next. The court’s reasoning applies to every bank, telco, insurer, health provider and government body sitting on large volumes of personal data across the continent.
“If a breach happens and you cannot show clear documentation of who had access to what, what monitoring was in place, and how quickly you would have caught unusual activity, you are exposed,” the judgment warned. “The rogue employee story will not save you.”
Observers say the ruling establishes a binding precedent that will shape data protection litigation across Kenya and beyond.
Safaricom, which has not yet indicated whether it will appeal, is now staring down the barrel of cascading litigation. The court’s findings, that employees extracted and trafficked subscriber data to named betting firms over a sustained period, have opened the door for millions more affected subscribers to seek redress.