The Kenya Office of the Data Protection Commissioner (ODPC) has fined digital lender Whitepath KES 250,000 ($2,000) for violating data privacy laws.
Court records show that Whitepath, which operates the Instarcash and Zuricash loan apps, listed an individual as a guarantor without their consent and subjected them to debt collection calls after the borrower defaulted.
This is not the first time the company has been fined by the court. This case also highlights the growing regulatory pressure on digital lenders in Kenya. Companies are under strict scrutiny for aggressive debt collection tactics and mishandling customer data.
Despite Whitepath’s failure to respond to regulatory inquiries, Kenya’s Data Protection Act ensured enforcement.
The ODPC ruled that Whitepath had no legal basis for processing the complainant’s data, as listing someone as a guarantor requires explicit consent, which was never obtained.
The company also violated data protection laws by failing to notify the individual that their data was being used.
Along with the fine, the court instructed Whitepath to delete the complainant’s data and provide proof of compliance.
Previously, in April 2023, the ODPC had fined Whitepath KES 5 million for nearly 150 complaints alleging unauthorized access to borrowers’ contact lists and sending unsolicited messages.
Although regulatory penalties have increased recently, the adequacy of the current fines remains a topic of debate. A penalty of KES 250,000 ($2,000) may not cause significant problems for the company.
To reduce such cases, stronger deterrent measures, including higher fines, may be needed to prevent repeat offenses.