The huge responsibility around Safaricom Data Stewardship cannot be overstated. If connectivity is the rail and M‑PESA the toll gate, then data is the cargo moving across Safaricom’s network — vast, valuable, and increasingly contested. With over 43 million subscribers, Safaricom holds the most extensive consumer dataset in Kenya’s corporate history. The question is no longer whether it can monetise this data, but whether it can do so without eroding trust, triggering regulatory pushback, or constraining competition.
Safaricom Data Stewardship: Privacy, Power, and Public Trust
Safaricom’s Data Troves — Strategic Asset or Emerging Liability?
The scale of collection is massive, almost immeasurable. Every call, text, M‑PESA transaction, data session, and tower hand‑off generates metadata:
- Transactional: amounts, counterparties, timestamps.
- Location: cell‑site triangulation, GPS from apps.
- Behavioural: browsing patterns, app usage, recharge frequency.
Billions of such data points flow through Safaricom’s systems daily. Commercially, they power targeted marketing, churn prediction, credit scoring for products like Fuliza, and network optimisation. In FY25, “other revenue” — which includes enterprise analytics — grew 14% year‑on‑year, underscoring the monetisation potential.
The risk vector
These same troves are a liability if mishandled. Breaches, insider leaks, or misuse could trigger penalties under Kenya’s Data Protection Act (2019), reputational damage, and litigation. Globally, telecommunications companies (telcos) have faced fines in the billions for privacy violations. Kenya’s Office of the Data Protection Commissioner (ODPC) has already issued compliance notices to multiple firms, signalling a more assertive enforcement era.
As one Nairobi privacy lawyer noted: “In the digital economy, data is both the fuel and the fuse. Mishandle it, and the explosion is reputational before it is financial.”
National Security vs. User Trust — Walking the Tightrope
Lawful interception realities
Kenyan law permits lawful interception for national security and crime prevention, subject to warrants. As the dominant operator, Safaricom is the primary conduit for such requests. While volumes are undisclosed, industry insiders confirm compliance is routine.
Perception risk
In 2023, civil society groups raised concerns over alleged SIM‑registration data misuse and potential location tracking without adequate oversight. Even unproven, such narratives can erode public trust — especially when the same operator is custodian of both communications and financial transaction data.
Transparency as a differentiator
Global peers increasingly publish transparency reports detailing government data requests, rejection rates, and legal bases. Safaricom has yet to adopt this practice, unlike MTN Group, which began limited disclosures in 2022.
The inclusion paradox
Fuliza and M‑Shwari use behavioural scoring to decide who gets credit. But how are those scores built? Can users challenge them? Are they shared with third parties? Without clear answers, what appears to be financial inclusion begins to feel like surveillance in disguise.
Global Benchmarks — Where Safaricom Stands
The regulatory baseline
Kenya’s Data Protection Act mirrors many GDPR principles:
- Lawful, fair, transparent processing.
- Purpose limitation and data minimisation.
- User rights to access, rectify, and erase data.
Enforcement capacity, however, is still developing. The ODPC has fewer resources than European regulators, and cross‑border data flow rules remain under‑developed — a gap as Safaricom expands into Ethiopia and beyond.
Comparative positioning
- GDPR (EU): Explicit consent, heavy fines (up to 4% of global turnover).
- CCPA (California): Opt‑out rights for data sales, mandatory disclosure of categories collected.
- POPIA (South Africa): Strong consent and breach‑notification rules.
Safaricom’s privacy policy aligns with Kenyan law but could be strengthened with GDPR‑level consent granularity, opt‑outs for non‑essential processing, and independent audits.
Opportunity for leadership
Going beyond compliance could position Safaricom as Africa’s privacy benchmark:
- Publish annual transparency reports.
- Offer user-friendly data dashboards with granular consent controls.
- Certify all new products as “privacy‑by‑design.”
Strategic Imperatives for the Data Era
- Make privacy a brand pillar: Treat it as a competitive asset, not a compliance checkbox.
- Collect less, anonymise more: Operationalise data minimisation.
- Educate at scale: National campaigns on data rights and safe digital practices.
- Shape regional rules: Lead in harmonising EAC and AfCFTA data governance.
- Invite independent oversight: Third‑party audits to validate privacy claims.
The Stakes | Safaricom Data Stewardship
In the connectivity era, the danger was under-used infrastructure. Today, in the data economy, the real threat is overreach — exploiting ubiquity to harvest more than users knowingly consent to. One stalls progress; the other can collapse it in an instant.
Safaricom won’t be judged solely by regulators — it will be held accountable by millions of Kenyans whose digital lives it touches every day. Handle it well, and data becomes the flywheel for innovation, inclusion, and regional leadership. Mishandle it, and it becomes the fuse that ignites distrust — a force no marketing budget can extinguish.