Kenya's High Court has handed down a privacy judgment that does more than punish one company — it establishes that data-breach victims can win damages in constitutional court entirely outside the statutory regime that the country built for exactly this purpose. In Constitutional Petition E095 of 2026, decided in May 2026, Justice Bahati Mwamuye ordered Safaricom to pay Ksh 900,000 to each of 11 petitioners — Ksh 9.9 million in total — over an insider breach that, between June 2018 and May 2019, exposed the M-Pesa records, geolocation history and betting profiles of more than 11.5 million subscribers (Techweez).
What the court actually held
The ruling rests on three constitutional provisions: Article 31 (privacy), Article 28 (dignity) and Article 46 (consumer protection). Two holdings matter most. First, the court rejected Safaricom's "rogue employee" defence, finding that because the staff who extracted and sold the data operated inside an ecosystem the company built, owned and was obliged to secure, the systemic failure was the institution's responsibility — a non-delegable duty (HapaKenya). Second, and more consequentially, the court treated the breach of Articles 31 and 28 as compensable through reputational and psychological harm, without requiring petitioners to prove any financial loss.
Both holdings are defensible. The case for them is strong and deserves to be stated plainly: a telecom that monetises trust cannot escape liability by pointing at its own employees, and forcing breach victims to itemise shillings lost would make most privacy harms — which are dignitary, not pecuniary — practically unenforceable. On the merits of accountability, the judgment is sound and overdue.
The problem is the architecture, not the outcome
Kenya already has a purpose-built privacy enforcement system. The Data Protection Act, 2019 — enacted specifically to give effect to Article 31 — created the Office of the Data Protection Commissioner (ODPC) and two distinct remedies: administrative penalties and a statutory compensation right. Section 65 of the Act lets any person who suffers damage from a contravention claim compensation directly from the controller or processor. The ODPC, meanwhile, runs an active determination regime, publishing complaint decisions and suo motu investigations across banking, fintech, education and telecoms (ODPC 2025 Determinations).
That regime is deliberately proportionate. The maximum administrative fine the Data Commissioner can impose is Ksh 5 million, or 1% of annual turnover, whichever is lower (Securiti DPA Guide). In practice the office has used it sparingly: one batch of three penalty notices in 2024 totalled Ksh 9,375,000 across all three controllers combined (ODPC penalty notices).
Now compare the numbers. The regulator's statutory ceiling for an entire company is Ksh 5 million. The constitutional court just awarded nearly double that — Ksh 9.9 million — to eleven individuals, with the breach class numbering in the millions. The court route carries no cap, no turnover tether, and no requirement to show loss. The legislature's careful calibration of proportionate penalties has, in effect, been routed around.
Why this should worry pro-innovation policymakers
None of this means Safaricom should have escaped consequences — it should not have. The concern is systemic predictability. A functioning digital economy needs enforcement that is certain, proportionate and forum-coordinated, so that firms can price compliance risk and invest accordingly. Kenya now has at least three overlapping privacy tracks: ODPC administrative penalties, Section 65 statutory damages, and uncapped constitutional petitions. They are not sequenced, and they apply different liability standards to the same conduct.
The immediate worry is open-ended exposure. Analysts who welcome the ruling nonetheless note that it establishes a per-victim baseline that could anchor mass class actions large enough to "financially cripple even the largest market leaders." Apply Ksh 900,000 to even a fraction of 11.5 million subscribers and the figure becomes untethered from any sense of proportion to the wrong. Uncapped, uncoordinated liability of that magnitude does not deter sloppy data governance more efficiently than a credible regulator does — it converts privacy enforcement into a lottery whose payouts depend on which forum a claimant picks.
The better design is not weaker enforcement but coherent enforcement. The ODPC should be resourced and empowered to be the primary, expert venue — its Ksh 5 million cap is plausibly too low for a breach of this scale and is worth revisiting upward, precisely so that proportionate administrative penalties remain the main deterrent rather than a rounding error litigants bypass. Constitutional petitions should remain available for genuine rights failures, but courts and the regulator need doctrine on deference and double-recovery so that a single breach does not generate three uncoordinated liabilities.
The takeaway
Kenya's judiciary has affirmed something important: privacy is a constitutional right with real teeth, and corporate Africa cannot delegate it away. That is a genuine advance for digital trust. But teeth without calibration bite unpredictably. The challenge for Kenyan policymakers in 2026 is to harmonise the courtroom and the regulator into one proportionate system — before legal uncertainty, not weak privacy law, becomes the binding constraint on the digital economy that M-Pesa helped build.