Safaricom Accused of Disclosing Moi University Student’s Data to Police Without Court Order

KNlegalassociates > Blog > Uncategorized > Safaricom Accused of Disclosing Moi University Student’s Data to Police Without Court Order

A Safaricom officer has admitted in court that the telecom firm shared a student’s call details, location, and other personal data with police without a judicial warrant, triggering concern over privacy rights and legal compliance. Kenya Insights+2lawguide.co.ke+2


In September 2025, at Nairobi’s Milimani Law Courts, a Safaricom security investigator confirmed that the company furnished the Directorate of Criminal Investigations (DCI) with sensitive personal data including call records, location data and subscriber information of David Oaga Mokaya, a Moi University student charged over a viral social media post about President Ruto’s death, without first obtaining a court order. Kenya Insights+1

Timeline of Events

  • November 13, 2024: The DCI alleged incident David Oaga Mokaya is said to have posted a fabricated death announcement about President William Ruto. Kenya Insights+1
  • November 14, 2024: Safaricom security received a request from DCI for call data records (CDRs) and subscriber information for four mobile numbers as part of the Mokaya investigation. Kenya Insights
  • November 28, 2024: Safaricom reportedly submitted a report covering communications between October 15 and November 13, 2024, to DCI. This report allegedly included SMS and call records, location data. Kenya Insights
  • At some point between November 2024 and early 2025: Mokaya was arrested and charged. (Exact date of arrest in public/media sources is November 2024. Kenya Insights+1)
  • September 2025: In court (Milimani Law Courts), a Safaricom security officer named Daniel Khamisi testified that Safaricom released Mokaya’s data to DCI without a court order. Kenya Insights+1

Background on the Allegation

The controversy centers on David Oaga Mokaya, a student at Moi University, who was charged with publishing a false social media post claiming President William Ruto had died. As part of the investigation, the DCI made a request to Safaricom for information, which included call detail records, subscriber identity, and location data for several mobile numbers over a period of time. According to court testimony, Safaricom complied with the request in late November 2024, furnishing data without first obtaining a judicial warrant or court order. Kenya Insights+2lawguide.co.ke+2

The key point of contention is procedural: whether Safaricom lawfully released personal, sensitive data to law enforcement without judicial oversight, which may breach Kenya’s legal frameworks for privacy and data protection. Kenya Insights+1

Safaricom’s Public Response

So far, Safaricom has publicly maintained a policy position that it does not release customer data unless explicitly required via a court order. This is drawn from its “Position Statement on Data Privacy,” made public in October 2024. Safaricom

There is no public statement (in the sources reviewed) in which Safaricom confirms or denies this particular incident in full detail, though the testimony in court (via its security officer) implies that in this case, they did not seek or obtain a court mandate before sharing with DCI. Kenya Insights

Police / DCI Position (What Is Known)

  • A Safaricom security officer (Daniel Khamisi) testified that DCI requested subscriber and call data records, which Safaricom provided. Kenya Insights
  • The lead DCI officer, Chief Inspector Bosco Kisau, admitted in court under cross-examination that a warrant for Mokaya’s electronic devices was only obtained after the student’s arrest, indicating procedural anomalies or delays in judicial oversight. Kenya Insights
  • It is not clear from existing reports whether the DCI claims that an emergency or exception justified bypassing a court order, or whether they believe the data was needed urgently for investigation. No public statement specifying that justification has been located in the sources reviewed. (If such exists, not yet made public or reported.)

University / Student Perspective

  • Mokaya’s case remains controversial. Supporters argue that his rights to privacy and due process have been violated by the un-warranted disclosure of his private information.
  • There is public concern, expressed in media and social media, that sensitive personal data (location, device identifiers, call records) were exposed – some saying this could intimidate students or chill free speech. Nation Africa+2lawguide.co.ke+2
  • The university itself (Moi University) has not, in the sources reviewed, made a detailed public statement (at least as of this writing) about the data-disclosure component of the case or whether institutional protections for student data have been breached.
  • It is unclear whether Mokaya has filed any privacy-based legal claim separate from the criminal charge, or whether he is contesting admission of the data in court on the basis of breach of procedure. The court testimony itself is the primary source raising the allegation. Kenya Insights+1

Legal and Regulatory Context in Kenya

  • Constitution of Kenya 2010 protects privacy, including the privacy of communications. DLA Piper Data Protection+1
  • Data Protection Act No. 24 of 2019 (in force since November 25, 2019) is the main statute governing processing of personal data, rights of data subjects, obligations of controllers/processors. DLA Piper Data Protection
  • The Act provides for lawful processing, requiring that personal data be processed fairly, transparently, for specified purposes; sensitive personal data has additional protections. Disclosures to law enforcement must meet certain legal grounds. DLA Piper Data Protection
  • Also relevant: Kenya Information and Communications Act, SIM registration regulations, etc., which govern how telecoms must handle subscriber data, registration data, and access by law enforcement. Previous cases (e.g. Ng’etich v Safaricom) have shaped how subscriber data requests must be handled. Kenya Law
  • Under Kenyan law, generally, law enforcement requests for subscriber data or call/data records require a production order or court process; emergency exceptions may exist but must be justified. (In earlier statements, Safaricom’s privacy policy says they share data only when “explicitly required of us via a court order.”) Safaricom+2lawguide.co.ke+2

Expert Commentary on Privacy / Data Protection

  • Privacy and civil liberties advocates have raised alarms over what this case could mean for broader citizen rights: if telecom companies provide law enforcement with detailed user data without judicial oversight, there is risk of misuse, overreach, and chilling effects—particularly for speech, academic freedom, political dissent.
  • Experts say that disclosure of IMEI/device identifiers, location data, SMS/call time logs constitute sensitive personal data, and any breach of procedural protections (court orders, warrants) risks violating both statutory data protection law and constitutional guarantees.
  • Regulatory authorities (e.g., the Office of Data Protection Commissioner) could investigate such a disclosure. They might assess whether Safaricom violated its obligations as a data controller under the law. Penalties exist under the Data Protection Act for non-compliance. DLA Piper Data Protection+1
  • Legal scholars also warn about precedents: past cases where telecoms cooperated with law enforcement have sometimes pushed at edges of lawfulness; clearer guidelines, stronger oversight, transparency, and audits are recommended.

Likely Consequences

  • For Safaricom: potential legal exposure if the court or Data Protection Commissioner finds that the company violated law, it may face sanctions, enforcement notices, fines, or having to change internal policies and procedures. Also reputational damage among customers concerned about privacy.
  • For the Student / Defendant (Mokaya): possible ability to challenge the admissibility of the evidence given procedural irregularities; if disclosure was unlawful, parts of the data may be excluded from the case. Also, psychological impact and risk to personal safety depending on how widely data was disclosed.
  • For Law Enforcement / DCI: scrutiny over investigation practices; potential requirement to ensure requests go through proper judicial process. Risk that evidence collected without lawful authorization could be voided or weaken prosecutorial case.
  • Broader Privacy Climate: Increased public concern; possibly more demands for transparency from telecoms, stronger oversight from regulators; potential chilling effect on free expression if individuals fear speech could lead to surveillance without checks.

What Comes Next

  • The court process will likely explore whether the evidence was lawfully obtained. Mokaya’s defense may file motions to suppress the data or argue constitutional violations.
  • The Office of the Data Protection Commissioner (ODPC) may open an investigation into the incident, possibly imposing administrative sanctions under the Data Protection Act if non-compliance is found.
  • Safaricom might review and clarify its internal protocols for handling law enforcement requests, possibly tighten policy to ensure no disclosure without court order (if that standard is upheld).
  • Policymakers or legislators may push for clearer guidance or amendment to existing law/regulation to prevent ambiguity over exceptions (e.g. emergencies, warrantless searches).
  • Civil society, student unions, and privacy advocates may take up advocacy, raise litigation or public campaigns to ensure rights are respected and legal clarity improved.

Conclusion

This case highlights the tension between law enforcement imperatives and individual privacy rights in Kenya. If true, the alleged disclosure of a student’s private communications and location data without a court order could represent a serious breach of both statute and constitutional protections. Stakeholders including Safaricom, regulatory authorities, police, universities, and civil society should move to clarify standards, ensure procedural compliance, and protect vulnerable individuals. Transparency, accountability, and robust legal oversight are essential to prevent erosion of privacy and free expression.

Checklist: What You Can Do to Protect Your Data Privacy

If you’re concerned about your own privacy in Kenya, here are steps to take:

  • Use strong, unique passwords and two-factor authentication for social media and email accounts.
  • Be careful what you post online; avoid spreading or reposting potentially controversial content unless you trust its source.
  • Use encrypted messaging services wherever possible, and limit sharing of location or sensitive personal data.
  • Know your rights under the Data Protection Act 2019: request what personal data is kept, how it’s used, and challenge unlawful disclosures.
  • When telecoms or other service providers ask for your data, ask if there is a court order or lawful mandate authorizing the disclosure.
  • Engage with student unions or privacy rights organizations if you believe rights are breached: they can provide legal or advocacy support.
  • Monitor public policy and regulatory developments; write or petition your representatives to demand clearer protections around unauthorized data disclosures.

Leave a Reply

Your email address will not be published. Required fields are marked *