Millions of Kenyans who own phones are knowingly or unknowingly surrendering their privacy as well as the contacts list of those they communicate with in exchange for exorbitant mobile loans.

Other conditions set by online lenders that are oblivious to mobile loan users include giving up a pound of flesh for instant cash include a lifetime of SMS notifications, full surrender of their personal data to third parties and a waiver of their right to dignity.

This is according to the analysis by the Financial Standard on the terms and conditions attached to several mobile loan products in the country, including those provided by Branch, Tala, Okash and Fuliza, which was launched a fortnight ago.

A large majority of consumers who take mobile loans do not read the lengthy and densely-worded set of conditions and terms they are committing to and are later shocked when the contracts are enforced.

In recent months, for example, consumers of mobile app Okash who delayed or defaulted on their loan repayments have had the unpleasant experience of having the service provider contact people in their contact list in a bid to recover the funds.

“Hello, kindly inform XX to pay the Okash loan of Sh2560 TODAY before we proceed and take legal action to retrieve the debt,” says the text message the service provider sends to people in one’s contact list.

“We have tried calling in vain. This is the last reminder. Many thanks, Okash team.”

Interest rates

Users have taken to social media and in review pages of the mobile app to vent their frustration as well as raise concerns about privacy and the interest rates charged on the application.

“Has anyone filed a suit regarding @opera #Okash data privacy infringement in Kenya?” asks Twitter user James Mutua last month.

“Or the industry is not regulated. Why spam people. I don’t need to know if my contact has your facility.”

Another user, Peter Musyoka, vents: “I also don’t have money to clear their loan at the moment until month end. I’ve no problem accruing their interest till then however they must keep threatening. No peace. No longer interested in your loans.” (sic)

Majority of the users are surprised when informed that they consented to have Okash reach out to anyone in their contact list in the event they failed to pay.

“We may contact you and or your emergency contact,” reads the terms and conditions from Okash posted on the company’s website.

“You also expressly authorise us to contact your emergency contact to verify your information or when we are unable to contact you or when we have not received repayment from you.”

At the same time, many users do not know that by agreeing to the conditions, they are also giving the consent of people on their contact lists without their knowledge.

“You confirm that your emergency contact has consented to the sharing of his or her information with us and to us contacting them with respect to your use of the Service,” reads one of the clauses.

“In the event, we cannot get in contact with you or your emergency contact, you also expressly authorise us to contact any and all persons in your contact list.”

Trick users

A lawyer who specialises in Internet Law and Policy at Mutemi Sumbi Law, Mercy Mutemi, says the service providers are using such provisions to trick users into giving up as much data as possible.

“Consent should be expressly sought by a data processor and expressly given by the data subject,” she explains. “You cannot give consent on behalf of someone else. Okash’s clients cannot, therefore, give consent on behalf of their emergency contacts or the persons in their contact list.”

Ms Mutemi says this tacit admission from Okash that they have access to the contents of the phone including the contact list raises questions of privacy and how this data can work to the user’s disadvantage.

Other conditions require users to consent to receive endless communication from the service provider.

“You may stop receiving promotional messages by following the opt-out instructions in the message,” reads part of the clause in the terms and conditions for Okash.

“Even if you choose to opt out of receiving promotional messages, you may not opt out of receiving service-related messages.”

Ms Mutemi says although consumers enter the contracts wilfully and agree to abide by the terms and conditions, some of the legal demands made by service providers are in violation of the Constitution.  

“In theory, no matter how ridiculous the terms proposed, it is assumed that a mobile phone user has freely accepted these terms and should be bound by them,” she says.

“Enter constitutional rights specifically the right to dignity and the right to privacy. You cannot consent to have your right to life be taken away and similarly, you cannot sign your dignity away.”

By sending messages to their peers informing them that they have defaulted on payment Okash is bringing indignity to users. This constitutes a violation of the constitutional right to be held in considerable esteem by one’s peers.

Last year, some M-Pesa users were surprised to find their accounts were deducted to settle other users’ Okoa Jahazi debts when they purchased airtime for them.

Subscribers venting their frustration on social media were informed they had consented to the deduction when agreeing to purchase the airtime.

“When purchasing data for a number with Okoa Jahazi you will be given a breakdown of the bundle cost and the due Okoa Jahazi then the total deduction,” Safaricom explained through it’s Twitter handle.

“If the recipient has an outstanding Okoa Jahazi, it will notify you and prompt you to either accept or decline if you do not intend to pay,” the firm further explained.

Gayatri Murthy and David Medine, financial analysts at the Consultative Group to Assist the Poor (CGAP) say terms and conditions set by service providers are often skewed against consumers.

“In an ideal world, consent requests would be designed to help consumers carefully consider their privacy options and consent only to the parts with which they agree,” state the analysts in a recent article.

“But today, privacy notices are often long, complex documents written by legal teams to ensure that companies limit liability and protect against regulatory scrutiny by granting themselves close to free reign over customers’ personal data.”

Data is the bedrock of the digital economy and for fintechs, analysis of transaction data continues to reap benefits in terms of eye-watering revenues.

Safaricom recently launched Fuliza, an overdraft facility on M-Pesa that allows consumers to make Lipa na M-Pesa payments and pay bills even when they are short of funds.

Just like determining amounts on the other mobile loan products, the service relies on users’ transactional data to establish an overdraft limit within which users can borrow several times.

A report by financial consultants Citibank last week upgraded the rating on Safaricom’s stock from ‘neutral’ to ‘buy’ whilst projecting the counter to hit Sh27 from the current Sh24 – largely boosted by the launch of Fuliza.

“Based on the popularity of Okoa products (emergency credit for airtime and data, fees which generates 2 per cent of service revenue for Safaricom), we think the demand for an overdraft is likely to be strong,” said Citibank in the report.

Safaricom Chief Executive Bob Collymore confirmed this last week saying Fuliza is already exceeding growth projections, lending out more than Sh1 billion just one week after going live.

“We got a million customers by day eight and we had lent Sh1 billion. Now we are probably at Sh1.5 billion,” he said in an interview with Reuters.

“If you don’t have enough cash, you simply draw down from the overdraft and you keep drawing down until you have got to your overdraft limit, which is predetermined by an algorithm.”

However, a vast majority of the hundreds of thousands of users who have already used the facility are unaware of or indifferent to some of the conditions they have agreed to in the terms and conditions running more than 7,000 words.

“On your death or bankruptcy, your obligations shall remain in full force and effect until such a time as they shall be duly satisfied,” reads one of the clauses in Fuliza terms and conditions.

This comes even as some users pointed out that the fees charged on the product is steep. Users are charged a facility fee of 1.083 per cent of the loan as well as a daily administrative fee that can go to a maximum of Sh30 each day the loan remains unsettled.

Registration data

Agreeing to the terms and conditions on Fuliza also grants Safaricom access to users’ population and registration data held by the Government.

All M-Pesa users have already granted Safaricom the right to hold their data for up to seven years.

“You hereby agree and authorise us to obtain and procure your Personal Information contained in the integrated population registration system (IPRS) from the Government of Kenya and you further agree and consent to the disclosure and provision of such Personal Information by the Government of Kenya to us,” reads one of the clauses in Fuliza’s terms and conditions in part.

Ms Mutemi says this raises concerns about the administration of such sensitive data and the implications to consumers in the event the data falls into the wrong hands.

“This is of particular concern given the sensitive nature of the IPRS,” she says. “There is no legal framework governing the IPRS or dictating how individuals can access the IPRS. The Government is also not transparent on who has access to the system.”

Reports that State agencies have in the past been the cause of privacy violations Kenyans have experienced also undermine users’ confidence.

A report by Strathmore University’s Centre for Intellectual Property and Information Technology Law on the use of biometric voter technology in the 2017 General Election revealed that public officials mishandled voters’ private data and evens shared the same with political aspirants.

“A vast majority of campaign messages sent to voters during the 2017 election period were unsolicited,” states the report in part.

“Furthermore, a majority of voters did not provide politicians with their phone numbers as part of a political message subscription service or for any other related purpose.”

The messages sent to the respondents were further said to contain information that identified the name, or voting location of the respondent, indicating political aspirants were able to obtain structured data of voters they sought to target directly.

Meanwhile, Kenyan regulators are struggling to catch up with the rapidly evolving fintech sector giving service providers a blank cheque in how they structure the products.

In 2016, the Communication Authority (CA) said it was working with the Central Bank of Kenya (CBK) and was in advanced stages of drafting a policy on the regulation of fintech providers.

Nothing has been heard of the policy again and similar rhetoric from the CBK and Treasury to rein in “predatory lenders” over the past two years have remained just that.

This has re-ignited calls to fast track the Kenya Data Protection Act, 2017 that has been in the works for more than five years.

With increased uptake of digital payment methods and mobile loans, the law is considered one of the safeguards to the massive datasets currently generated by users of the various facilities.