Hustlers Fund raises queries over borrowers' data protection

"We walked all over the country and Kenyans told us they were burdened by Fuliza and shylocks but that they need funding to run their business," said President Ruto during the launch in Nairobi.

"That's why we decided the government will create a special fund to allow all Kenyans to get affordable credit despite their lack of physical address, a title deed, log books or similar guarantees."

Target groups

The fund, pegged at Sh50 billion, targets individuals, small enterprises, chamas and table banking groups, Sacco societies and start-ups, among other groups.

It is not the first development fund the government has launched and contains elements of previous interventions such as the Credit Guarantee Scheme launched by President Uhuru Kenyatta in 2020 at the peak of the Covid-19 pandemic.

However, a key difference and one that has data privacy advocates concerned is the fact that the Hustlers Fund is primarily disbursed by mobile phones and appears to have little mechanisms in place to ensure the information collected from Kenyan borrowers will be protected from abuse.

The terms and conditions of the fund should ideally contain details on how the facility will manage the private data of millions of Kenyan borrowers is a meagre 95 words long.

Instead, users are directed to the privacy policies of partner organisations including KCB Group, Safaricom, Telkom and Airtel which will be acting as intermediaries for the fund.

This has raised queries over which party holds the biggest liability in the event of a data breach that results in a legal challenge or financial damages.

ICT experts in online forums have raised questions over the data protection safeguards of the fund and taxpayers' liability to the State-backed initiative.

"ICT is playing a key role in disbursement, which brings to the fore whether the technology being used guarantees inclusion of all citizens," said one expert in the online discussions who did not want to be named.

"Do we have infrastructure coverage that will ensure no one is left behind?"

Other questions that have been raised include which financial companies will hold custody of the funds, and the agency that will act as the central repository of the transactional data that will be generated.

User's consent

The Data Protection Act 2019 makes it illegal for companies to collect, process or store personal data from Kenyans without obtaining users' informed consent.

The law also makes it illegal for companies to use personal data for direct marketing without informing the subjects.

This includes online ads targeted to consumers by their browsing history as well as promotional material sent directly to consumers through SMS. The Act also allows users who have suffered damage by having their personal data misused to seek compensation for damages including financial loss and distress.

"Indeed government (and any other registered data controllers or processors for that matter) would have legitimate needs or reasons to collect citizen or customer personal data," said another expert on the forum.

"But the right to collect is not exactly the same as having the right to abuse or violate your privacy rights thereafter

"You as a citizen (or customer) now have a say on every step of the long personal data life cycle that includes collecting, processing, sharing, retention or retiring, accessing, securing amongst others."

According to its founding regulations, the Hustlers Fund is an antidote to previous attempts by the government in disbursing development funds that have proved fragmented and ineffective.

"The fund shall leverage on existing commercial infrastructure, including mobile payments platforms and financial institutions, including agency, co-financing and on-lending partnerships," says the PFM (Financial Inclusion Fund) Regulations, 2022 that set up the Hustlers Fund.

"The fund rollout will leverage on the existing digital capacity in the economy and well-structured commercial infrastructure, including mobile payments platforms and financial institutions, for enhanced effectiveness and efficiency towards the achievement of its objectives."

According to its terms and conditions, users give the Hustlers Fund express consent and authorisation for the fund to disclose, receive, record or utilise their personal information or data relating to their accounts and details relating to their services to third parties.

These include the bank's service providers, dealers, agents or business partners, credit reference bureaus, the banks' lawyers and auditors for "reasonable commercial purposes connected to their use of the services".

Digital lenders

"You authorise the bank to disclose any information relating to your Hustlers Fund savings and loan product account to any Kenyan, foreign or international law enforcement or governmental agencies so as to assist in the prevention, detection, investigation or prosecution of criminal activities or fraud or to any other institution or a third party as required by the laws of Kenya or any other country and or as the bank may deem necessary," the terms and conditions say.

In October this year, the Office of the Data Protection Commissioner (ODPC) started an audit of 40 digital lenders following complaints from the public over the entities' use of their personal data.

"As of September 30, 2022, ODPC had received 1,030 complaints. The office admitted 555 of these cases including 299 which were on digital lenders, representing 54 per cent of all cases admitted," said the ODPC in a statement.

Some of the digital lenders set for audit were Tala, Branch, Coopesa, Fairkash, Flexi Cash, Hela Credit, Skypesa, Mokash and Zash Loan.

The audit by the ODPC comes in the wake of a crackdown on unlicensed digital lenders by the Central Bank of Kenya (CBK) that sought to weed out rogue players.

Predatory practices

Earlier this year, CBK gave digital lenders until September 17 to obtain operating licenses or cease operations.

"The licensing and oversight of digital credit providers was precipitated by concerns raised by the public about the predatory practices of the unregulated players and in particular their high cost, unethical debt collection practices and the abuse of personal information," said CBK Governor Patrick Njoroge during a press briefing.

A recent report by Strathmore University's Centre for Intellectual Property and Information Technology Law and Citizen Labs found that several digital lending apps in Kenya are linked to tracking and advertising software, with some linking to third-party platforms such as Facebook.

The Apps, which run at start-up and even prevent the phone from sleeping, were found to read contacts, and location data and obtain access to network connectivity data, all of which is used to profile borrowers.

Branch, for example, requires users to give it permission to record audio while Tala has the authority to create accounts on its users' devices, set passwords and use these accounts.

All of the apps can prevent the phone from sleeping and some can retrieve running apps.

The extent of the data collection conducted by the digital apps is indicated in the user agreements but most users remain oblivious and have no recourse because they have to agree to the conditions while installing the apps.