Mohammed Shameel Aziz Joosub
Chief Executive Officer
Vodacom Group
CC: Stephen Chege, Chief External Affairs Officer, Vodacom Group; Dr. Peter Ndegwa, Group Chief Executive Officer, Safaricom PLC; Fred Waithaka, Head of Regulatory and Public Policy, Safaricom PLC
Re: Vodacom Group must commission an independent investigation into the potential enabling of human rights violations by Safaricom
Dear Mr. Joosub,
We, the undersigned, are writing to you to raise the alarm over allegations of Safaricom’s enabling of human rights abuses, and to request transparency on the company’s law enforcement assistance practices.
Background
Since June 2024, thousands of people in Kenya have mobilized online and offline to protest against austerity measures, unmitigated corruption, and human rights abuses. Rather than protecting people’s right to speak up, authorities cracked down on protests, resulting in the death of 60 people. While the digital space has become a space for civic organising, information sharing, and an avenue for freedom of expression, security agencies have periodically been able to track down political dissidents on social media, who they have abducted, arbitrarily detained, and in some cases disappeared.
Most recently, a teacher Albert Ojwang, along with one other person, was abducted following allegedly defamatory online statements they made towards a senior police official. In the hours following his arrest, Albert was tortured and killed while in police custody.
During times of heightened repression, people’s ability to call out human rights violations, mobilize essential support, and advocate for their rights must be fiercely protected, especially by companies that they entrust with their personal data.
Safaricom’s policies and practices
As a telecommunications provider, Safaricom is also considered to be a data processor under Kenya’s Data Protection Act. The company collects data from its customers, including biometric data through their SIM registration processes, call detail records, and mobile money activity. Call detail records (CDRs) contain sensitive information whose arbitrary disclosure could potentially put the company’s subscribers at risk of serious human rights violations, including enforced disappearances and extrajudicial killings. Information in CDRs, such as base transceiver data, can be used to track a person’s live location.
Safaricom’s Data Privacy Statement states that it may disclose information to law enforcement authorities “in response to a demand issued with the appropriate lawful mandate and where the form and scope of the demand is compliant with the law.”If the police require Safaricom to provide subscriber data in order to investigate a crime, the proper authorities must submit a request to the company’s Law Enforcement Liaison Office via a production order. However, a report by Privacy International revealed that the requests often do not detail justifications for the requests, and instead merely state the category of crime under investigation. Additionally, in cases that are deemed to be urgent or matters of national security — an already overused justification for undermining people’s constitutional rights — these protocols are often bypassed by security agencies to access this data from Safaricom.
The risks do not stop there. In October 2024, investigations by Nation Africa revealed that Safaricom’s partner Neural Technologies created software that automated security agencies’ access to the company’s CDRs. Some of the tools provided include a browser portal that can allow security agency officers in the field to track people in real time through their CDRs. This also includes a visualization function that they have colloquially referred to as “Find My Friends,” which enables the police to predictively profile people based on their patterns of movement and association. It is worth noting that Safaricom has, both in the case of Albert Ojwang and in the wake of investigative reporting on their data practices around the 2024 protests, denied sharing subscribers’ personal data with authorities outside of legally checked requests, claiming only to share customer data when “explicitly required of us via a court order.”
Gaps in transparency
In Safaricom’s Environmental Social Governance policy, which includes a business ethics clause, the company commits to assessing the impacts of its business activities and ensuring that negative impacts are mitigated. It also pledges to comply with UN principles and conventions on ESG matters and to respect human rights. Safaricom utilizes the KPMG True Value Methodology to measure the positive and negative impacts of its operations on the environment and society. However, it is unclear how potential adverse human rights impacts are assessed and mitigated. For example, you can access information on the company’s calculation of emissions and water consumption, while similar reporting on data protection or human rights compliance is not available. The company’s transparency reporting mainly focuses on measuring social impact with regards to issues such as corruption, digital inclusion, job creation, and accessibility of its products to Small and Medium Enterprises (SMEs).
In practice, Safaricom often evades accountability and obstructs transparency. For example, Safaricom recently filed a strategic litigation against public participation (SLAPP) suit against a journalist, to block the disclosure of information regarding their data sharing practices with the police, between June to October 2024, at the height of the protest-related abductions and enforced disappearances.
Recommendations and requests
Vodacom’s Code of Conduct states that it has a responsibility to ensure that it does not infringe on human rights in its operations. Its human rights statement further states that the company conducts human rights risk and impact assessments as part of its due diligence process. As Safaricom’s second- largest shareholder, Vodacom has the responsibility to ensure that the rights of Safaricom’s 45 million customers are protected. To this end, we are requesting Vodacom support to commission an independent human rights impact assessment examining:
- The scope of Safaricom’s partnership with Neural Technologies including:
- a description of the tools and software provided to Safaricom;
- the functionalities of the tools with regards to automation and location tracking;
- the policies outlining the procedure of access to these tools and their data outputs by law enforcement authorities;
- An investigation into Safaricom’s sharing of subscriber data to law enforcement authorities between June 2024 to June 2025, examining particularly:
- instances in which law enforcement authorities have been provided with access to these tools without judicial oversight;
- the justifications for emergency access requests and the overriding of protocol in these instances, and;
- cases involving disclosure of data to law enforcement authorities regarding persons later subject to abduction, torture, detention or enforced disappearances.
- An urgent review and ongoing reforms of relevant Safaricom policies and practices impacting customer privacy, law enforcement assistance, and transparency and accountability on human rights.
We welcome a public response to the serious issues raised in this letter, as a way to show your stakeholders that you take their rights seriously. We would greatly appreciate a formal response from Vodacom for publication by 4th July, 2025. We will make this letter public on 9th July, 2025.
Signatories
- Access Now
- ARTICLE 19 Eastern Africa
- Data Privacy and Governance Society of Kenya
- Kenya Human Rights Commission (KHRC)
- Paradigm Initiative
- The Institute for Social Accountability