A data protection lawyer has sued Swedish company Truecaller for violating the Data Protection Act by collecting contact details of Kenyans and sharing them without their consent.
Mr James Mbugua also accused Truecaller of discrimination, failing to register as a data controller and the failure to comply with sections of the Act that allows for collection of personal data, indirectly.
The app according to Truecaller’s website easily allows a mobile phone user to identify incoming calls from unknown numbers.
“Despite operating in Kenya, Truecaller is not registered with the Office of the Data Protection Commissioner (ODPC) as required by Section 18(1) of the Act. They do not appear in this list of registered data handlers on the ODPC website,” Mr Mbugua said in the complaint lodged at ODPC.
The legal consultant said the lack of registration raises concerns about accountability and compliance with data protection regulations as a data controller and processor.
He is seeking a declaration that Truecaller’s data protection practices violate the Act and Regulations and the company should be compelled to register as a data controller or processor with the ODPC.
Mr Mbugua further accused the company of unauthorised transfer of personal data to India with no assurance of effective data protection law.
“A cease and desist order directing Truecaller to cease transferring Kenyan user data to India or outside the country until they demonstrate full compliance with Kenyan data protection laws or localise their data storage within Kenya,” Mr Mbugua said adding that this should include demonstrating adequate safeguards are established or consent is obtained.
Mr Mbugua said in the complaint that if a platform as widely used as Truecaller can operate without adequate safeguards, it poses a significant threat to the privacy rights of Kenyan citizens.
“The upshot of this is that not only does its caller ID feature display identifier information for data subjects from around the world to its Kenyan users, but it also displays the personal details of Kenyans (name and number – landline, mobile, or prepaid) to third parties across the world thereby de-identifying them to strangers and violating their right to privacy as spelt out in Part IV of the Act,” the lawyer submitted.
He said Truecaller’s data protection practices violate the Act and Regulations in several aspects, particularly regarding the lack of registration as a data controller or processor, the failure to fulfil its obligations personal data protection under the Act and the transfer of personal data to India without adequate safeguards or consent.
“Not only does Truecaller determine the commercial purposes to which it processes and puts the data to, it also uses automated means of processing the data,” he said.
The lawyer said Truecaller has a particular algorithm to find the best name from a wide selection of names which have been harvested.
Mr Mbugua said the algorithm is a secret and it is developed by Truecaller as none of the Kenyan data subjects who upload the data know its details.
“Contrary to Section 25 (b) and 28(1), Truecaller does not process personal data collected in a transparent manner, nor does it collect data directly from the data subject. Instead, it collects contact details of third parties stored in a user’s device without their consent,” he said.
On discrimination and unequal application of privacy standards between Europeans and Kenyans, Mr Mbugua argued Truecaller employs a different data protection standard for regions with data protection regimes or where it has been sued for privacy breaches and bundles all other jurisdictions including Kenya in a generic privacy policy.
Source link : https://nation.africa/kenya/news/truecaller-sued-in-kenya-over-privacy-violations-4784224
Author :
Publish date : 2024-10-02 17:41:47
Copyright for syndicated content belongs to the linked Source.