A legal dispute has been launched in Kenya against the Swedish company Truecaller, alleging that it has violated the Data Protection Act by collecting and sharing the contact details of Kenyans without their consent.
James Mbugua, a data protection lawyer, filed the suit, accusing Truecaller of failing to register as a data controller and not complying with key sections of the Act that regulate the collection of personal data indirectly.
Truecaller is a widely used mobile app that enables users to identify unknown incoming calls. According to its website, the app provides this service easily, but Mbugua’s lawsuit highlights a crucial issue: Truecaller is not registered with the Office of the Data Protection Commissioner (ODPC) in Kenya.
As per the requirements of Section 18(1) of the Data Protection Act, Truecaller should be registered as a data handler, but it does not appear in the ODPC’s list of registered entities, according to Mbugua.
“Despite operating in Kenya, Truecaller is not registered with the Office of the Data Protection Commissioner (ODPC) as required by Section 18(1) of the act. They do not appear in the list of registered data handlers on the ODPC website,” Mbugua said in a complaint to ODPC, as reported by Daily Nation.
Mbugua argues that this lack of registration raises serious concerns about Truecaller’s accountability and compliance with Kenya’s data protection laws.
He is seeking a declaration that Truecaller’s data protection practices violate the Act and is requesting that the company be compelled to register as a data controller or processor with the ODPC.
Data Transfer to India Raises Privacy Concerns
Another key aspect of the lawsuit is the alleged unauthorized transfer of personal data from Kenyan users to India, a country without stringent data protection laws.
Mbugua is demanding that Truecaller cease transferring Kenyan user data to India or outside Kenya until the company can demonstrate full compliance with Kenyan data protection laws.
Also Read: Safaricom officially launches M-Pesa Ratiba, a new feature that lets you set up a standing pay order
He further insists that Truecaller should either localize its data storage in Kenya or establish adequate safeguards to protect users’ data.
In his complaint, Mbugua warned that a widely-used platform like Truecaller, operating without adequate safeguards, poses a significant risk to the privacy rights of Kenyan citizens.
He highlighted how Truecaller’s caller ID feature exposes the personal details of users—both Kenyan and international—without their consent, violating privacy rights as outlined in Part IV of the Data Protection Act.
Algorithm Secrecy and Lack of Transparency
The complaint also points to Truecaller’s use of an algorithm to select the “best name” from a large collection of names stored in its system.
Mbugua emphasized that the algorithm is secret, and those whose data is harvested have no knowledge of how the algorithm operates.
The lawyer added that Truecaller does not collect data directly from individuals, nor does it process personal data transparently, as required by Sections 25(b) and 28(1) of the Act.
Instead, Truecaller collects the contact details of third parties stored on a user’s device without the knowledge or consent of the individuals whose information is collected.
Mbugua also accuses Truecaller of discrimination and applying unequal privacy standards between European and Kenyan users, with more stringent protection offered in regions with established data protection regimes.
Truecaller’s History of Legal Challenges in Africa
This is not the first time Truecaller has faced legal action in Africa over privacy concerns. In 2019, a class-action suit was filed against the company in Nigeria by Olumide Babalola LP and Olasunkanmi Bello on behalf of a group of concerned non-users of the app.
The lawsuit accused Truecaller of infringing on privacy rights by collecting, storing, and processing personal data without consent, in violation of the Nigerian Data Protection Regulation (NDPR) of 2019.
The plaintiffs sought a declaration of rights infringement and a perpetual injunction against Truecaller’s data processing activities without explicit consent. They also pushed for a punitive fine.
However, in April 2023, Nigeria’s Federal High Court ruled in favor of Truecaller, dismissing the claims of unauthorized data harvesting.
In its defense, Truecaller argued that its app operates on the basis of user consent and that its services enhance safety by identifying unknown callers.
The company asserted that registered users voluntarily allow their contacts to be uploaded to the app and, therefore, those users should bear the privacy responsibilities, not Truecaller itself.
As this new legal battle unfolds in Kenya, the outcome could have significant implications for data protection practices, not just for Truecaller but for other tech companies operating in the region.
