The ruling against Platinum Credit is more than a simple award of Ksh 400,000 to a frustrated Kenyan. It is a powerful declaration that the era of reckless data misuse is over and the Office of the Data Protection Commissioner (ODPC) is no longer a silent spectator. The judgement reads like a turning point—one that finally places power back in the hands of ordinary citizens whose personal information has for years been harvested, traded, and weaponised without their knowledge or permission.
At the heart of the case is Samuel Kamau, a Kenyan who did what millions complain about daily—he took a company to task for bombarding him with unsolicited loan promotions, messages, and calls. Platinum Credit reached into his private space using data he never shared with them. For far too long, such violations have been dismissed as “harmless marketing,” but this ruling makes it clear: personal data is property, and accessing it without consent is theft.
The investigation revealed something even more troubling than the unsolicited communication itself—Platinum Credit lied. When the ODPC began its inquiry, the company attempted to distance itself from the caller, claiming she was not their agent. But the Data Commissioner’s investigators followed the trail and confirmed that she was indeed acting on behalf of the company. This deliberate falsehood triggered an even more serious legal implication: providing misleading or false information to a regulator is a criminal offence under Section 57(3) of the Data Protection Act.
Once the lie collapsed, what remained was undeniable evidence of unlawful data processing. The law is clear—no one should collect, store, or use your personal data unless you have consented. In this case, Platinum Credit harvested and used Samuel Kamau’s number purely for marketing, violating every principle of consent, transparency, and fairness required under the Data Protection Act.
The Data Commissioner’s final determination is a masterclass in accountability. First, the company is formally found liable. This is not a mere slap on the wrist; it is an official declaration that Platinum Credit broke the law. Second, they are ordered to pay Ksh 400,000 to Samuel Kamau as compensation. The amount may seem modest in a world of corporate millions, but it represents something far greater—the first time many Kenyans will see that their data has monetary value and misuse of it comes with a financial consequence.
Then came the enforcement notice. This means Platinum Credit must put in place corrective measures to stop the unlawful behaviour, clean up their data processes, and prove to the ODPC that they have complied. It is not optional. It is legally binding.
But perhaps the most explosive part of the ruling is the recommendation for prosecution of the company’s directors. The Commissioner concluded that they furnished false information knowingly. Under Kenyan law, this is a criminal act that could lead to fines or imprisonment. For years, corporate executives have hidden behind the “company” as an entity—this ruling pierces that shield and holds real human beings responsible.
The judgement also gives Platinum Credit and all parties a 30-day window to appeal. This is a standard legal requirement, but the message behind it is unmistakable: the system is fair, transparent, and rooted in the rule of law. If they believe the ruling is unjust, they may challenge it in the High Court, but the burden will be heavy because the evidence is clear and the findings are meticulously explained.
This ruling should send shockwaves through Kenya’s financial sector, where aggressive digital marketing has been normalised. For years, lenders have purchased leaked phone numbers, scraped data from apps, used contact lists from borrowers, and harassed Kenyans with endless promotions. The Platinum Credit case signals the beginning of the end for such practices. The ODPC is setting a precedent—your data is not a free buffet.
For consumers, this case is empowering. It proves that you do not need political connections, money, or influence to demand justice. If someone misuses your data, you can file a complaint and the law will protect you. The ODPC has shown it is willing to investigate thoroughly, challenge corporate dishonesty, and take decisive action—including recommending prosecution.
For companies, this judgement is a warning. Today it is Platinum Credit. Tomorrow it could be any business that casually handles customer data as if it were worthless. The age of impunity is ending. Compliance is no longer a “nice-to-have.” It is a survival requirement.
In the end, the message from Immaculate Kassait, the Data Commissioner, is powerful and unambiguous: Kenyans’ personal data is sacred. Any business that dares misuse it, sell it, exploit it, or lie about it will face consequences—financial, legal, and reputational.
This ruling is not just a victory for Samuel Kamau. It is a victory for every Kenyan with a phone number, an email address, a national ID, or any piece of data that can be misused. It is a reminder that the power belongs to the people, and the law stands firmly behind them.
Read Also: Until Africa Manufactures Its Own Helium: Why the Continent Must Think, Build, and Behave Like China