๐’๐ก๐จ๐ฎ๐ฅ๐ ๐ฒ๐จ๐ฎ ๐ฌ๐ก๐จ๐ฐ ๐ฒ๐จ๐ฎ๐ซ ๐Œ-๐๐ž๐ฌ๐š ๐ฆ๐ž๐ฌ๐ฌ๐š๐ ๐ž ๐Ÿ๐จ๐ซ ๐ฉ๐š๐ฒ๐ฆ๐ž๐ง๐ญ ๐ฏ๐ž๐ซ๐ข๐Ÿ๐ข๐œ๐š๐ญ๐ข๐จ๐ง?
Many Kenyans routinely show sellers their M-Pesa confirmation message after paying, and in crowded places such as matatus some even hand over the whole phone. Lawyers at Muri Mwaniki Thige Kageni LLP Advocates and Kageni LLP say this habit raises privacy and data protection concerns under the Constitution and that no Kenyan law compels a customer to display a private device or an M-Pesa message to a cashier, merchant, tout, or any other third party as proof of payment. Fridah Muriithi, an associate advocate at the firm, says payment verification is a commercial practice rather than a statutory requirement and that the Data Protection Act 2019 leans toward protecting customer privacy rather than giving merchants a right to inspect personal devices.

In this view, proof of payment sits with the merchant, not the customer. Muriithi says the merchantโ€™s own confirmation, such as a receipt or a notification on the M-Pesa Till or Paybill system, is the primary evidence because every Lipa na M-Pesa transaction triggers a concurrent message to the merchantโ€™s device or system. Once funds have reached the merchantโ€™s Till or Paybill, the transaction is complete even if the customer does not display the SMS, and widespread social acceptance of showing messages does not create a legal obligation or remove a merchantโ€™s duty to protect personal data.

The lawyers argue the confirmation SMS is not a neutral receipt because it contains personal data protected by law. Muriithi says it can include identifiers such as a customerโ€™s name and phone number, financial details such as account balance, which she describes as sensitive personal data, and transaction information that can reveal spending habits. She adds that the transaction code is the only detail a merchant strictly needs and it already appears on the merchantโ€™s own confirmation message, while Safaricom has taken steps to reduce exposure by masking customer names in line with the data minimisation principle. Under the Data Protection Act, she says asking to see the message generally amounts to processing personal data because processing can include consulting, using, or recording that information.

What are your thoughts? Do you agree with them?