As more African countries adopt data protection laws, policy makers need to be aware of the ways in which data protection can create or enhance dominance. One way is through data-intensive industries such as telecommunications providers legitimately collecting useful personal data and hoarding it in the name of data protection. The accumulation of data enables mobile network operators (MNOs) to create new business lines based on platformization of the data (Qingjun, n.d.). With this in mind, policy makers need to have a more integrated approach to the regulation of MNOs, viewing them not only with respect to traditional areas but also as platforms.
Telecommunications companies worldwide are progressively turning into platforms that bring together groups such as consumers and producers. Take the case of Safaricom, the dominant MNO in Kenya. Safaricom currently commands a lead1 in voice, short message service (SMS) and mobile internet services in Kenya. The company has, over the years, turned large profits — referred to as “superprofits,” a reflection of the volume of services it provides across the country. In its latest company report, Safaricom underlines its innovation culture as key to many of its new service offerings, from the Internet of Things to video-on-demand through Safaricom TV. However, its most well-known product remains M-Pesa,2 the mobile money service.
Started in 2007, M-Pesa was initially a money transfer service that enabled people to send and receive virtual money, then cash it at an M-Pesa agent. Since then, it has evolved to provide various other services such as bill payments, bank transfers, payment for e-government services, and even savings and loans. M-Pesa was among the first lines of defence when the first case of COVID-19 was declared in Kenya in March 2020. The government directed the removal of transaction fees for person-to-person transactions of up to KSh 1,000 (about US$10). From March to December 2020, the volume and value of person-to-person transactions rose by more than 24 percent and 7.2 percent, respectively (Communications Authority of Kenya 2020).
Despite this progressive linkage of mobile telecommunications services to other services, MNOs have been regulated using the traditional tools for fair trade practices. In the case of Safaricom, this oversight has included tariff regulation, infrastructure sharing and recommendations to split the business into different units, separating mobile money from voice and SMS. As policy makers grapple with the challenges of regulating competition among MNOs, there are new issues to consider, such as data.
Data Protection Enforcement
Although Kenya is only in the nascent stages of implementing the Data Protection Act of 2019, Safaricom and other MNOs in the region are among the players that have appointed data protection officers (DPOs).3 Under the Kenyan law, appointment of a DPO is not mandatory, leaving it up to companies to decide if they need one. The appointment of DPOs in MNOs signals the readiness of the companies to implement the data protection law. More broadly, such readiness demonstrates the potential of the data protection law to create or deny access to data markets.
For example, Safaricom recently announced that it would start hiding the identity of “lipa na M-Pesa” users, a move that was lauded by privacy activists as a solution to data gathering that occurs when people pay for goods and services using Safaricom’s mobile money service. Lipa na M-Pesa is a service that enables customers to pay for goods and services using M-Pesa. A customer typically performs the transaction on their phone using the M-Pesa menu. Mandatory SIM card registration laws in Kenya mean that everyone using lipa na M-Pesa is already registered using their national ID. A customer sends money to a merchant’s till number, the medium through which the merchant virtually collects the payment. In a typical transaction, such as paying for goods at a supermarket, the supermarket receives from Safaricom a receipt of payment with the name and phone number of the paying customer, together with a unique transaction code. It is these names and phone numbers that Safaricom intends to hide or redact.
Should all that data be held by one entity?
While this move is laudable from a privacy and data-protection perspective, it should also be analyzed from a competition lens. First, Safaricom holds a lot of data from the transactions of its customers. While the data is of a personal nature and should therefore be protected, the fact that it is personal provides granular insights that are of interest to business, making it valuable intelligence for anyone seeking to access Kenyan consumers. The data is also valuable for other functions, such as public planning. Should all that data be held by one entity?
Second, the decision by Safaricom to hide the identity of customers also demonstrates the company’s policy-making power. Safaricom stated that Kenyans had complained of receiving unsolicited messages. The company therefore announced that it would hide part of the customer’s identity to protect their data from being shared with third parties. This is not the first time that Safaricom has made rules regarding its services. Prior to the 2013 general elections in Kenya, it began vetting political messages (Gathura 2013) before they were sent through bulk SMS. In both these examples, Safaricom was responding to regulatory gaps, ostensibly brought about by how deeply the company is embedded in Kenyan life. Despite Safaricom’s good intentions, the rules were made without public participation, denying those who may have had different views an opportunity to present them. Analogies can be drawn from policy making by platforms such as Facebook and Google, which have appropriated the power to regulate content, with problematic results.
From a competition perspective, Safaricom’s policy on hiding the identity of customers may result in denying merchants access to data or making it more difficult for merchants to access that data, while at the same time increasing Safaricom’s competitive advantage as custodian of such data. This analysis is not in any way to belittle data protection, or to deny the harm suffered by consumers when data collected during a lipa na M-Pesa transaction is repurposed and used for marketing campaigns by merchants and third parties. To the contrary, data protection laws should be enforced to make merchants protect and promote the privacy of their customers. However, the move to apply data protection laws should invite critique on the effect of such a move on competition in the digital economy.
One approach, which also demonstrates the MNO’s role as a platform connecting consumers and producers, is the broader role of Safaricom in advertising. Most of the unsolicited messages sent to customers whose details are harvested, say, after making a payment through M-Pesa, are sent through bulk SMS. Safaricom hosts the highest number of bulk SMS service providers (ibid.). In 2020, the company reported revenue of more than KSh 5 billion from bulk SMS (ibid.), which includes revenue collected for unsolicited messages, raising questions as to why, when identifying whom to regulate, Safaricom excluded bulk SMS providers, as they have an important role to play in ensuring the protection of customers’ privacy.
M-Pesa is often presented as a classic case of disruption of financial services. However, it has been regulated as a financial service, with little attention being paid to the company’s data practices. As the service evolves, there is need for scrutiny on how platformization of the services creates market power. This approach may be useful in mitigating the dominance of M-Pesa.