Digital taxi firm Bolt has been ordered to pay a driver Sh500,000 as compensation for damages emerging from a violation of his data privacy rights.
Investigations by the Office of the Data Protection Commissioner (ODPC) revealed that the online ride-hailing firm failed to adequately fulfil its obligations as a registered data handler, causing the violations.
The driver, Kennedy Wainaina, complained that Bolt had shared his personal information with third parties who used them for fraudulent purposes by gaining access to his driver account and locking him out of it.
Mr Wainaina complained that Bolt did not help his attempts to regain access to his driver account and that his lamentation of the fraudulent use of his log-in details landed on deaf ears.
By the time he got it back, it had made 17 trips valued at Sh26,250, all of which were made by one customer, a corporate client, but how he came to lose his account remained a mystery, prompting him to suspect it was an inside job at Bolt.
Bolt, however, insisted that none of its employees fraudulently accessed Mr Wainaina’s driver account nor did it share his personal details with anyone outside the company, and that it investigated the claims once the driver lodged the complaint.
Data Protection Commissioner Immaculate Kassait, however, after investigating the incident, found Bolt failed to properly protect Mr Wainaina’s data as required by the Data Protection Act of 2019.
“Despite the alleged perpetrators gaining from the Complainant’s account, the Respondent (Bolt) asserts that they found no evidence of having suffered a personal data breach of its systems or that any of its personnel were responsible for the unauthorised access,” Ms Kassait said in a ruling on the complaint.
“This allegation offends Section 41 of the Act which enjoins the Respondent, as a Data Controller, to put in place the appropriate organisational and technical safeguards to effectively implement the data protection principles.”
As such, Bolt was found to have violated Mr Wainaina’s right of access to his personal data and his right to correction of false or misleading data by denying him the ability to swiftly regain control of his account.
Besides the fine, Bolt was issued with an enforcement notice, which means that it will need to strengthen its safeguards to prevent a similar incident from reoccurring.
