A popular mobile app used to identify unknown callers is facing legal action in Kenya, where a data protection lawyer has accused the company of violating the country’s privacy laws.
James Mbugua, the lawyer behind the lawsuit, claims that Truecaller, a Swedish company, has been collecting and sharing the personal contact details of Kenyans without their consent, a breach of the Data Protection Act.
At the core of Mbugua’s case is the allegation that Truecaller discriminates against Kenyans by failing to register as a data controller, as required by law.
According to Section 18(1) of the Act, companies that collect or process personal data within Kenya must register with the Office of the Data Protection Commissioner (ODPC). Mbugua’s petition argues that Truecaller’s failure to register not only undermines its legal obligations but also creates a significant gap in accountability.
“They do not appear in the list of registered data handlers on the ODPC website,” Mbugua noted in his filing, underscoring concerns about the lack of oversight for a service used by millions of Kenyans. “The upshot of this is that not only does its caller ID feature display identifier information for data subjects from around the world to its Kenyan users, but it also displays the personal details of Kenyans (name and number—landline, mobile, or prepaid) to third parties across the world, thereby de-identifying them to strangers and violating their right to privacy as spelled out in Part IV of the Act.”
Truecaller, which operates globally, allows users to identify unknown callers and block unwanted communications. However, Mbugua contends that despite its widespread use in Kenya, the company has not complied with local data protection laws.
Mbugua’s lawsuit seeks a court declaration that Truecaller’s data practices violate the country’s privacy regulations. He is also pushing for a cease-and-desist order to prevent Truecaller from transferring Kenyan user data to India, where the company is accused of sending the information without sufficient safeguards in place.
“A cease and desist order directing Truecaller to cease transferring Kenyan user data to India or outside the country until they demonstrate full compliance with Kenyan data protection laws or localise their data storage within Kenya is necessary,” he said.
While Truecaller isn’t listed in India but in the Nasdaq Stockholm Exchange, the company earns over 70% of its revenues from India.
Mbugua insists that data transfers should only be allowed once Truecaller complies with Kenyan law or relocates its data storage operations to Kenya.
“If a widely used platform like Truecaller operates without proper safeguards, it poses a significant threat to the privacy rights of Kenyan citizens,” Mbugua stated, stressing the potential risks posed by the app’s practices. “Not only does Truecaller determine the commercial purposes to which it processes and puts the data, it also uses automated means of processing the data.”
The lawsuit raises broader concerns about transparency in the way Truecaller processes personal data. Mbugua points to the app’s use of an undisclosed algorithm that selects names from a vast pool of contacts harvested from users’ devices.
This process, he argues, lacks the necessary transparency required by law and poses a threat to user privacy. Kenyan law mandates that data be collected directly from the individuals concerned and that users give their explicit consent, a standard Mbugua says Truecaller has not met.
“Contrary to Section 25 (b) and 28(1), Truecaller does not process personal data collected in a transparent manner, nor does it collect data directly from the data subject. Instead, it collects contact details of third parties stored in a user’s device without their consent,” he says.
Mbugua’s case also touches on what he claims is unequal treatment of Kenyan users compared to those in other regions with more established privacy protections.
He alleges that Truecaller applies stricter data protection standards in areas like Europe, where legal frameworks are more robust or where the company has faced legal action, while taking a more relaxed approach in places like Kenya. “Truecaller uses a generic privacy policy for jurisdictions like Kenya,” he argued, highlighting what he sees as an unacceptable disparity.
When Europe introduced the General Data Protection Regulation (GDPR), Truecaller decided to find a way around it. It moved all its data centres to India and in some ways, it became an “Indian” company to bypass GDPR. India doesn’t have a data privacy and protection bill yet, giving Truecaller a loophole to to argue that the GDPR isn’t applicable to Indian users. For taxation purposes, Truecaller becomes a Swedish company since India has a higher corporate tax rate.
One investigation looking into Truecaller’s business practices pointed out that a feature called ‘Enhanced Search’ was auto-checked whenever a mobile phone came pre-installed with Truecaller. In the company’s own words, “By enabling Enhanced Search, your contacts are securely shared with Truecaller.” That means users automatically share everything with Truecaller — names, numbers, email addresses and SMS content.
In 2019, Truecaller suffered a data breach that exposed the personal information of 300 million users. This information was released to the dark web where it was sold the next year. A Truecaller spokesperson said the app’s database was not attacked. “Data stored on our servers is highly secure, and we confirm that no security incident took place.” However, in 2016, the BBC reported that that Trucaller searches could be conducted on the app provider’s official website without even installing the software.
Now, the outcome of the Kenyan lawsuit could have wide-ranging implications for digital privacy in Kenya. As more companies expand their operations into the country, the question of how personal data is handled—particularly by global tech firms—has become increasingly urgent.
Mbugua’s case has the potential to set a legal precedent for data protection enforcement in the country, where concerns about privacy, security, and the accountability of digital platforms are growing.
At its core, this case reflects a broader challenge facing many countries as they seek to regulate the activities of global tech companies operating within their borders.
As Kenya moves deeper into the digital age, the need for strong legal frameworks that protect citizens’ personal data from misuse has never been more pressing. Whether Truecaller will be held accountable for its alleged violations remains to be seen, but the lawsuit has already cast a spotlight on the privacy concerns surrounding mobile apps in Kenya.