Privacy and Data Protection Practices of Digital Lending Apps in Kenya

The Centre for Intellectual Property and Information Technology Law (CIPIT) has been studying the impact of digital identities on society.[1] This has included policy research on the legal and technical aspects of the national digital ID system Huduma Namba under which the Government is integrating all its identification documents. Our research shows that the national digital identity system also integrates with privately issued digital identities such as mobile phone numbers and social media accounts (Caribou Digital, 2019). We anticipate that as national digital ID uses increase, so will the linkage with private systems. This is already evident from e-government services, where payments for Government services, such as passport applications, drivers' licences, national health insurance and hospital bills in public hospitals, are made using mobile money platforms. We also appreciate that private digital ID is more developed and has more uses than national digital ID. For example, a 2019 survey, undertaken by the Central Bank of Kenya (CBK), estimates that access to financial products had risen from 26.7% in 2006 to 89% of the population in 2019. This is attributed partly to the availability of digital products such as "mobile banking, agency banking, digital finance and mobile apps" (Central Bank of Kenya, 2019, p. 8). These products make use of personal data, which broadly falls under digital identities. This study seeks to understand the privacy implications of digital ID by looking at digital lending apps.
Digital lending is a relatively new phenomenon in Kenya. It builds upon existing systems such as microfinance as well as mobile money. Microfinance may be defined as financial mechanisms targeting low-income individuals who lack access to traditional banking services (Microfinance Act 2006, s. 2 & 3). Unlike conventional banking that requires collateral in the form of property, microfinance uses non-property guarantees for loans such as social reputation, financing to women's groups as opposed to individuals, and other innovative guarantees. Building on this, digital lending leverages behavioural data collected as one uses a mobile phone. Examples of such data include type of phone, location, contacts, apps and mobile money transactions.

[1] The Centre for Intellectual Property and Information Technology Law (CIPIT) would like to acknowledge Privacy International for their generous support towards this research project. The official website is CIPIT, 'Digital ID'. https://cipit.strathmore.edu/digital-id/.
The FinAccess (2019) household survey estimates that about 14% of Kenyan adults have taken a digital loan, either through mobile banking or an app (Central Bank of Kenya, 2019, p. 5). Literature traces the history of mobile lending in Kenya to the growth of mobile money services such as Mpesa (Breckenridge, 2019, p. 91). From 2012, Safaricom, which operates Mpesa, began offering mobile loans known as Mshwari. Banks also joined in and began offering digital loans through products such as KCB-Mpesa by KCB Bank and Eazzy Loan by Equity Bank. They have been joined by financial technology (fintech) apps like Branch, Tala and Okash more recently. These apps, which require one to have a smartphone, rely on behavioural data to determine creditworthiness. This study is concerned with the privacy practices of digital lending apps. It begins with a brief literature review on digital lending apps, finding that previous studies, particularly local ones, have focussed on non-data aspects of the apps. Global policy-making bodies have mooted personal data or digital ID as a means to financial inclusion; thus, this study analyses how the primary law on personal data in Kenya, the Data Protection Act 2019 (DPA), applies to digital lending apps. It goes further to test how privacy and data protection are applied by considering the permissions that several of the popular apps require, as well as the servers that the apps connect to.

LITERATURE REVIEW
A preponderant amount of the literature reviewed approaches digital lending from development perspectives, focusing on its potential for poverty reduction and financial inclusion. There is also literature considering the data aspects of financial inclusion, thereby linking digital ID and fintech.
Issues from a development perspective include the impact of mobile loans on overall income and wealth (Suri et al., 2018), household access to digital loans (Central Bank of Kenya, 2019), loan pricing (Mastercard Foundation, 2019), and financial literacy (Wamalwa et al., 2019). Research around financial inclusion has also included studies (Mastercard Foundation, 2019) and experiments (Habyarimana et al., 2018) with financial products targeting low-income earners. There is also critique of the financial inclusion rationale in digital lending, with some studies highlighting the inequality created between borrowers and the app owners (MicroSave Consulting, 2019). For example, the borrowers, who are often poor, are indebted, sometimes perpetually, as they borrow small sums to meet basic needs while keeping their credit profile positive.
The role of digital technologies such as fintech in alleviating the effect of the COVID-19 pandemic cannot be gainsaid (Taylor et al., 2020). Locally, the CBK suspended transaction charges on person-to-person mobile money transfers of up to 1000 Kenya Shillings, so as to encourage cashless transactions (Central Bank of Kenya, 2020a). A similar directive was given for bank account to mobile money transfers. The directives were extended until the end of 2020. In April 2020, CBK also locked out digital lenders from credit information sharing services by barring them from submitting or accessing credit reference bureaus. This was meant to ensure digital borrowers, who are predominantly poor, are not precluded from accessing affordable loans due to poor credit histories.
Literature has now established that application of digital technologies to social problems is not a panacea to equity. It could either contribute to equity or exacerbate existing inequality (Taylor L, 2017). For example, in response to the CBK directive suspending digital lending apps from the credit information-sharing system, digital lending apps immediately suspended customer credit limits (Wambu, 2020). For return customers, the credit apps typically expand or reduce their loan limits depending on how well they have honoured the terms of their loans. Some customers had progressively expanded their credit limits as a result of timely repayments. They were therefore surprised to find that they either could not borrow or could only borrow a small amount. This action by the apps demonstrates some of the problems with digital lending. As their business model depends on information, they argued that they could not continue dispensing loans without the assurance from credit information-sharing services (Digital Lenders Association of Kenya, 2020). However, since most of their customers are unaware of the factors that the apps consider when issuing them with loans, they felt unfairly treated when their loan limits were arbitrarily suspended or terminated. In this scenario, there was no direct authority to whom the customers could complain (Wambu, 2020). This calls for analysis of how privacy and data protection are incorporated into fintech.
From a data perspective, fintech has been linked to the rollout of digital ID by states. Actors such as the World Bank and the World Economic Forum (WEF) view digital ID as a catalyst for financial inclusion (World Economic Forum, 2016). Closer home, Breckenridge (2019) relates the evolution of digital ID in Kenya to the need for a credit-sharing mechanism to support digital lending (p. 78). Research by Privacy International (2017) shows how data-intensive the financial sector is. It explores financial identity, a concept that supports practices such as electronic Know Your Customer (eKYC) and unique personal identifiers (UPIs). Through digital ID, financial lenders can share data on people's financial habits, making it easier to issue loans backed by historical data.
National digital ID projects have been the subject of litigation for, among other things, excluding vulnerable populations from vital services as well as limiting the right to privacy (Caribou Digital, 2019). In a case such as Nubian Rights Forum & 2 others v Attorney-General & 6 others (2019) challenging Huduma Namba, the petitioners argued that it locks out those who have historically been denied documents such as birth certificates and national identity cards. They narrated the difficulties faced by these groups in what are considered normal processes for the average Kenyan (for example acquiring a phone number), and prayed for a digital ID system that prioritises the marginalised. Another argument was that Kenya did not have adequate privacy and data protection laws to assure the security and integrity of data collected from the project. The DPA was passed in the course of the petition, giving the Huduma Namba project a lifeline.
There are several studies demonstrating how fintech impacts privacy and data protection (Privacy International, 2017). This can be traced to mandatory SIM card registration which increased the identifiability of data on mobile money transactions, leading to the growth of an economy created from personal data (Breckenridge, 2019). Privacy in welfare programmes has also been studied widely in India, which has the world's largest digital ID system, Aadhaar. In Africa, Carmona (2018) discussed a cash transfer programme involving social welfare grants in South Africa where social welfare recipients' data was repurposed for marketing by a third-party company linked to the private company involved in disbursement of the funds. The study brings to light less obvious hazards to privacy in publicly funded but privately executed welfare programmes.
This study contributes to the strand on digital identities and fintech from a data protection perspective. It advances research by CIPIT partners, Privacy International, on data privacy practices by financial institutions, particularly digital lending apps. It explores questions around the nature of data collected by fintech apps and privacy practices in response to the DPA.

Data Protection Principles
Digital lending apps are subject to the DPA since they involve processing of personal data. As shall be illustrated in the section on permissions, the apps access various types of data such as phone identity, messages on the phone, network connections, phone storage as well as location.
The DPA sets out principles that persons processing data must adhere to. These include protecting the privacy of data subjects, processing data in a lawful, fair and transparent manner as well as providing a valid explanation to the data subject for data processed. There are also several limitations on data practices including on purpose, adequacy and retention. Further, data controllers and processors must keep accurate data and provide means through which data subjects can request correction or deletion of inaccurate data. In addition, data can only be transferred outside Kenya to countries with adequate data protection frameworks. The following table summarises the data protection principles and their application to digital lending apps.

Right to privacy
Everyone has a right to be protected from unnecessary disclosure of their private and family affairs. Taking up of loans is a private affair that should not be disclosed.

Lawful, fair and transparent processing - Section 25(b)
Digital lending apps should disclose what information is gathered from the apps and how it is processed. Information gathered should also be pursuant to either a law or legitimate purpose, which in the case of digital lending could be credit scoring and keeping business records.

Purpose limitation - Section 25(c)
Borrowers should be provided with information on the purposes for which their information is collected. Digital lending apps should not repurpose the information they have without informing and obtaining the borrower's consent.

Adequacy limitation - Section 25(d)
Digital lenders should only process data that is relevant and sufficient for their purpose(s). They have access to data that is volunteered by the borrower at the registration stage, data that is gathered by the app through access to the borrower's smartphone, as well as data that is inferred from analysing the first two types of data.

Valid explanation - Section 25(e)
Digital lenders determine creditworthiness by analysing phone data, and access personal data on the borrower's family and private affairs. They should therefore give a valid explanation as to why the family and private information is required.

Accuracy - Section 25(f)
Digital lenders should keep accurate information on borrowers. This includes promptly updating their repayment histories on the credit information-sharing system.

Retention limitation - Section 25(g)
Digital lenders should not keep data perpetually. Digital lending apps should inform their customers how long their data, including inferred data, is kept and for what purposes.

Transfer outside Kenya - Section 25(h)
The DPA requires protection for personal data being transferred outside the country.

Other Relevant Provisions of the DPA
Other relevant provisions of the DPA relate to: the rights of data subjects, direct collection of data from the data subject, notification requirements, data protection impact assessment (DPIA), automated decision-making, data portability, and data protection by design and default.

Rights of the Data Subject
Borrowers on digital apps are data subjects with the right to be informed about the way in which their data will be used (DPA 2019, s. 26). They also have a right to access their personal data held by the lender and, in some instances, can object to processing of part of their data.

Collection of Data from the Data Subject
Section 27 envisages that data shall be collected from the data subject directly. However, digital lending apps also gather and infer data from the borrower's smartphone and other sources. Any other collection is subject to consent of the data subject. The DPA defines consent as the 'manifestation of express, unequivocal, free, specific and informed' agreement by the data subject (s. 2). Digital lending apps collect data through inference, which is not clear to many consumers.

Notification and Information
The DPA envisages various situations where the data processor or controller is required to notify the data subject about processing activities (s. 29). Under this scheme, data subjects should be informed about their rights, the purposes for data collection, third parties with whom the data will be shared, contacts of any entity that may receive the data, a description of organisational and security measures taken to ensure integrity of the data, data collection that is mandatory and that which is voluntary, and the consequences where the data subject does not provide some of the data.

DPIA
The DPA subjects data processing activities that are likely to pose a high risk to the rights of data subjects to an assessment of such risks and their mitigation (s. 31). DPIAs on digital lending apps also relate to consumer rights such as reasonable quality of services, consumer information and protection of health, safety and economic interests, as they demand of the data processor a systematic analysis of all the principles of data protection in relation to their processing activity.

Protection from Automated Decision-Making
The DPA protects data subjects from decisions based solely on automated processing (s. 35). Automated processing in digital lending includes profiling of the data subject during credit-scoring (Privacy International, 2017) and possibly listing of defaulters with credit reference bureaus. Digital lenders determine creditworthiness through analysis of the borrower's phone data using technologies such as algorithms to set loan limits, and in some cases, interest rates, repayment periods and penalties (Privacy International, 2017).

Data Portability
This is the right of a data subject to receive data about them in a meaningful format to enable its further use (DPA 2019, s. 38). Ideally, digital lenders should be able to provide their borrowers reports and analyses with which they can move to other lenders. A person who has been borrowing from one lender should be able to move to another lender without having to start a fresh profile.

Data Protection by Design and Default
The data protection framework requires data controllers to design products that incorporate data protection principles. In the event that the products were designed prior to the law, they should be reconsidered, and protection safeguards added to ensure that the products protect and promote privacy (DPA 2019, s. 41).

THE STUDY
The study seeks to understand the privacy practices of digital lending apps by analysing their privacy and data protection practices generally. It more specifically delves into a particular aspect: their sharing of data with third parties. Each of these steps, together with the challenges faced in the study, is briefly explained below.

Methodology
Once we had established the legal framework applicable to digital lending apps, we selected a few apps for the study. We analysed the privacy policies of these apps and noted their data-sharing policies. We also used a proxy tool to determine data collected by the apps at start-up.

Apps Selection
Data collection began by identifying a sample of the leading digital lending apps in operation in Kenya (SimilarWeb, 2021) on Google Play Store, where the majority of smartphone users source their apps. The study narrowed down to seven apps guided by the following criteria, whether:
a) The app formed part of the top ten digital lending apps in operation at the commencement of the study;
b) The app was operational within Kenya; and
c) The app was downloadable from the Google Play Store, thus operational on Android phones, which are widely available in Kenya.
Eventually, we studied seven apps, as summarised in Table 2. We established their registered ownership and also noted whether the app was deposit taking, therefore regulated by CBK, or non-deposit taking (Kazeem, 2019).
The study sought to understand what data is accessed as well as other issues around the data, for example, how often it is accessed, and who accesses it. To analyse data handling, we listed the permissions that each app requires at installation. We also analysed the privacy policies of all the apps and listed the data-sharing policies.

Trackers
To study whether the apps shared user data collected by the trackers with third-party services, we set up the Fiddler proxy server tool with a physical device (Google Pixel) to collect the data by intercepting the web traffic. We were able to collect some data regarding the application programming interface (API) endpoints the applications were sharing data with, on application start. We compared the data collected with existing privacy studies such as Exodus Privacy (n.d.).

Challenges and limitations
The main challenges faced were i) selection of a traffic-monitoring methodology that is legally acceptable, and ii) unavailability of appropriate phones for the study locally.

Legality of Traffic Monitoring
Analysis of the actual data that digital lending apps access and share with third parties, if any, requires interception of the traffic being sent from the app to the third party server. Interception is outlawed under the Kenya Information and Communications Act 2011 (s. 31) as well as s. 17 of the Computer Misuse and Cybercrimes Act 2018. While the DPA envisages research as a basis for processing data (s. 52 & 53), such data processing has to be done by a data owner or on authorisation by the owner. Digital lending apps consider the apps their property. Some explicitly prohibit interception of traffic. We were therefore limited to monitoring the servers that the apps connect to at start-up and could not probe further what data the third party servers access.

Unavailability of Appropriate Phones for the Study Locally
Another challenge faced was in obtaining a phone that could carry out technical analysis. The most popular and widely used phones in the country are from the company Transsion Holdings. These include the brands Tecno, Itel and Infinix. Other popular brands are Oppo, Huawei and Xiaomi. These phones, it turned out, could not be rooted and therefore could not be studied using the man-in-the-middle (MITM) software (Privacy International, 2019). The technical team therefore decided to use Google Pixel, which is friendlier to developers. However, this phone had to be sourced abroad, which delayed the study.
An issue noted with the popular phones was that they had preinstalled apps which a user cannot uninstall. These are popularly known as bloatware, due to the space and resources they occupy in the smartphone. It was not clear from the study whether there is any relationship between the bloatware and digital lending apps, and this was marked as an issue for further study.

App Permissions
The study gathered data on permissions that digital lending apps require on installation for seven apps as shown in Table 3 below.

Discussion
All the apps read contacts and location data, and have access to network connectivity data. This could be for purposes of geo-locating the loans to Kenya. However, the apps have continuous access to location data, meaning that they track borrowers' movements. Notably, Okash requires an extra location permission, 'access extra location provider commands'. Coupled with the fact that the apps run at start-up and prevent the phone from sleeping, this raises issues from a data protection perspective, for example, transparency and data minimisation. Does a loan app need to study borrowers' movements constantly? To what other use is such location data put?
Other permissions that raise data protection concerns include Branch's requirement to access the borrower's phone microphone in order to record audio as well as Okash's access to the calendar, which includes the permission to add or modify calendar events and email guests without the borrower's knowledge.
Most of the apps read phone status and identity and text messages on the phone. As with other permissions, this was not a one-off permission required during installation, but constantly required.
Three apps, Branch, Okash and Lioncash, use referrer APIs. An install referrer is described as "an identifier unique to Android devices which enables marketers to attribute ad activity to media sources for Google Play Store apps" (Neto, 2017). This means that data on borrowers who install the lending apps from other pages or apps is also recorded.
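The permission review described in this section can be repeated on any app's manifest. The following is an added example, not the study's own tooling: it parses a constructed AndroidManifest.xml, groups the requested permissions into the data categories discussed above, and applies the text's reasoning that location access combined with run-at-start-up and keep-awake permissions amounts to persistent tracking. The package name, the permission-to-category mapping and the set of categories treated as already justified are assumptions of the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: mapping from Android permission names to the data categories
# named in the discussion above.
CATEGORIES = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_LOCATION_EXTRA_COMMANDS": "location",
    "android.permission.ACCESS_NETWORK_STATE": "network connections",
    "android.permission.READ_PHONE_STATE": "phone status and identity",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE":
        "install referrer",
}
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"  # run at start-up
WAKE = "android.permission.WAKE_LOCK"               # prevent phone from sleeping

# Constructed sample manifest for a hypothetical lending app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lender">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Assumption: categories the app's privacy policy ties to credit scoring.
JUSTIFIED = {"phone status and identity", "text messages"}


def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    # Both element kinds request permissions; the second applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names


def review(manifest_xml, justified):
    """Group permissions by data category and flag what needs justification."""
    perms = requested_permissions(manifest_xml)
    by_category, unmapped = {}, []
    for perm in sorted(perms):
        if perm in (BOOT, WAKE):
            continue  # behavioural permissions, assessed in combination below
        category = CATEGORIES.get(perm)
        if category is None:
            unmapped.append(perm)
        else:
            by_category.setdefault(category, []).append(perm)
    return {
        "categories": by_category,
        # Categories with no stated purpose: adequacy and purpose questions.
        "to_justify": sorted(c for c in by_category if c not in justified),
        # Heuristic from the text: location + start-up + keep-awake.
        "persistent_location": (
            "location" in by_category and BOOT in perms and WAKE in perms
        ),
        "unmapped": unmapped,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_MANIFEST, JUSTIFIED).items():
        print(key, "->", value)
```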

Digital Lending Apps And Third-Party Data-Sharing
In pursuing the question of what other uses the data collected by digital lending apps was put to, the study attempted to find out whether digital lending apps share borrowers' data with third parties and if so, which ones.
In their privacy policies, all the lending apps disclosed that they share certain data with third parties, for example, for purposes of verifying identity, and in the normal course of business. Table 4 summarises how the privacy policies of the various apps address data-sharing with third parties.

Discussion
All the apps inform borrowers that the verification of their identity or phone numbers is carried out. For Okash, the verification includes the emergency contact declared by the borrower. It appears that the verification happens outside the apps, although apps such as Tala disclose that they store the data in their system. The verification involves back-linking with Government and private digital ID databases. For example, the apps use the Integrated Population Registration Services (IPRS) system to verify the borrower's national ID number. Some, such as Okash, also explain that they verify the phone number using the mobile network operator systems. This illustrates the inter-linkage between public and private identity systems.
All the apps also state that they share data with credit reference bureaus. Notably, at the onset of the COVID-19 pandemic, the CBK withdrew approvals given to "digital (mobile-based) and credit-only lenders as third-party credit information providers to CRBs" (CBK, 2020d). This means that non-deposit taking apps such as Tala, Branch, Okash and Lioncash can no longer share information with credit reference bureaus. The effect of the withdrawal from the system was that digital lending apps immediately suspended loan limits for their borrowers. For example, borrowers who had built positive credit profiles by repaying their loans on time, and were therefore eligible for higher loans, were suddenly unable to get their loans within their limits or any loans at all (Milcah, 2020). Digital lenders argued that since their loans are backed, not by deposits but investments, investors had to be consulted over the new changes. However, the decision was made without consultations with customers, raising questions of transparency in data processing.
Notably, while some of the apps disclosed that they study borrower behaviour for purposes of marketing, none of them explained that they share data with third parties that engage in data analysis. In the next section, this study attempts to establish whether the apps connect with data analytic companies that are also known to sell ads.

Checking Data on Trackers
The third point of data collection was to check for trackers. A tracker may be defined as "a piece of software meant to collect data about you or your usages" (Exodus, n.d.). There are various types of trackers such as crash reporters, which inform the app company about performance outages, analytics that collect data about how the customer uses the app, profiling that collects data about the app user's behaviour, ads that serve targeted ads to the customer as well as location trackers that determine the geographical location of the phone where the app is installed.
To learn the trackers used by the seven apps, the study collected data on API endpoints the applications were sending data to, on application start. Table 4 is a summary of the data collected.

Discussion
The data above shows the information exchanged between the apps and the host at start-up. The data is evidence of the apps connecting to different types of trackers such as the app companies' servers, crash reporters, analytics and location data. For example, Tala, KCB and Equity all connect to location data through the Google user location API. Generally, non-deposit taking apps gather more data compared to apps that offer other banking services.
The apps connect to those tracking services every time the app is launched. For example, http://userlocation.googleapis.com:443 ensures that the app will always have the user's location data, which could be used for unsolicited advertising. api.amplitude.com:443 HTTP/1.1 tracks deleted accounts, indicating that borrowers' data is tracked even for services they may have opted out of.
Evidence indicates that linkages to third-party APIs include the Facebook Graph API (Facebook Developers, n.d.), which is the primary means of getting data in and out of Facebook. Four of the apps, Branch, Equity, Timiza and Lioncash, connected to the API at start-up.
The data also indicates connection to bespoke data analytics companies which study user behaviour and sell targeted ads. The Adjust (n.d.) API found on Tala is a retargeting software, which studies user behaviour. According to their website, they help to target ads in real time through retargeting and exclusion targeting. Braze, also found on Tala, is a targeted ad company. It describes itself as a mobile engagement platform that helps brands connect to consumers through data (Braze, n.d.). Another data analytics API is Amplitude (n.d.), which appeared on both Tala and Branch. Branch also connected to the analytics firm Appsflyer (n.d.).
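The start-up check described in this section needs only connection metadata. The following is an added example, not the study's own tooling: it reads constructed proxy CONNECT lines, maps each host to one of the tracker types defined above, and lists the third parties that fall outside what an app's privacy policy discloses. The app names, the disclosed-category sets and the vendor-to-category mapping are assumptions of the example.

```python
import re

# Assumption: vendor domain suffixes mapped to the tracker types defined in
# this section. A real audit would extend this from a maintained tracker list.
TRACKER_SUFFIXES = {
    "userlocation.googleapis.com": ("Google user location API", "location"),
    "graph.facebook.com": ("Facebook Graph API", "profiling"),
    "amplitude.com": ("Amplitude", "analytics"),
    "appsflyer.com": ("AppsFlyer", "analytics"),
    "adjust.com": ("Adjust", "ads"),
    "braze.com": ("Braze", "ads"),
}

# An HTTPS tunnel request as a proxy records it when traffic is not decrypted.
CONNECT_RE = re.compile(r"^CONNECT\s+([A-Za-z0-9.-]+):(\d+)\s+HTTP/\d\.\d$")

# Constructed start-up captures for two hypothetical lending apps.
CAPTURE = {
    "lender_a": [
        "CONNECT api.lender-a.example:443 HTTP/1.1",
        "CONNECT userlocation.googleapis.com:443 HTTP/1.1",
        "CONNECT api.amplitude.com:443 HTTP/1.1",
        "CONNECT app.adjust.com:443 HTTP/1.1",
        "CONNECT API.Amplitude.com:443 HTTP/1.1",   # repeat, different case
        "GET /favicon.ico HTTP/1.1",                # not a tunnel, ignored
    ],
    "lender_b": [
        "CONNECT api.lender-b.example:443 HTTP/1.1",
        "CONNECT graph.facebook.com:443 HTTP/1.1",
        "CONNECT telemetry.vendor.example:443 HTTP/1.1",
    ],
}
FIRST_PARTY = {"lender_a": ["lender-a.example"], "lender_b": ["lender-b.example"]}
# Assumption: tracker types each app's privacy policy discloses.
DISCLOSED = {"lender_a": {"location"}, "lender_b": {"profiling"}}


def parse_connect(line):
    """Return the lower-cased host of a CONNECT line, or None if malformed."""
    match = CONNECT_RE.match(line.strip())
    return match.group(1).lower().rstrip(".") if match else None


def matches(host, suffix):
    """Match on a label boundary so 'notadjust.com' is not 'adjust.com'."""
    return host == suffix or host.endswith("." + suffix)


def classify(host, first_party=()):
    """Return (vendor, tracker type) for a host."""
    if any(matches(host, suffix) for suffix in first_party):
        return ("app operator", "first-party")
    for suffix, label in TRACKER_SUFFIXES.items():
        if matches(host, suffix):
            return label
    return ("unknown", "unclassified")


def audit(lines, first_party, disclosed):
    """Summarise one app's start-up capture against its disclosures."""
    hosts = sorted({h for h in map(parse_connect, lines) if h})
    report = {"undisclosed": [], "unclassified": []}
    for host in hosts:
        vendor, category = classify(host, first_party)
        if category == "unclassified":
            report["unclassified"].append(host)   # needs manual review
        elif category != "first-party" and category not in disclosed:
            report["undisclosed"].append((host, vendor, category))
    return report


if __name__ == "__main__":
    for app, lines in CAPTURE.items():
        print(app, audit(lines, FIRST_PARTY[app], DISCLOSED[app]))
```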
Relating this data back to Tables 2 and 3 that list permissions required by the apps and disclosures about how data is shared with third parties respectively, the evidence of trackers leads us to several conclusions:
(a) Digital lending apps are not only about giving loans to borrowers. The relationship extends to studying borrowers' behaviour. This is inferred from the evidence of trackers that constantly track borrower behaviour such as the Facebook API and user location.
(b) Digital lending apps share data obtained from studying borrowers with third parties such as data analytic companies who later use the data for marketing and ads. This is deduced from the evidence of apps connecting to data analytic companies such as Adjust, Amplitude and Braze.
(c) The data aspect of digital lending apps is ubiquitous to the borrower as well as policy-makers and regulators. Hence, previous regulatory efforts have focused on financial fairness, for example regulating interest rates and protecting borrowers from effects of negative listing on credit information-sharing systems. Regulating profiling of borrower data with third party data analytics and marketing companies has not been considered.

Summary of Findings
This study sought to understand the privacy and data protection practices of digital lending apps. From the analysis of the sampled digital lending apps, the study found that the apps do not comply with the provisions of the DPA. Table 7 below summarises the gaps between the practices of the apps and the DPA. The right to privacy extends to privacy of communications, yet the model of non-deposit taking loan apps depends on analysing personal data on the phone and making inferences such as a borrower's creditworthiness. This infringes on privacy.

Lawful, fair and transparent processing -Section 25(b)
Digital lending apps give financial information such as cost of loans in the app, even before it is downloaded. However, information on data aspects was not as explicit. For example, even where an app explains that it uses data on the borrower's phone to determine credit limits, the parameters used in determining creditworthiness are not known to borrowers. This was particularly evident after the COVID-19 pandemic when some of the apps abruptly suspended the system of loan limits.

Purpose limitation -Section 25(c)
As noted from Tables 5 and 6, some digital lending apps connect to well-known data analytic systems. While the study could not establish if the data is sold, it raises concerns that the data is used for purposes other than determining creditworthiness. Some banks send prospecting messages to would-be customers, stating loan amounts they qualify for without disclosing how the loan limits were arrived at. This means that the banks use information collected or analysed from other sources. Such information is collected for other purposes, and may not be related to the purpose of prospecting for new customers.

Adequacy limitation -Section 25(d)
As shown in Table 4 on permissions required by the digital lending apps, the amount of data collected is vast. The granularity of data collected is also deep, raising questions as to how much behavioral information is required to determine creditworthiness. Coupled with the fairness principle, there are also questions on whether data needs to be collected continuously, or whether a good credit history could suffice. Notably, there is a credit information-sharing system from which stakeholders can access borrower's data.

Valid explanation -Section 25(e)
It was noted that the privacy policies as well as terms are all in the English language. None of the apps studied provided notices in local languages or in forms other than written terms posted on their websites.

Accuracy -Section 25(f)
Keeping accurate information on borrowers is of utmost importance in the digital loan contract. This is because credit information is shared with other stakeholders. Credit information sharing has a legal effect as it determines the borrower's credit profile not only within the particular lending app but also with other stakeholders such as banks. Therefore, wrong credit information could deny a borrower better terms in future.

Retention limitation -Section 25(g)
Digital lenders do not inform their customers how long their data, including inferred data, is kept, and for what purposes.

Transfer outside
The Google Play Store does not always identify the app owner sufficiently. While it may be easier for customers to recognise bank-owned apps, non-bank-owned apps are not always recognisable. Even where an app is owned by a Kenyan entity, this does not automatically mean that it stores data in Kenya or another country with adequate data protection laws.

Rights of the data subject -Sections 26 and 27
The right to correction or deletion of false or misleading data is very relevant in addressing the complaints about borrowers' repayments not being updated, or defaulters not being de-listed from credit reference bureaus once discharged. 8

Collection of data from the data subject directly -Section 28
It can be inferred from Table 4 on permissions that communication from persons who do not have any relationship with digital lending apps is collected. This is possible when the apps read messages or other media in the borrowers' phones.

Notification -Section 29
The notification requirements are legal tools through which consumer information rights are respected. While there are digital lenders who provide these notifications through terms and conditions, it was noted that the privacy policies and terms are all in the English language. None of the apps studied provide notices in local languages or in forms other than written terms posted on their websites. In addition, not all the notifications are a one-time requirement. For example, sharing consumer data with third parties may occur when authorities or business partners seek business statistics. Borrowers should be notified when such third-party data-sharing occurs. In the event of a change of business ownership on the part of the lender, the borrowers should not only be informed, but also afforded an opportunity to object or restrict the processing of their data.

DPIA
None of the apps reviewed had a published DPIA. This may be because the DPA is novel, having come into force only a year ago. Digital lending apps should carry out comprehensive DPIAs since they process sensitive personal data.

Protection from automated decision-making -Section 35
The apps explain that they analyse data to determine creditworthiness; this is automated decision-making. However, they do not explicitly provide mechanisms for redress for borrowers aggrieved by automated decision-making.

Data portability -Section 38
The apps do not provide information on how one can port their data to another service provider. This calls for digital lenders to incorporate interoperability as part of their system design. The regulator should also intervene to ensure that borrowers are not locked to one lender. Data portability is one tool through which this may be achieved.

Data protection by design and default -Section 41
The digital lending apps do not protect and promote data protection by design. For example, they do not incorporate meaningful consent. 9 They also lack sufficient information on the types of data being collected. In addition, it is not disclosed to consumers how long their data is kept and who it is shared with. Further, there isn't enough communication or notification to consumers on processing that affects their interests.

A Note on COVID-19 and Digital Lending Apps
In response to the COVID-19 pandemic, the government gave directives aimed at enhancing cashless transactions and cushioning the poor from the effects of reduced economic activities (Kenya Law, 2020). Among these was the removal of non-deposit taking digital lending apps as credit information providers (Central Bank of Kenya, 2020b). This effectively locked out non-deposit taking apps from reporting defaulting borrowers in the credit reference information sharing system.
In response, non-deposit taking digital lending apps suspended loans for borrowers. They also suspended credit limits for customers who had built positive credit histories by borrowing and paying consistently on time (Wambu, 2020). Some of the user complaints noted from the Google App Store, as well as social media handles of digital lenders, point to a change of policies by the lenders as a result of COVID-19 and a lack of information on the policies. Borrowers and the public were not notified of these changes.
Eventually, digital lenders through their association, Digital Lenders Association of Kenya (DLAK), announced that they would support the Government policy on restructuring loans (Central Bank of Kenya, 2020c) to assist borrowers that were facing difficulties as a result of the pandemic (Wako, 2020).

CONCLUSION
The study found that the sample of seven digital lending apps in the study have all published privacy policies that attempt to align them with the DPA. However, as summarised in Table 7, the policies, combined with practices such as sharing data with third parties, do not comply with the DPA. On the particular issue of third-party data-sharing, the study found evidence of some of the apps having embedded trackers that profile user behaviour. This demonstrates the challenges of privacy and data protection as a means of regulating a business whose model depends on analysing personal data. It is compounded when data is shared with third parties that may process it for other purposes such as marketing and advertising. To remedy these problems, regulators need to expand their focus from financial aspects of digital lending apps to data aspects, including the principles under the DPA, and the issue of third-party data-sharing.