EABL’s Decade of Disgrace: From Boardroom Racism to Data Leaks in the Cloud
When the hashtag #EABLdataLeak began trending on Kenyan social media on May 6, 2026, fingers quickly pointed squarely at the company’s Group Legal Director, Nadida Rowlands.
The posts, by account @Fuckinoteri, stopped short of specific disclosures but escalated quickly into a second hashtag — #ArrestNadidaRowlands — elevating the tone from corporate complaint to criminal accusation.
The allegations remain unverified by independent reporting. But for COFEK, which has been watching East African Breweries Limited for over a decade, the script was instantly familiar.
The Man in the Hot Seat
Rowlands is no back-office figure. Appointed KBL Legal Director in June 2015 and elevated to EABL Group Legal Director in September 2018, he sits on the company’s executive leadership board, is publicly profiled on the corporate website, and has been cited under oath in High Court proceedings.
Crucially, EABL’s own description of his remit — as published in the GC Powerlist Africa 2018 — explicitly covers information management and security, corporate security, and brand protection across Kenya, Tanzania, and Uganda.
That detail is legally significant. Under Kenya’s Data Protection Act No. 24 of 2019, liability for a data breach does not rest with the technician who failed to patch a server.
It attaches at the level of governance — at the desk of the executive whose declared mandate includes information security. If the #EABLdataLeak allegations have merit, they target the precise person whose job it was to prevent exactly this kind of failure.
The Tracey Barnes Precedent
To understand why COFEK takes this seriously, one must go back to 2015 and the Tracey Barnes affair.
Barnes was EABL’s Group Finance Director, an expatriate seconded from Diageo’s global cadre, accused of systematic racial discrimination against Kenyan employees: setting deliberately unachievable performance targets, dismissing those who failed to meet them, and replacing them with foreign nationals.
When an anonymous complaint was filed with the Director of Immigration, COFEK did not wait for others to act. It wrote directly to the Directorate of Immigration demanding the immediate cancellation of Barnes’ work permit, warning that EABL had been allowed to function as a protected space for expatriate misconduct while
Kenyan workers suffered in silence on Kenyan soil. The letter was copied to EABL Group MD Charles Ireland and Diageo Global CEO Ivan Menezes.
Immigration summoned Barnes to Nyayo House. She subsequently departed Kenya.
EABL’s response was characteristic: the company denied having received any internal complaints and dismissed the allegations as calculated to tarnish a senior executive’s reputation. Barnes left. The institutional culture she represented did not.
Second Offence: Sandhya Padmanabhan
Barnes was barely out of the country before a second Diageo-seconded manager faced similar allegations. Sandhya Padmanabhan, Head of Premium Spirits Consumer Marketing, was reported by multiple sources inside and outside the company to have engaged in racially discriminatory treatment of Kenyan staff.
COFEK reported on the allegations directly. EABL stonewalled. The Padmanabhan episode was not merely additive to the Barnes affair — it established, beyond reasonable dispute, that EABL’s governance failures were systemic, a product of institutional culture rather than individual bad actors.
A Decade of Red Flags
The timeline tells its own story. In 2024, EABL was embroiled in anti-competitive practices allegations by African Originals, accused of orchestrating a product-launch smear campaign.
In December 2025, Diageo announced a $2.3 billion sale of its controlling 65% stake to Japan’s Asahi Group Holdings — a transaction still pending regulatory approval from the Competition Authority of Kenya, Tanzania, and Uganda.
By January 2026, Bia Tosha Distributors had filed a Further Amended Petition seeking to block the Asahi acquisition entirely, adding a KSh 45 billion claim and an injunction application.
By April 2026, Heineken’s Kenya Wine Agencies Limited (KWAL) had filed a formal complaint with CAK alleging long-standing dominant market abuse. And by June 2026, #EABLdataLeak and #ArrestNadidaRowlands were trending.
Why This Moment Is Different
The data leak allegations have surfaced at an extraordinarily consequential moment. EABL is in the middle of the $2.3 billion ownership transition to Asahi, a deal that Kenya’s Competition Authority has not yet approved and which is already under judicial siege from the Bia Tosha petition.
Into this volatile environment, allegations of internal data governance failure land with maximum disruptive potential.
For CAK, evaluating the public interest dimensions of the Asahi acquisition, evidence of systematic governance failures at EABL speaks directly to the institutional health of the entity being transferred — and to the adequacy of the compliance infrastructure that will govern the post-acquisition company.
Any evidence of governance failure that emerges before CAK’s decision could be deployed in the Bia Tosha litigation to argue that the target company’s compliance posture has materially deteriorated during the pendency of proceedings.
The Legal Exposure
The Data Protection Act is unambiguous. Section 43 empowers the Office of the Data Protection Commissioner (ODPC) to investigate breaches on its own motion or on complaint.
Section 69 empowers administrative fines where a breach is established. Section 72 creates criminal offences for intentional or reckless contraventions.
EABL holds personal data on over 1,600 direct employees and hundreds of thousands of indirect value chain participants — making it a major data controller.
Its Information Management and Security function, the function sitting squarely within Rowlands’ portfolio, is the primary governance mechanism through which it discharges its DPA obligations.
If that function has been compromised, the legal consequences flow directly upward to the accountable executive.
Critically, the DPA requires data controllers to notify the ODPC of a breach within 72 hours of becoming aware of it. Any gap between discovery and notification — or any failure to notify at all — would constitute an independent and serious contravention.
COFEK has seen this script before. Deny. Deflect. Wait for public pressure to dissipate. This time, the stakes — regulatory, financial, and legal — are far higher than a departing expatriate and a cancelled work permit.