Kenya’s data protection landscape is evolving in response to rapid digitalization, which has led to increased data processing across public and private sectors. This growth underscores the necessity for a comprehensive data protection law to safeguard individuals from potential harms associated with improper data handling while fostering a reputable framework that enhances trust and expands the data economy. Key challenges include risks related to the misuse of personal data, particularly in political contexts, as well as opaque practices by private entities that compromise fairness in data processing. Opportunities exist for learning from other jurisdictions and implementing effective enforcement mechanisms. The brief highlights the importance of establishing an independent regulatory authority to oversee data protection and recommends a forward-looking legal framework that prioritizes individual privacy rights while facilitating economic growth through responsible data use.
The Current State of Data Protection in Kenya
The Constitution of Kenya, 2010, enshrines the right to privacy, which includes protection against unauthorized intrusions into personal communications and the unwarranted disclosure of private information. As technology rapidly evolves and drives the digital economy, reliance on personal data has surged. This trend necessitates robust data governance and responsive regulations to protect individual privacy while fostering innovation and economic growth. The Data Protection Act, 2019, was established to regulate personal data processing and create a framework for handling such information. It mandates that data subjects are informed about how their data is processed and grants them rights to access and rectify their information. Moreover, data controllers and processors are required to implement stringent security measures to protect personal data from unauthorized access and breaches.
To operationalize the Data Protection Act, a task force was formed in January 2021 to develop comprehensive regulations, resulting in three key sets of regulations gazetted in early 2022. These include the General Regulations, which outline enforcement procedures for data subjects’ rights; the Registration Regulations for data controllers and processors; and the Complaints Handling Regulations, which detail procedures for addressing non-compliance. Additionally, the Office of the Data Protection Commissioner launched its first strategic plan for 2022-2025, focusing on institutional capacity building, regulatory services, and awareness creation to enhance compliance with data protection standards. This framework not only marks a significant milestone for Kenya in data protection but also underscores the importance of balancing privacy rights with the need for a thriving digital economy.
In the past two decades, Kenya has experienced a remarkable surge in mobile communications and internet connectivity, leading to the emergence of a robust data economy. This data economy, which encompasses the wealth generated from data collection and processing, is pivotal to the fourth industrial revolution. Characterized by data-driven decision-making and the innovation of new products and services, this revolution harnesses digital technologies across various domains—physical, digital, and biological.
Data-driven decision-making has various effects on society, which could result in more efficient distribution of resources such as water, health, and emergency services. However, collecting and using data has direct implications for people’s right to privacy, which is constitutionally protected in Kenya. Inappropriate use of data can also propagate existing inequalities, as only those whose data is available are included in planning and decision-making. In other instances, data may be used to discriminate against particular groups. This may be deliberate, or it may result from automated decision-making, where the system, on the input given, makes an erroneous or rights-demoting decision.
Data-driven decision-making can enhance the efficient allocation of resources like water and health services. However, it raises significant privacy concerns, as individuals’ rights to privacy are constitutionally safeguarded in Kenya. Misuse of data may exacerbate existing inequalities, limiting participation in decision-making to those whose data is accessible. Additionally, data can be weaponized against specific groups, either intentionally or through flawed automated systems that generate harmful decisions based on biased inputs.
Kenya’s data economy encompasses both public and private sectors, with the government digitizing paper records through the Integrated Population Registration Services (IPRS). This initiative has centralized vast databases containing personal information from various registries, including those related to births, deaths, immigration, and more. Notable projects include the National Education Management Information System (NEMIS), which consolidates data on all school-age children, and biometric databases from the Independent Electoral and Boundaries Commission (IEBC) and other national funds.
Kenya is experiencing a surge in biometric technology adoption, with numerous private organizations implementing systems for voice, fingerprint, facial, and iris recognition to combat fraud. Many of these entities, including banks and mobile network operators, utilize the centralized government database for identity verification. The focus is shifting from merely validating documents to authentically verifying individuals’ identities. Consequently, both public and private institutions are actively updating their databases, often requiring individuals to provide new photographs or primary documents even when existing records are available.
Numerous laws in Kenya mandate data confidentiality, including the Official Secrets Act, Children’s Act, HIV and AIDS Prevention and Control Act, and the Witness Protection Act. Other relevant legislation includes the Banking Act, Credit Reference Bureau Regulations, Capital Markets Act, Access to Information Act, Public Archives and Documentation Service Act, Kenya Information and Communications Act (KICA), Private Security Regulation Act, and the Elections (Technology) Regulations of 2017. While these laws, along with professional ethics and judicial rulings, govern specific data processing scenarios, they do not comprehensively address all modern data processing challenges. For instance, educational institutions gather personal data from students without a requirement to safeguard it against unauthorized access. Additionally, online platforms like Facebook and Twitter lack data protection licensing under KICA. Previous legislative efforts to establish a data protection law have failed to progress in Parliament.
The rise of data-driven initiatives in Kenya has sparked concerns regarding economic, fairness, rights, and political implications. Economically, the absence of a policy or legal framework for the government’s digitalization project is troubling, as it collects vast amounts of personal data without clear guidelines on its intended use. While this data could enhance service delivery, it must be managed in ways that uphold rights and fairness. Long-term challenges in the data economy, such as internet access and capacity building for Kenya’s new economy, necessitate policy intervention. Although large corporations may already implement data protection measures and adapt to new standards once a framework is established, micro, small, and medium enterprises (MSMEs) and academic institutions may struggle without support. Therefore, targeted interventions are essential to help MSMEs enhance their data protection capabilities.
It is recommended that Kenya develop a comprehensive policy and legal framework for data protection, which should include an independent authority to ensure fair and just data processing while fostering the data economy. An effective framework must prioritize individual rights and address issues such as lack of awareness, consent, and automated decision-making, which can undermine fairness. Transparency should be a core principle, detailing how personal data is collected and ensuring informed consent from data subjects. The framework should also grant individuals the right to access, rectify their data, and protect them from decisions made solely through automated processes, as well as notify them in case of data breaches. This brief assesses the current state of data protection in Kenya, highlighting both challenges and opportunities.
Contributors & Contact Persons
Filden Oroni
Legal & Tax Associate
filden.oroni@ke.andersen.com
Dianah Mureithi
Head of Legal & Private Wealth
dianah.mureithi@ke.andersen.com