Data Protection in Kenya
In the wake of high-profile cases like the recent lawsuit by Moi University student David Mokaya against Safaricom for alleged unauthorized disclosure of personal data, Kenya's data protection landscape is under intense scrutiny. The Data Protection Act, 2019 (DPA) serves as the cornerstone of privacy rights in the country, giving effect to Article 31 of the Constitution, which guarantees the right to privacy. As Kenya advances its digital economy—with rapid growth in fintech, e-services, AI adoption, and telecom infrastructure—robust data protection is essential to build public trust, prevent abuse, and foster innovation.
Legal Framework
The DPA, enacted in November 2019, is modeled after the EU's GDPR and applies to all data controllers and processors handling personal data of individuals in Kenya, whether public or private entities, including telecom operators like Safaricom. It establishes the Office of the Data Protection Commissioner (ODPC) as the independent enforcement authority responsible for registration, oversight, complaints handling, and imposing penalties.
Key supporting regulations include:
- Data Protection (General) Regulations, 2021 – detailing data subject rights, breach notifications, and data protection by design.
- Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 – mandating registration for entities meeting certain thresholds, especially in high-risk sectors like telecommunications.
- Data Protection (Complaints Handling Procedure & Enforcement) Regulations, 2021 – outlining procedures for investigations and remedies.
Organizations must register with the ODPC, appoint Data Protection Officers where required, conduct Data Protection Impact Assessments for high-risk processing, and implement security measures to protect data integrity.
Core Principles of Data Protection
Section 25 of the DPA outlines fundamental principles that every data controller or processor must follow:
- Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Data collected for explicit, specified, and legitimate purposes cannot be further processed in a manner incompatible with those purposes.
- Data Minimization: Processing is limited to what is adequate, relevant, and necessary for the stated purpose.
- Accuracy: Data must be accurate and kept up to date; inaccurate data rectified or erased promptly.
- Storage Limitation: Data retained only as long as necessary for the purposes.
- Integrity and Confidentiality: Data must be protected against unauthorized access, loss, or damage through appropriate technical and organizational security measures.
- Accountability: Controllers demonstrate compliance with all principles.
These principles ensure personal data—ranging from names and phone numbers to location and communication records—is handled responsibly, with explicit consent or other lawful bases required for most processing.
Enforcement and Recent Developments
The ODPC has increasingly demonstrated enforcement teeth. In the telecom sector, notable actions include fining Liquid Telecommunications Kenya KSh 700,000 in 2025 for unlawful processing without consent and failing to honor erasure rights. Other penalties have targeted unsolicited marketing, unauthorized data retention, and breaches involving sensitive data. These cases signal a shift toward stricter accountability, especially for telecoms handling vast subscriber datasets.
Violations can lead to administrative fines, enforcement notices, compensation orders, and reputational damage—underscoring that compliance is no longer optional in Kenya's evolving regulatory environment.
The Future of Data Protection in Kenya
As Kenya positions itself as a regional digital hub—driven by 5G rollout, AI integration, cloud services, and cross-border data flows—data protection trends point to greater maturity in 2026 and beyond. The ODPC's 2026 Data Privacy Conference emphasized "Trust the Data, Drive the Future," highlighting privacy as a strategic enabler of economic growth rather than a barrier.
Emerging trends include:
- Stricter enforcement with more audits, higher fines, and sector-specific guidelines for telecoms, fintech, and AI.
- Integration of global standards, potentially pursuing EU adequacy status for smoother data transfers.
- Rising focus on AI governance, breach response (notifications within 72 hours), and privacy-enhancing technologies like tokenization and differential privacy.
- Public awareness growth, leading to more complaints and demands for transparency in politically sensitive investigations.
- Regulatory sandboxes and agile policies to balance innovation with protection amid rapid digital adoption.
The Mokaya case exemplifies these shifts: unauthorized disclosures without warrants challenge telecom compliance norms and could push for mandatory judicial oversight, stronger internal protocols, and ODPC intervention. Ultimately, effective data protection will underpin trust in Kenya's digital economy—ensuring security, freedom of expression, and inclusive growth for all citizens.
By learning from cases like this, individuals, businesses, and regulators can strengthen safeguards—proving that in the information age, privacy is foundational to a thriving, trustworthy digital Kenya.