Data protection & privacy laws in Kenya (2026)
Kenya has a comprehensive, GDPR-style data-protection regime under the Data Protection Act 2019 (in force since 25 November 2019), supplemented by the 2021 General, Registration, and Complaints-Handling Regulations. The independent Office of the Data Protection Commissioner (ODPC) supervises and enforces the law, maintains a register of data controllers/processors, and issues binding determinations. A Data Protection (Amendment) Bill, 2025 is under consideration to strengthen enforcement and address AI and other emerging issues.
Key points
The Data Protection Act No. 24 of 2019 came into force on 25 November 2019 as Kenya's primary cross-sectoral data-protection statute, giving effect to the constitutional right to privacy under Article 31(c)-(d).
The Office of the Data Protection Commissioner, established under Section 5, is an independent body corporate that oversees implementation, enforces the Act, maintains the register of data controllers/processors, and handles complaints. The Commissioner serves a single six-year term.
Section 25 requires lawful, fair, transparent, purpose-limited, accurate and minimal processing. Section 18 obliges public and private bodies and individuals processing personal data to register with the ODPC under the 2021 Registration Regulations.
Data subjects have rights to be informed, to access their data (s.26), to rectification (s.40), erasure/deletion, and to object to or restrict processing, with remedies enforceable through complaints to the ODPC.
Section 48 (read with s.25(h)) restricts transfer of personal data outside Kenya unless adequate safeguards are demonstrated or the data subject consents; transfers of sensitive data may require the Data Commissioner's approval.
The Commissioner can impose administrative fines up to KES 5 million or 1% of annual turnover (whichever is lower) and issue binding determinations; by March 2025 the ODPC had handled thousands of complaints and penalised multiple entities. A Data Protection (Amendment) Bill, 2025 proposes higher penalties and a Data Protection Appeals Tribunal.
Timeline - major decisions & events
The Office of the Data Protection Commissioner issued an official notice confirming that Worldcoin/Tools for Humanity had permanently deleted all biometric (iris) data collected from Kenyans, closing out the long-running enforcement saga. (Source: Business Daily)
The High Court ruled that Worldcoin's iris-scanning in Kenya breached the Data Protection Act 2019 — collecting sensitive data without a Data Protection Impact Assessment or valid informed consent — and ordered permanent deletion within seven days under ODPC supervision. (Source: Techpoint Africa)
The ODPC fined digital lender Whitepath for listing an individual as a guarantor without consent and subjecting them to debt-collection calls — its second sanction against the lender, reinforcing scrutiny of the mobile-lending sector. (Source: TechCabal)
The ODPC fined Zuku Fibre's parent for continuing to send unsolicited marketing messages to a former customer who had terminated service and repeatedly requested data deletion, affirming the right to erasure and to object to direct marketing. (Source: The Lawyer Africa)
In a precedent-setting move, the ODPC fined Mulla Pride (KES 2.975M), Roma School (KES 4.55M) and Casa Vera Lounge (KES 1.85M) for unlawful debt-collection messaging and posting individuals'/minors' photos without consent — its first substantive penalty determinations. (Source: ODPC)
The Ministry of Interior suspended Worldcoin's public iris-scanning operations over concerns about consent, data security and lack of safeguards for biometric data, triggering a formal ODPC data-protection investigation. (Source: Africanews)
The Data Commissioner fined OPPO Kenya KES 5 million for failing to comply with an enforcement notice after posting an individual's image without consent — the regulator's debut use of its penalty powers. (Source: ODPC)
Legal Notices 263–265 of 2021 operationalised the Act — the General, Registration, and Complaints Handling & Enforcement Regulations — detailing data-subject rights, cross-border transfers, breach notification, mandatory registration thresholds and complaint procedures (commenced 14 January 2022). (Source: Kenya Law)
In Katiba Institute v Attorney General, the High Court declared rollout of the Huduma card illegal absent a Data Protection Impact Assessment, applying the Act retrospectively and setting a landmark precedent that state ID systems must comply with data-protection law. (Source: Privacy International)
Immaculate Kassait was sworn in as Kenya's inaugural Data Commissioner (single six-year term), operationalising the Office of the Data Protection Commissioner and giving the 2019 Act an enforcement body. (Source: IAPP)
Kenya's comprehensive, GDPR-aligned data-protection statute (Act No. 24 of 2019) took effect, giving effect to Article 31(c)(d) of the Constitution, establishing the ODPC and setting out lawful-processing principles, data-subject rights and cross-border transfer rules. (Source: Kenya Law)
Article 31 of the 2010 Constitution guaranteed every person the right not to have information relating to their private affairs unnecessarily required or revealed and to keep communications private — the constitutional foundation for all subsequent data-protection law. (Source: Kenya Law Reform Commission)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.