Data Protection in Kenya: Law, Cases, Compliance & Best Practices

  • Writer: Muhoro & Gitonga Associates
  • Jan 26, 2024

Updated: Oct 2

1. Introduction


In Kenya, data is the new oil—but unlike oil, mishandling data can destroy reputations, attract fines, and even lead to lawsuits. With the digital economy booming, the Data Protection Act, 2019 (“DPA”) has become one of the most important pieces of legislation for businesses, professionals, and individuals.


This article explores the law in depth and reports on recent cases that demonstrate how Kenyan courts and the Office of the Data Protection Commissioner (ODPC) are enforcing compliance.

 

2. Legal & Constitutional Foundations of Data Protection in Kenya


The Constitution of Kenya 2010 provides the foundation for data privacy. Article 31 protects every person’s right not to have their private affairs unnecessarily revealed or their communications infringed.


To give life to this right, Parliament enacted the Data Protection Act, 2019, which establishes rules for collection, storage, and use of personal data. The law is supported by regulations such as the Data Protection (General) Regulations, 2021 and sector-specific rules, making Kenya’s framework comparable to international standards like the European Union’s General Data Protection Regulation (GDPR).

 

3. Key Provisions of the Data Protection Act, 2019


The DPA defines personal data broadly, covering identifiers such as names, ID numbers, contact information, biometric data, and sensitive categories like health or religious beliefs.


The law is anchored in the principles of lawfulness, fairness, transparency, purpose limitation, accuracy, storage limitation, and integrity and confidentiality. It distinguishes between data controllers (who decide why and how data is processed) and data processors (who process data on behalf of controllers), imposing clear obligations on both.

 

4. Rights of Data Subjects


The Act empowers individuals (“data subjects”) with:


  • The right to access their data.


  • The right to rectification of inaccurate data.


  • The right to erasure, also called the “right to be forgotten.”


  • The right to object to processing, especially for direct marketing.


  • The right to data portability, enabling transfer of data between service providers.

 

5. Obligations of Data Controllers and Processors


Organizations must:


  • Register with the ODPC.


  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk projects.


  • Notify the ODPC and affected individuals of breaches.


  • Maintain proper data processing agreements with third parties.


  • Appoint a Data Protection Officer (DPO) where necessary.


  • Implement strong security measures like encryption, access control, and staff training.

 

6. Enforcement, Penalties and Regulatory Oversight


The ODPC enforces compliance. Penalties include fines up to KES 5 million, suspension of licenses, and even criminal charges. Courts can also order compensation.


As of early 2025, the ODPC had received over 7,000 complaints, issued multiple fines, and ordered compensation in dozens of cases. This proves the regulator is active, not symbolic.


7. Recent Trends & Challenges


Businesses face challenges in:


  • Interpreting complex regulations.


  • Handling cross-border data transfers in cloud-based operations.


  • Obtaining valid consent, especially when processing minors’ data.


  • Dealing with penalties for unsolicited messages and unauthorized image use.

 

8. Recent Kenyan Data Protection Cases



Issue: Whether the Data Protection Commissioner (ODPC) acted without jurisdiction by concluding an investigation beyond the statutory 90-day period, and whether the applicants had locus to bring the complaint.


Holding: The court held that the ODPC’s determination, made after the 90-day statutory investigation period, was without jurisdiction and thus null and void. The applicants had locus to lodge the complaint as they were directly affected. The court quashed the ODPC’s decision and ordered a fresh investigation within 30 days.


Significance: This case underscores the mandatory nature of statutory timelines in administrative investigations, affirming that failure to adhere to such deadlines deprives the decision-making body of jurisdiction, rendering its decisions null. It also clarifies locus in data protection complaints under the Act.



Issue: Whether to grant a stay of execution of the High Court judgment of 12 May 2023, which ordered the Data Protection Commissioner (ODPC) to readmit and complete investigation of a complaint within 30 days, pending the hearing and determination of the appeal filed by the ODPC and an interested party.


Holding: The court refused to grant the stay of execution. It found that the ODPC and the interested party failed to prove sufficient cause for the stay, failed to show that the appeal was arguable and that the appeal would be rendered nugatory without the stay, or that it was in the public interest. The court also dismissed arguments based on speculative claims about the impact of complaints from legal entities. It ordered each party to bear its own costs.


Significance: The ruling affirms strict adherence to court orders for administrative investigations under the Data Protection Act. It clarifies the conditions for granting stays pending appeal, emphasizing the need for demonstrable cause, public interest, and a real risk that the appeal would be rendered nugatory. The case also underscores courts' reluctance to grant stays based on speculative or unsubstantiated claims, promoting judicial economy and access to justice.



Issue: Whether the Respondent (University of Kabianga) violated the Petitioner’s fundamental rights to privacy and human dignity by publishing his image in commercial advertisement without his express consent.


Holding: The court held that the Respondent violated the Petitioner’s constitutional rights by using his image without express consent for commercial purposes. The Petitioner’s personality rights were infringed. The court granted a permanent injunction restraining further use of the image without consent and awarded the Petitioner general damages of Ksh 500,000 plus costs.


Significance: This case reinforces the constitutional protection of privacy and human dignity in Kenya, establishing that use of an individual’s image for commercial advertising without consent infringes personality rights and entitles the aggrieved party to injunctive relief and damages.



Issue: Whether the petitioner’s constitutional rights to privacy and dignity were violated by the respondents’ continued use of her image beyond the contract period without her consent.


Holding: The court held that the contracts granted the respondents unrestricted use of the petitioner’s image for an indefinite period, and thus her constitutional rights to privacy and dignity were not violated. The petition was dismissed.


Significance: This case clarifies that where a contract expressly permits indefinite use of an image, the right to privacy under the Constitution may be deemed waived, and such disputes primarily fall under commercial law rather than constitutional jurisdiction.




Issue: Whether the suit filed by former WPP Scangroup CEO Bharat Thakrar against WPP PLC and others, alleging breach of data protection rights, reputational damage, and business loss arising from his suspension and resignation, was properly filed in the Commercial Court or ought to have been filed in the Employment and Labour Relations Court.


Holding: The High Court held that the matter was essentially an employment dispute arising from employer-employee relations and, therefore, the Commercial Court lacked jurisdiction. The suit was struck out for being filed in the wrong court, with the Employment and Labour Relations Court being the proper forum for Thakrar’s claims.


Significance: This ruling clarifies jurisdictional boundaries in Kenya for employment-related disputes involving data privacy claims and reputational harm, emphasizing that compensation and related reliefs for employer-employee disputes should be pursued under the Employment and Labour Relations framework. It highlights the importance of choosing the correct court to avoid procedural dismissal of substantive claims. The case also reflects the evolving intersection of data protection law and employment law in Kenya.



Issue: Whether the collection and processing of biometric data by Tools for Humanity Corp and related entities using Worldcoin's Orb device in Kenya violated the Data Protection Act 2019 and constitutional rights to privacy, including failure to conduct a required Data Protection Impact Assessment (DPIA), lack of informed and free consent from data subjects, and processing without proper registration and safeguards.


Holding: The High Court found that the respondents jointly collected and processed biometric data without conducting an adequate DPIA, failed to obtain valid consent as required by law, and improperly transferred sensitive data across borders. The court affirmed jurisdiction to hear the matter despite challenges regarding locus and exhaustion of remedies. The processing was held unlawful, ordering remedies consistent with data protection and constitutional privacy rights.


Significance: This landmark decision reinforces Kenya’s stringent data protection regime emphasizing that biometric data processing requires prior impact assessments, valid, freely given consent, and strict compliance with registration and cross-border data transfer safeguards. It clarifies the scope of judicial review over data protection violations, affirms constitutional privacy protections, and signals strong regulatory enforcement on innovative biometric technologies and cryptocurrency-linked data collection in Kenya.



Issue: Whether Milestone Games Limited (SportPesa) violated Lee Mutunga’s right to erasure under Kenya’s Data Protection Act by failing to delete his personal data despite multiple requests, and whether the company obstructed the Data Protection Commissioner's investigation.


Holding: The Office of the Data Protection Commissioner (ODPC) found that SportPesa violated the complainant’s right by requiring excessive personal data for account deletion, delaying deletion for over seven months until ODPC intervention, and being uncooperative and misleading during the investigation. SportPesa was ordered to compensate Mutunga Ksh 350,000 for distress caused by the violation. The ODPC further recommended prosecution of SportPesa’s directors for obstructing its work.


Significance: This ruling highlights the enforcement of data privacy rights in Kenya, setting a clear precedent that companies must respect the right to erasure without imposing unnecessary data collection barriers and must cooperate with regulatory investigations. It underscores the legal risks of non-compliance with data protection laws and affirms the protective mandate of the ODPC over data subjects’ privacy rights.



Issue: Whether Whitepath Company Limited unlawfully processed personal data of Eric Migwi and Scholastica Onon by sending them persistent unsolicited messages demanding payment, violating data protection rights under the Data Protection Act and Constitution.


Holding: The Office of the Data Protection Commissioner (ODPC) found Whitepath Company Limited in breach of the Data Protection Act for unlawful processing of personal data and causing distress through unsolicited communications. The company was ordered to cease the unlawful processing, pay compensation to the complainants, and ensure compliance with data protection laws going forward.


Significance: This case emphasizes the protection of data subjects against unauthorized and persistent communications constituting harassment and breach of privacy. It reinforces enforcement of data protection regulations in Kenya and affirms the ODPC’s authority in safeguarding personal data rights and providing remedies for violations.



Issue: Whether Neqtar Medical Ltd unlawfully processed and used the complainant Stephen Kipchumba Kiptiness’s personal image for commercial purposes in brochures without his express consent, thereby violating data protection laws and constitutional privacy rights.


Holding: The Office of the Data Protection Commissioner (ODPC) found Neqtar Medical Ltd used the complainant’s image without valid consent for commercial gain. The Respondent did not respond to the complaint despite notifications, leaving the allegations uncontested. This conduct was held unlawful under the Data Protection Act. The Respondent was ordered to pay the complainant Ksh 500,000 (Five Hundred Thousand Kenya Shillings) as compensation for the unauthorized use of his personal data for commercial purposes.


Significance: This determination reaffirms the protection of personal data under Kenya’s Data Protection Act and constitutional privacy guarantees, emphasizing that commercial use of personal data such as images requires express consent. It highlights regulatory enforcement against non-compliant entities and underscores the legal consequences including substantial compensation for violations of data privacy rights.



Issue: Whether Kingdom Bank unlawfully processed and shared the complainant Martin Gikonyo’s personal data, including his disability status, with third parties such as the National Council of Persons with Disabilities and other entities without his consent, thus violating the Data Protection Act and constitutional privacy rights.


Holding: The Office of the Data Protection Commissioner (ODPC) found that while correspondence between Kingdom Bank and the Council occurred in relation to mediating an employment dispute with the complainant (who is a registered member of the Council), no personal data identifying the complainant was unlawfully shared. The bank’s action was aimed at resolving a workplace dispute rather than unauthorized data processing. There was no violation of the Data Protection Act. Accordingly, the complaint was dismissed for lack of merit.


Significance: This decision clarifies the scope of permissible data sharing in the context of employment dispute resolution, emphasizing that sharing minimal, non-identifying information for mediation purposes does not constitute unlawful data processing. It confirms that mediation involving registered bodies like the National Council is a lawful mechanism for resolving employment conflicts without breaching data protection laws. The ruling underscores the balance between privacy rights and legitimate workplace dispute management.

 

9. Best Practices for Compliance


  • Audit your data to know what you hold and why.


  • Update and publish clear privacy policies.


  • Train staff continuously on data handling.


  • Appoint a DPO where appropriate.


  • Secure your systems with encryption, firewalls, and access controls.


  • Ensure contracts with third parties meet Kenyan standards.


  • Prepare a breach response plan for 72-hour reporting.


  • Review your practices regularly as the law and case law evolve.

 

10. Conclusion


Kenya’s data protection regime is dynamic and actively enforced. The ODPC and the courts have demonstrated that they will impose real penalties for misuse of personal data—whether through image rights violations, spam, data leaks, or failure to register. For businesses, compliance is no longer a choice but a business survival strategy.

 

11. Frequently Asked Questions (FAQ)


Q1. What counts as personal data in Kenya?

Any information identifying a natural person, including name, ID, phone number, biometric data, health records, or images.


Q2. Do businesses have to register with ODPC?

Yes, data controllers and processors must register. Failure attracts penalties of up to KES 5 million.


Q3. Can organizations use images without consent?

No. Cases like Shimlon Kuria v University of Kabianga and Stephen Kipchumba Kiptiness v Neqtar Medical Ltd confirm that using images without permission is unlawful.


Q4. What are the penalties for non-compliance?

Fines up to KES 5 million, possible imprisonment, suspension of licenses, and compensation to victims.


Q5. Can ODPC decisions be challenged?

Yes. Parties may seek judicial review in the High Court, as seen in the Gichuhi cases.


Q6. How soon must a breach be reported?

Ideally within 72 hours to both ODPC and affected data subjects.


Q7. Does Kenyan law regulate cross-border transfers?

Yes. Transfers are allowed only where adequate safeguards exist.


Q8. Are minors’ data treated differently?

Yes, using minors’ photos or data requires parental or guardian consent.

 

For more detailed information, you can refer to the Data Protection Act.

