Authored By: Shelby Wanjiru Ngigi
Kenya School of Law
Abstract
This article critically examines Kenya’s Data Protection Act, 2019 (DPA) and its evolving alignment with the European Union’s General Data Protection Regulation (GDPR). By early 2026, Kenya has transitioned from a foundational phase to assertive enforcement, with the Office of the Data Protection Commissioner (ODPC) reporting 9,061 complaints handled, 357 determinations, 134 enforcement notices, and 20 penalty notices. Compensation awards reached a record KES 30 million in 2025, underscoring the regulator’s growing reliance on financial remedies to enforce compliance.
The analysis highlights convergence between the DPA and GDPR in principles of lawfulness, fairness, and transparency, while noting key differences such as Kenya’s narrower “right to deletion” compared to the GDPR’s broader “right to erasure.” Landmark jurisprudence, including Worldcoin (2025), which invalidated biometric data collection for lack of a Data Protection Impact Assessment and invalid consent; Chabari v Longhorn Publishers (2025), affirming the DPA’s applicability to ongoing privacy violations; and Regus Kenya Ltd v ODPC (2025), where the High Court upheld administrative fines but reduced the maximum penalty for a first offender – demonstrates Kenya’s maturing judicial oversight.
Persistent challenges remain in institutional independence, public awareness, MSME compliance, and regulating emerging technologies such as AI and biometrics. The pending Data Protection (Amendment) Bill, 2025 proposes a dedicated Appeals Tribunal to resolve disputes within 60 days, enhancing autonomy and efficiency. Kenya’s trajectory illustrates both the promise and complexity of adapting global data protection standards to local realities, positioning the country as a potential regional leader in privacy regulation.
Introduction
In the digital economy, personal data has become a critical resource, driving innovation while simultaneously raising concerns about privacy and misuse. The European Union’s General Data Protection Regulation (GDPR), enacted in 2018, quickly established itself as the global benchmark for data protection, influencing legislation far beyond Europe. Kenya, recognizing the risks posed by rapid digital transformation, enacted the Data Protection Act (DPA) in 2019.
Initially viewed as a young institution, Kenya’s Office of the Data Protection Commissioner (ODPC) has since matured into an assertive regulator. By 2026, the ODPC has issued hundreds of determinations, expanded to eight regional offices, and overseen landmark cases such as the Worldcoin ruling. This article critically examines the extent to which Kenya’s DPA aligns with the GDPR, highlighting shared principles, key differences, and the evolving enforcement landscape.
Background
Global Context
The GDPR was designed to harmonize data protection laws across EU member states and strengthen individuals’ control over their personal information. Its extraterritorial scope, applying to any organization processing EU citizens’ data, regardless of location, made it a global standard. The regulation emphasizes lawfulness, fairness, transparency, purpose limitation, and accountability, backed by strong enforcement mechanisms including fines of up to €20 million or 4% of global turnover.
Kenya’s Context
Kenya’s digital transformation, driven by mobile money, e-commerce, and biometric systems, created an urgent need for comprehensive data protection. The DPA, enacted in 2019, was modeled heavily on the GDPR, incorporating principles of lawfulness, fairness, transparency, and data minimization. It also introduced mechanisms such as Data Protection Impact Assessments (DPIAs) and mandatory breach notifications within 72 hours.
By 2026, Kenya has entered a new enforcement phase. The ODPC has issued 357 determinations, 134 enforcement notices, and 20 penalty notices, while decentralizing operations through regional offices in Mombasa, Kisumu, and Eldoret. Draft legislation, the Data Protection (Amendment) Bill, 2025, is under review to further align Kenya’s framework with international standards and strengthen institutional independence.
Comparative Analysis: GDPR and Kenya’s DPA (2026 Status)
Scope and Applicability
Both the GDPR and Kenya’s DPA assert extraterritorial jurisdiction. While enforcement across borders was initially limited, Kenya’s courts have begun asserting authority. In May 2025, the High Court declared Worldcoin’s biometric data collection unlawful due to the absence of a mandatory Data Protection Impact Assessment (DPIA) and invalid consent. By January 2026, the ODPC confirmed that Worldcoin had permanently deleted all biometric data collected from Kenyan citizens, marking a landmark assertion of jurisdiction over global entities.
Rights of Data Subjects
The GDPR grants broad rights, including access, rectification, erasure (“right to be forgotten”), portability, and objection. Kenya’s DPA mirrors these rights but narrows the “right to deletion” to false or misleading data. Jurisprudence has expanded significantly: in Chabari v Longhorn Publishers (September 30, 2025), the High Court quashed the ODPC’s earlier discontinuance of a complaint, affirming that the DPA applies to ongoing privacy violations even if the data was collected before 2019. This reinforced that privacy is a constitutional right and that consent remains central to lawful processing.
Legal Bases for Processing
The GDPR sets out six lawful bases, including consent, contract, legal obligation, vital interests, public task, and legitimate interests. Kenya’s DPA adopts similar grounds but historically lacked clarity on “legitimate interests.” Recent ODPC guidelines (2024–2025) have clarified sector-specific applications, including electoral data and private security, thereby reducing uncertainty for controllers and strengthening compliance.
Supervisory Authority
The GDPR mandates independent supervisory authorities coordinated by the European Data Protection Board. Kenya’s ODPC, though initially resource-constrained, has matured significantly. By late January 2026, it had handled 9,061 complaints, issued 357 determinations, 134 enforcement notices, and 20 penalties, while expanding to eight regional offices including Mombasa, Kisumu, Nakuru, and Eldoret. This decentralization reflects a deliberate strategy to strengthen enforcement capacity nationwide.
Sanctions and Penalties
The GDPR’s fines – up to €20 million or 4% of global turnover – have been applied against major corporations. Kenya’s DPA caps fines at KES 5 million or 1% of local turnover.
Enforcement, however, has accelerated:
A school fined KES 4.55 million for posting minors’ photos without parental consent.
An entertainment venue fined KES 1.85 million for unauthorized use of a customer’s image.
In Regus Kenya Ltd v ODPC (September 30, 2025), the High Court upheld the ODPC’s authority to impose administrative fines for non-compliance with regulatory notices, though it reduced the maximum KES 5 million penalty to KES 2.5 million for a first offender.
Comparative Overview
The GDPR and Kenya’s DPA share important similarities but also diverge in key respects. Under the GDPR, maximum fines can reach €20 million or 4% of global turnover, whereas Kenya’s DPA caps penalties at KES 5 million or 1% of local turnover, with courts recently reducing the maximum to KES 2.5 million for first offenders. The GDPR provides a broad “right to erasure,” often referred to as the “right to be forgotten,” while Kenya’s DPA limits the “right to deletion” to false or misleading data. Enforcement under the GDPR is mature and consistently high-penalty, while Kenya has entered an assertive enforcement phase, handling over 9,000 complaints and issuing hundreds of determinations, notices, and fines in the range of KES 1–5 million. Supervisory authority in the EU rests with independent Data Protection Authorities coordinated by the European Data Protection Board, whereas Kenya’s ODPC has expanded to eight regional offices and issued 357 determinations by early 2026. Finally, both frameworks recognize multiple legal bases for processing, but Kenya has emphasized consent and clarified legitimate interests through sector-specific guidelines, while the GDPR provides a broader set of lawful bases including contract, legal obligation, and public task.
Challenges in Enforcement
Kenya’s data protection regime has entered a new enforcement phase, but several challenges continue to shape its effectiveness. These issues highlight the tension between legislative ambition and practical realities, underscoring areas where reform and institutional strengthening remain necessary.
Institutional Independence
The ODPC’s proximity to the Ministry of ICT has raised concerns about impartiality, particularly in cases involving government-linked projects such as digital ID systems. The Data Protection (Amendment) Bill seeks to decouple the ODPC from ministerial influence and establish a dedicated Appeals Tribunal to provide specialized judicial oversight. Until it is enacted, however, questions of autonomy remain.
Public Awareness
Despite decentralization into eight regional offices, awareness of privacy rights remains uneven. Amnesty International’s 2025 report highlighted that rural and marginalized communities face barriers in accessing the ODPC’s complaints portal, creating a “literacy gap” in digital rights. Without widespread public understanding, enforcement risks being concentrated in urban areas, leaving vulnerable populations underprotected.
Technological Lag
The rapid rise of artificial intelligence and biometric systems has outpaced Kenya’s regulatory framework. Section 35 of the DPA, which addresses automated decision-making, is often criticized as too broad to regulate complex algorithms effectively. The absence of a standalone Artificial Intelligence Act leaves gaps in oversight, particularly in areas such as facial recognition and predictive analytics.
MSME Burden
Micro, small, and medium enterprises (MSMEs) face disproportionate compliance challenges. The ODPC’s penalty regime, capped at KES 5 million, was designed to deter violations but has proven potentially bankrupting for smaller startups. In response, the ODPC issued Compliance Guidelines for MSMEs in 2025, aiming to provide tailored support and reduce the burden of compliance. Nevertheless, resource constraints continue to hinder smaller businesses compared to multinational corporations.
Cross-Border Jurisdictional Friction
Kenya’s integration into global digital markets has intensified concerns about cross-border data transfers. The Worldcoin ruling in 2025 demonstrated Kenya’s willingness to assert jurisdiction by ordering the deletion of biometric data stored abroad. Yet, verifying compliance with such orders remains technically and diplomatically challenging, particularly when data is hosted on global cloud servers.
Summary
Kenya’s enforcement landscape has shifted from rare action to assertive regulation, with over 350 determinations and high-profile fines against entities such as Regus Kenya and Roma School. The challenge now lies not in initiating enforcement but in ensuring consistency, independence, and adaptability to emerging technologies. Addressing these issues will be critical for Kenya to consolidate its position as a leader in African data protection.
Conclusion
Kenya’s Data Protection Act, 2019 represents a significant milestone in the country’s digital governance journey. Modeled closely on the GDPR, it incorporates core principles of lawfulness, fairness, transparency, and accountability, while granting data subjects rights of access, rectification, and deletion. Over the past seven years, Kenya has transitioned from a nascent framework to an assertive enforcement phase, marked by landmark rulings such as Worldcoin and Chabari v Longhorn Publishers, as well as the issuance of hundreds of determinations and penalties by the ODPC.
Yet, challenges remain. Institutional independence is still under negotiation, with the Data Protection (Amendment) Bill, 2025 seeking to insulate the ODPC from ministerial influence. Public awareness gaps persist, particularly in rural and marginalized communities, limiting the accessibility of redress mechanisms. The rapid evolution of artificial intelligence and biometric technologies continues to outpace existing legal provisions, while MSMEs struggle to comply with stringent requirements under a penalty regime that risks disproportionate impact. Cross-border enforcement, though symbolically strengthened by the Worldcoin ruling, remains technically and diplomatically complex.
Despite these hurdles, Kenya’s trajectory is promising. The ODPC’s decentralization, sector-specific guidelines, and growing jurisprudence demonstrate a commitment to building a robust data protection culture. If the pending reforms succeed in enhancing independence and adaptability, Kenya could consolidate its position as a regional leader in privacy regulation. In doing so, it would not only align more closely with international standards but also set a precedent for African nations navigating the balance between innovation and individual rights.
Ultimately, Kenya’s experience illustrates that effective data protection requires more than legislative alignment with global models like the GDPR. It demands institutional strength, public literacy, technological foresight, and equitable enforcement. As Kenya continues to refine its framework, it offers valuable lessons on how emerging economies can safeguard privacy while embracing digital transformation.
Bibliography
1. Primary Legislation
Kenya: Data Protection Act (No. 24 of 2019). Available at KenTrade Legal Database.
Kenya: Data Protection (Amendment) Bill, 2025 (Draft). Summary available at Wamae & Allen LLP.
European Union: Regulation (EU) 2016/679 (General Data Protection Regulation). Full text available at the EU Official Journal.
2. Judicial Decisions (Kenya & International)
Kenya High Court: Chabari & Another v Longhorn Publishers (Kenya) PLC (Civil Appeal E1338 of 2024) [2025] eKLR. Judgment available at Kenya Law.
Kenya High Court: Regus Kenya Limited v Office of the Data Protection Commissioner (Appeal No. E029 of 2024) [2025] eKLR. Summary available at The Judiciary of Kenya.
Kenya High Court: In re Worldcoin: Data Protection Commissioner v Tools for Humanity (2025). Case analysis available at CIPIT Strathmore University.
European Court of Justice: Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD) [2014] ECLI:EU:C:2014:317.
Kenya Court of Appeal: Longhorn Publishers Kenya v Karen Karagania Njuguna (Civil Appeal 316 of 2023) [2023] eKLR. Available at Kenya Law.
3. Institutional Reports & Guidelines
Amnesty International Kenya, 5 Years On: Citizens’ Perspectives on Kenya’s Data Protection Act Implementation (2025). Available at Amnesty Kenya Reports.
Office of the Data Protection Commissioner (ODPC), Annual Report and Financial Statements 2024/2025. Available at ODPC Publications.
Office of the Data Protection Commissioner (ODPC), Compliance Guidelines for Micro, Small, and Medium Enterprises (MSMEs) (2025). Available at ODPC Knowledge Centre.
Office of the Data Protection Commissioner (ODPC), Guidance Notes on Electoral Data Processing and Biometric Data (2024/2025). Available at ODPC Media Center.