ARTIFICIAL INTELLIGENCE AND PRIVACY: KENYA’S TRANSITIONING LEGAL LANDSCAPE

Authored By: Angellah Kemunto Ogise

University of Nairobi

Abstract

Kenya’s National Artificial Intelligence Strategy for 2025–2030 aims to establish the nation as a hub for innovation, moral leadership, and extensive digital transformation. Its priorities include enhancing data management, developing digital infrastructure, and supporting regional research initiatives. The strategy seeks to implement artificial intelligence (AI) responsibly while protecting privacy and respecting human rights. With AI increasingly incorporated into key sectors such as the public sector, healthcare, and educational institutions, serious questions arise about whether existing laws are adequate to safeguard individual rights and address the ethical and legal challenges AI presents.[1] This article evaluates the effectiveness of current legislation — most notably the Data Protection Act 2019 — while examining the intersections between AI development and data privacy in Kenya. It also identifies regulatory gaps and underscores the urgent need for AI-specific laws to promote transparency, accountability, and the protection of constitutional rights.

1. Introduction

The use of AI across different industries has raised global concerns about privacy and data security. The protection of personal information in Kenya has gained renewed significance owing to advancements in digital innovation and mobile technology. AI adoption in sectors like healthcare, finance, and surveillance is growing rapidly, and the privacy risks AI poses are equally alarming. This article examines how Kenya’s legal system is responding to the challenges posed by Artificial Intelligence. It analyses the available legal frameworks, reviews recent privacy case law, and assesses privacy advocacy across various sectors. Drawing on diverse sources relating to AI and privacy in Kenya, the article concludes with targeted recommendations for legislative reform, institutional capacity-building, and international alignment.

2. Legal Framework

2.1 The Constitution of Kenya, 2010

Understanding the constitutional foundation of data protection illuminates the need for robust legal protection. Article 31(c) and (d) of the Constitution of Kenya (the Constitution) provides that every person has: the right not to have information relating to family or private affairs unnecessarily required or revealed; and the right not to have the privacy of communications infringed.

The Constitution therefore protects citizens from infringements of privacy that AI technologies may cause. AI systems heavily depend on the collection and processing of personal data, which may infringe upon the right not to have private information disclosed or communications intercepted. AI incursions are curtailed by Article 31 and reinforced by Article 19(2), both of which subject such technologies to the restrictions the Constitution places on the infringement of human rights. AI technologies must accordingly ensure adherence to the principles of transparency, consent, fairness, and accountability.

2.2 The Data Protection Act (2019)

The Data Protection Act (DPA) gives legislative effect to Article 31(c) and (d) of the Constitution by regulating how personal data is handled. It establishes the role of the Data Protection Commissioner, outlines the rights of data subjects, and sets out the obligations of data controllers and processors. This Act is the primary legislation governing data protection in Kenya. The DPA is broadly inspired by international data protection standards, most notably the General Data Protection Regulation (GDPR) in the European Union.

2.3 Related Legal Instruments

(a) Kenya’s Data Protection Act safeguards crucial privacy rights linked to AI systems, including the prohibition against being subjected to automated decision-making that produces significant legal consequences or comparable effects, and the requirement for consent-based data processing.[2] Furthermore, Data Protection Impact Assessments (DPIAs) are mandated when processing poses risks to individuals. The High Court’s ruling suspending the rollout of the Huduma Namba digital identification system — on grounds of inadequate DPIA compliance — reaffirmed this principle.[3]

(b) The Computer Misuse and Cybercrimes Act, 2018 — This Act criminalises computer-related offences including identity theft, data interference, and cyber harassment. It strengthens data privacy protections and provides legal remedies. It also addresses crimes related to AI, including AI-generated cyberattacks.

(c) Cybersecurity Guidelines for Payment Service Providers (PSPs) — Central Bank of Kenya (2019) — The objective of these Guidelines is to establish baseline cybersecurity standards for PSPs that manage sensitive information. The Guidelines include requirements for breach reporting, the development of cybersecurity governance structures, incident response procedures, and ensuring that AI systems comply with applicable privacy and data protection regulations.

2.4 Ongoing Developments

Kenya is in the process of developing more targeted AI regulations. Chief among these is the Kenya National AI Strategy (2025–2030), which aims to position Kenya as a continental leader in AI innovation, with priority industries including public service, healthcare, education, and agriculture. The strategy emphasises inclusive growth, ethical AI use, and capacity building, while ensuring privacy, transparency, and public confidence. Its overarching goal is responsible AI adoption in support of digital transformation and broader socioeconomic objectives.

3. Judicial Interpretations

3.1 Judicial Enforcement of Data Protection Rights

Recent Kenyan decisions have demonstrated a growing judicial understanding of data privacy rights. The courts have begun enforcing constitutional protections by carefully reviewing state and institutional practices that affect personal data.

In Republic v. Joe Mucheru, Cabinet Secretary, Ministry of ICT & 2 Others ex parte Katiba Institute & Yash Pal Ghai (Judicial Review Application No. E1138 of 2020) [2021] KEHC 122 (the Huduma Namba case), the High Court held that the Data Protection Act, 2019 applies retroactively.[5] This means that even where data collection predated the Act’s commencement, the Act still requires completion of a Data Protection Impact Assessment (DPIA). The court found that the implementation of Kenya’s digital identification system, Huduma Namba, without a prior DPIA was unconstitutional and unlawful. Accordingly, it cancelled the decision to roll out Huduma Cards and ordered that a DPIA be completed before any further processing of personal data.

This case marked an important step in confirming that government programmes are equally subject to data protection regulations.

Kenya’s judiciary has also begun institutionally integrating AI and data protection into its own operations, developing an AI Adoption Policy Framework to ensure the ethical use of AI tools. The policy is intended to improve administrative support, legal research, case management, and predictive analytics, while protecting due process, data privacy, and judicial independence.[4] Transparency and oversight are prioritised throughout.

4. Critical Analysis

4.1 Gaps in the Legal Framework

Despite being a vital tool for protecting privacy rights, the Data Protection Act remains difficult to implement in practice. The framework’s vague provisions regarding AI technologies have created uncertainty about how these systems ought to be governed.

(a) Challenges with Data Localisation and Cross-Border Transfer: Requirements to keep data on Kenyan servers and restrictions on cross-border data transfers potentially restrict access to cloud services and hinder international operations, with adverse consequences for efficiency and innovation.

(b) Regulatory Independence and Capability: The Office of the Data Protection Commissioner (ODPC) lacks meaningful regulatory independence owing to its dependency on the Cabinet Secretary for ICT, and is insufficiently resourced for public education and enforcement.[6]

(c) Low Culture of Compliance and Public Awareness: Insufficient public awareness of data protection rights hinders effective law enforcement. Businesses and organisations also struggle with compliance owing to inadequate internal systems, training, and cultural norms.

The legislative process frequently lags behind the rapid pace of technological advancement, resulting in delayed responses to emerging privacy concerns. Consent ambiguity presents serious problems, particularly for automated systems that depend on large volumes of personal data. The notion of informed consent is further undermined by widespread ignorance of how AI systems use personal data.

(d) Rapid Technological Growth Outpacing the Law: The absence of technology-neutral, flexible regulatory frameworks makes it difficult for the law to keep pace with emerging technologies such as AI, biometrics, and social media platforms.

This leads to regulatory gaps concerning AI-specific privacy risks, including algorithmic bias, profiling, automated decision-making, and AI transparency.[7]

Finally, although businesses are required to abide by data protection laws, corporate interests frequently lead to non-compliance. A stronger enforcement mechanism is necessary; the weak penalties currently available may foster a culture of disregard for privacy rights.

4.2 Comparative Analysis with Foreign Jurisdictions

The European Union’s GDPR offers a more comprehensive and detailed framework for regulating AI and data privacy — including clear guidelines on automated decision-making and profiling — compared to Kenya’s relatively nascent and still-evolving framework.

Kenya has not yet fully adopted the trend seen in other jurisdictions of establishing regulatory sandboxes within which AI innovations can be assessed under controlled conditions.

Kenya’s ongoing efforts to achieve GDPR adequacy status reflect a commendable aspiration to meet international norms, but they also draw attention to areas that require reform, including definitional clarity and enforcement procedures.

In sum, Kenya’s legal environment for AI and data protection is evolving, but faces challenges including unclear terminology, political influence over regulatory institutions, and resource limitations. To ensure robust privacy protection in an AI-driven future, improvements are needed in regulatory independence, legal clarity, public education, and technology-specific regulation.

5. Recommendations

(a) Legislative Developments: Recent legislative discussions have sought to update current privacy laws to address technological advancements. Proposed DPA amendments aim at comprehensive regulation of AI technologies, including rules for data handling, automated decision-making, and liability for violations. The National Assembly should prioritise the passage of such amendments within the current legislative calendar.

(b) Adopt AI-Specific Legislation: Kenya should enact a standalone AI Act that prohibits unjust surveillance, requires judicial review of real-time data collection, and mandates algorithmic transparency. Such legislation should require AI Impact Assessments, adopt a risk-based regulatory framework, and explicitly protect the rights of data subjects in AI-driven decision-making processes — drawing on the model established by the EU AI Act.

(c) Enhance Public Awareness: It is essential to raise public awareness of data protection rights and the implications of AI technologies. Educational campaigns that inform people about their rights and how to exercise them effectively can serve as a powerful tool for empowerment.

(d) Align with International Standards: Kenya should adopt global best practices. The regulatory experience of jurisdictions such as the European Union — where the GDPR has successfully protected individuals’ right to privacy — offers valuable lessons. Effective strategies from these frameworks should be adapted to the Kenyan context.

(e) Strengthen Partnerships: To develop a more comprehensive policy response to the privacy and AI challenges Kenya faces, government agencies, legal professionals, technologists, and civil society organisations should collaborate. Stakeholders should be encouraged to engage through collaborative workshops and seminars to address emerging issues jointly.

(f) Empower Institutional Oversight: The Office of the Data Protection Commissioner (ODPC) must be granted the authority to conduct audits of AI systems, enforce transparency requirements, and impose penalties for non-compliance. Additionally, an independent AI ethics board — comprising representatives from civil society, the technology sector, and human rights specialists — should be established to guide policy development and oversee AI implementation.

(g) Strengthen Enforcement Mechanisms: Enforcement agencies must be adequately funded and trained to ensure compliance with the DPA. Introducing explicit sanctions for non-compliance can deter violations and encourage a culture of respect for privacy rights.

(h) Reform Surveillance Practices: All AI-supported surveillance tools must be disclosed and publicly justified. Security agencies — including the National Intelligence Service (NIS) and the National Police Service (NPS) — must comply with the warrant procedures provided for under the Constitution.[8] Global technology collaboration agreements involving foreign companies should also be reviewed to protect privacy rights and prevent unchecked external influence over Kenya’s data ecosystem.

Conclusion

Kenya must adapt its legal system to the realities of technological advancement as it navigates the complex terrain of AI and privacy. By addressing the regulatory gaps identified in this article and implementing international best practices, Kenya can create a robust environment for innovation while genuinely protecting its citizens’ right to privacy. The path forward — illustrated by the constitutional jurisprudence of the Huduma Namba case, the urgent need for ODPC independence, and the imperative of AI-specific legislation — requires coordinated effort across all branches of government and across sectors.

A more secure and just future remains attainable through the collective effort of all stakeholders engaged in the ongoing work of developing an effective legal response to the challenges of privacy and AI. Kenya must confront AI risks, data sovereignty concerns, algorithmic accountability, digital labour implications, and surveillance threats to ensure a future in which AI serves citizens while preserving privacy, democracy, and justice. Proactive, inclusive, and legally binding AI governance is not merely desirable — it is essential.

Footnotes:

1 Ministry of Information, Communications and the Digital Economy, Kenya Artificial Intelligence Strategy 2025–2030 (2025) https://ict.go.ke/sites/default/files/2025-03/Kenya%20AI%20Strategy%202025%20-%202030.pdf accessed 23 August 2025.

2 The Data Protection Act, 2019, s 31.

3 Bulelani Jili, ‘Kenya Must Update its Regulatory Frameworks to Keep Pace with AI’ (Tech Policy Press, October 2023) (discussing the NIIMS High Court halt under s 31).

4 The Judiciary of Kenya, ‘Judiciary to Leverage AI to Enhance Justice’ accessed 24 August 2025.

5 Republic v. Joe Mucheru, Cabinet Secretary, Ministry of ICT & 2 Others ex parte Katiba Institute & Yash Pal Ghai (Judicial Review Application No. E1138 of 2020) [2021] KEHC 122 (High Court, 14 October 2021).

6 Kenya Institute for Public Policy Research and Analysis (KIPPRA), ‘Strengthening Data Protection in Kenya: Opportunities and the Way Forward’ (KIPPRA Blog, 30 June 2024) https://kippra.or.ke/strengthening-data-protection-in-kenya-opportunities-and-the-way-forward/ accessed 24 August 2025.

7 Ibid.

8 MGW Advocates, Centering Human Rights in Kenya’s AI Regulation (MGW Advocates LLP) (documenting surveillance risks and constitutional implications).
