• Home
  • Blog
  • Kenya Parliament Passes Data Protection Amendment Strengthening Citizen Privacy

Kenya Parliament Passes Data Protection Amendment Strengthening Citizen Privacy

Kenya Parliament Passes Data Protection Amendment Strengthening Citizen Privacy

0 comments

ShareWhatsApp

Kenya’s National Assembly passed the Data Protection (Amendment) Act 2026 on Wednesday evening, legislating the most significant overhaul of the country’s digital privacy framework since the original Data Protection Act was enacted in 2019. The bill cleared the House with 198 votes in favour and 34 against, before receiving Senate concurrence in an expedited sitting that concluded past midnight.

The amendments, developed over 14 months of consultation coordinated by the Office of the Data Protection Commissioner, were partly driven by a wave of high-profile personal data breaches in 2024 and 2025 that exposed the records of an estimated 4.7 million Kenyans held by telecommunications companies, financial institutions, and government agencies. A particularly damaging breach at a third-party SHA data processor in November 2025 exposed health records and M-Pesa transaction data linked to roughly 1.2 million subscribers.

Key Changes in the Amendment

The amendment’s most consequential provision introduces mandatory breach notification within 72 hours of a data controller becoming aware of a personal data breach. Under the previous act, no specific timeline existed, and the Data Protection Commissioner’s office recorded multiple instances where Kenyans learned about breaches affecting their data from media reports rather than from the institutions holding their data.

Penalties for violations have been substantially increased. The maximum fine for a data breach attributable to negligence has been raised from Ksh 5 million to Ksh 10 million for individuals and to three per cent of annual turnover for corporate entities — a provision deliberately calibrated to bite meaningfully at large telcos and banks rather than simply writing a manageable cheque.

The amendments also introduce a genuine opt-in consent standard for sensitive personal data categories, including health records, biometric data, political opinions, and financial information. Previously, companies could rely on buried consent clauses in multi-page terms and conditions. Under the new rules, consent for sensitive data must be “granular, specific, and separately obtained” — language borrowed from the European Union’s General Data Protection Regulation, which the amendment explicitly benchmarks against.

A new right to data portability has been introduced, requiring data controllers to provide individuals with a machine-readable copy of their personal data within 21 days of a request. This provision is expected to have particular commercial significance given Safaricom’s dominance in mobile financial services and the large volumes of behavioural data held within the M-Pesa ecosystem.

Industry Reaction

The Kenya Bankers Association and the Association of Kenya Insurers both expressed concern about the compliance costs associated with the amendment’s 72-hour breach notification requirement, arguing that complex technical investigations often cannot be completed within that window. Data Protection Commissioner Immaculate Kassait, however, was firm. “Seventy-two hours is about notifying us that you believe a breach has occurred, not about handing us a completed forensic report. There is no excuse for silence,” the commissioner said.

Safaricom, whose M-Pesa platform processes over Ksh 25 billion in daily transactions and holds financial behavioural data on more than 32 million Kenyans, said it welcomed the amendment’s clarity on consent standards and would commission an independent audit of its data governance practices within 90 days of the act’s commencement.

Civil Society and Digital Rights

Digital rights organisations, including the Kenya ICT Action Network (KICTANet) and Article 19 East Africa, gave the amendments a qualified welcome. KICTANet’s chair Grace Githaiga described the bill as a “meaningful step forward” but flagged two remaining concerns: the absence of independent algorithmic auditing requirements for artificial intelligence systems deployed by public bodies, and the dilution of a proposed clause that would have restricted KRA from accessing financial data without a court order.

That latter omission is politically significant. The KRA’s aggressive use of financial data under its enhanced compliance programme, in which M-Pesa transaction histories have been used to reconstruct taxpayers’ income, has generated considerable public discomfort. Parliament’s decision to exclude a judicial warrant requirement for KRA data requests reflects the government’s prioritisation of revenue enforcement under its IMF programme commitments over enhanced taxpayer privacy protections.

The Act commences 90 days after presidential assent, which President Ruto is expected to grant before the end of July.

About the Author

Follow me


{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}