Following the declaration of COVID-19 as a global pandemic, Kenya has witnessed a digital surge amidst national restrictions and social distancing norms. This has propelled a digital renaissance amongst the Kenyan population as individuals and organization seek for a resemblance of normalcy in both life and work in such unprecedented times.

However, with a growing internet footprint taking hold and increased reliance on social and commercial digital platforms, data privacy concerns have become more relevant than ever.  As personal data continues to cross “digital” boarders, a need has followed to ensure that personal data is collected, processed and used for the intended and lawful purpose.


In 2010, Kenya made significant strides towards the protection of personal data rights. Through the promulgation of the Constitution, every person is guaranteed a derogable right to privacy, including the right to have their personal information protected from unnecessary and unlawful disclosures.

While lauded as a momentous effort in its time, the reality is protection of personal data rights was not fully actualized in Kenya until 2019 when the long-awaited Data Protection Act (“DPA”) was enacted.

The DPA’s introduction amongst Kenya’s legislative framework is a welcome lift to data privacy rights as it has come amidst widespread privacy concerns and a fragmented data regulatory framework.


 With increased government surveillance amongst the population and specifically through mass data collection drives such as the controversial “Huduma Namba”, there are concerns that data, despite being collected for legitimate reasons is being used for deceptive purposes.

This has already been evident with national elections around the corner,  as reports have surfaced that certain political parties have already bought personal data for purposes of registering the unsuspecting members of the public to their respective political parties. This led to an uproar by Kenyans who have with good reason protested their illegal registration as members to parties without their consent.

There is therefore growing unrest that if action is not taken, personal data shall be abused for commercial and political gain. After all how many times have you received infringing marketing texts on your phone from certain suppliers, despite never consenting to the same?

The Office of the Data Protection Commissioner has a lot to do to earn public trust and this starts by taking the bull by the horns and demonstrating a bite to its bark. It has to take an active role in dealing with and prosecuting data misuse offenders and not just exercising mere oversight.

This is an informative article and contains general information. It should not be construed as legal advice. Should legal advice be required, contact MMW Advocates LLP at for further assistance. The reproduction of this article is also prohibited without the prior consent of MMW ADVOCATES LLP. 

Leave a Reply

Your email address will not be published. Required fields are marked *

This field is required.

This field is required.