Kenya DPA

Kenya Data Protection Act 2019

Kenya's comprehensive law with Section 35 rights against harmful automated decisions. DATA LOCALIZATION requirement: one serving copy on Kenyan servers for certain contexts.

Jurisdiction

Kenya

Enacted

Nov 8, 2019

Effective

Nov 25, 2019

Enforcement

Office of the Data Protection Commissioner (ODPC)

ODPC Kenya

Why It Matters

Data localization creates infrastructure compliance consideration. East African hub; compliance facilitates regional expansion.

At a Glance

Requires

Transparency User Rights Data Minimization

Who Must Comply

Data controllers/processors in Kenya
Foreign entities processing Kenyan residents' data

Obligations fall on:

Safety Provisions

Section 35: Right to object to automated decisions causing significant harm
Section 31: Data localization—at least one serving copy on Kenya server in certain contexts
Section 44: DPIA for high-risk processing
Section 32: Children (under 18) require parental/guardian consent
Section 29: Sensitive data (health) requires explicit consent

Compliance & Enforcement

Penalties

KES 5M; criminal (up to 2yr)

Criminal liability

Primary Source

ODPC Kenya

https://www.odpc.go.ke/data-protection-laws-kenya/

View on map

Kenya

Focus Areas

Mental health & crisis

Child safety

Algorithmic accountability

Active safeguards required

Cite This

APA

Kenya. (2019). Kenya Data Protection Act 2019.

Related Regulations

Proposed KE

Kenya AI Bill

First comprehensive AI bill in Sub-Saharan Africa. Proposes creation of AI Commissioner, AI Authority, and Advisory Committee. Establishes risk-based regulatory model aligned with EU AI Act framework, criminalizes harmful deepfakes, and mandates AI content labeling.

In Effect ZM

Zambia DPA

Zambia's comprehensive data protection law with special protections for vulnerable persons and DPIA requirements for high-risk processing.

In Effect BW

Botswana DPA

Botswana's modernized data protection law requiring Data Protection Impact Assessment and establishing age 16 for consent.

In Effect SC

Seychelles DPA

Seychelles' modern data protection law requiring DPO for large-scale processing and recognizing Cross-Border Privacy Rules certification.

In Effect RW

Rwanda AI Policy

First African country to adopt comprehensive national AI policy. Establishes Responsible AI Office (RAIO) under MINICT. Implements RURA ethical guidelines covering beneficence, non-maleficence, autonomy, justice, explicability, transparency. Non-binding framework.

In Effect US

White House AI Legislative Framework

Non-binding White House framework outlining seven legislative pillars for Congress, including child safety protections, federal preemption of state AI laws, liability limitations for AI developers, intellectual property protections, free speech safeguards, AI infrastructure investment, and workforce development. Calls for a unified national standard superseding state AI regulations while preserving state child safety, consumer protection, and anti-fraud laws.

All regulations Check if this applies to you

Last updated February 17, 2026. Verify against primary sources before relying on this information.