Kenya DPA
Kenya Data Protection Act 2019
Kenya's comprehensive law with Section 35 rights against harmful automated decisions. DATA LOCALIZATION requirement: one serving copy on Kenyan servers for certain contexts.
Jurisdiction
Kenya
KE
Enacted
Nov 8, 2019
Effective
Nov 25, 2019
Enforcement
Office of the Data Protection Commissioner (ODPC)
What It Requires
Who Must Comply
This law applies to:
- Data controllers/processors in Kenya
- Foreign entities processing Kenyan residents' data
Who bears obligations:
Safety Provisions
- Section 35: Right to object to automated decisions causing significant harm
- Section 31: Data localization: at least one serving copy on a Kenyan server in certain contexts
- Section 44: DPIA for high-risk processing
- Section 32: Children (under 18) require parental/guardian consent
- Section 29: Sensitive data (health) requires explicit consent
Enforcement
Enforced by
Office of the Data Protection Commissioner (ODPC)
Penalties
KES 5M; criminal (up to 2yr)
Up to KES 5M (~$39K) or 1% of turnover (whichever is lower); up to 2 years' imprisonment.
Quick Facts
- Binding: Yes
- Mental Health Focus: Yes
- Child Safety Focus: Yes
- Algorithmic Scope: Yes
Why It Matters
Data localization creates an infrastructure compliance consideration. Kenya is an East African hub, so compliance facilitates regional expansion.
What You Need to Comply
You need: explicit consent for health data; parental consent for under-18s; data localization consideration (Kenyan server); DPIA; objection mechanism.
Cite This
APA
Kenya. (2019). Kenya Data Protection Act 2019. Retrieved from https://nope.net/regs/ke-dpa
BibTeX
@misc{ke_dpa,
title = {Kenya Data Protection Act 2019},
author = {Kenya},
year = {2019},
url = {https://nope.net/regs/ke-dpa}
}
Related Regulations
Zambia DPA
Zambia's comprehensive data protection law with special protections for vulnerable persons and DPIA requirements for high-risk processing.
Botswana DPA
Botswana's modernized data protection law requiring Data Protection Impact Assessment and establishing age 16 for consent.
Seychelles DPA
Seychelles' modern data protection law requiring DPO for large-scale processing and recognizing Cross-Border Privacy Rules certification.
Rwanda AI Policy
First African country to adopt comprehensive national AI policy. Establishes Responsible AI Office (RAIO) under MINICT. Implements RURA ethical guidelines covering beneficence, non-maleficence, autonomy, justice, explicability, transparency. Non-binding framework.
UNICEF AI for Children
Most specific international guidance on children and AI. Ten requirements for child-centered AI including development/wellbeing support, data/privacy protection, and safety.
Nepal AI Policy
Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.