Skip to main content
NOPE
In Effect Law Data Protection

Kenya DPA

Kenya Data Protection Act 2019

Kenya's comprehensive law with Section 35 rights against harmful automated decisions. DATA LOCALIZATION requirement: one serving copy on Kenyan servers for certain contexts.

Jurisdiction

Kenya

Enacted

Nov 8, 2019

Effective

Nov 25, 2019

Enforcement

Office of the Data Protection Commissioner (ODPC)

ODPC Kenya

Why It Matters

Data localization creates infrastructure compliance consideration. East African hub; compliance facilitates regional expansion.

At a Glance

Who Must Comply

  • Data controllers/processors in Kenya
  • Foreign entities processing Kenyan residents' data

Obligations fall on:

Safety Provisions

  • Section 35: Right to object to automated decisions causing significant harm
  • Section 31: Data localization—at least one serving copy on Kenya server in certain contexts
  • Section 44: DPIA for high-risk processing
  • Section 32: Children (under 18) require parental/guardian consent
  • Section 29: Sensitive data (health) requires explicit consent

Compliance & Enforcement

Penalties

KES 5M; criminal (up to 2yr)

Criminal liability

View on map

Kenya

Focus Areas

Mental health & crisis
Child safety
Algorithmic accountability
Active safeguards required

Compliance Help

Requires explicit consent for health data; parental consent for under-18s; data localization consideration (Kenyan server); DPIA; objection mechanism.

See how NOPE helps

Cite This

APA

Kenya. (2019). Kenya Data Protection Act 2019.

Related Regulations

In Effect ZM

Zambia DPA

Zambia's comprehensive data protection law with special protections for vulnerable persons and DPIA requirements for high-risk processing.

In Effect BW

Botswana DPA

Botswana's modernized data protection law requiring Data Protection Impact Assessment and establishing age 16 for consent.

In Effect SC

Seychelles DPA

Seychelles' modern data protection law requiring DPO for large-scale processing and recognizing Cross-Border Privacy Rules certification.

In Effect RW

Rwanda AI Policy

First African country to adopt comprehensive national AI policy. Establishes Responsible AI Office (RAIO) under MINICT. Implements RURA ethical guidelines covering beneficence, non-maleficence, autonomy, justice, explicability, transparency. Non-binding framework.

In Effect CN

China CSL Amendments

First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.

In Effect US-CA

CA SB 524

Requires law enforcement agencies to disclose when AI is used to write or assist in creating official police reports, maintain audit trails, and preserve AI-generated first drafts.

All regulations Check if this applies to you

Last updated February 17, 2026. Verify against primary sources before relying on this information.