Kenya encryption policy

Kenya's Data Governance Draft Bets on Borders; Strong Encryption Would Protect Data Better

Nairobi's draft policy treats data as a national asset and asks who controls it — but cryptographic standards, not localization, are what actually secure it.

[Infographic: "Kenya's Data Choice: Borders or Encryption" (People of Internet Research · Kenya; peopleofinternet.com). Panels: 66 countries restricting data flows; -7% trade output per restriction point; 3B+ WhatsApp users worldwide; May 2024, first EU–Kenya adequacy dialogue.]

Key Takeaways

On May 26, 2026, Kenya's Ministry of Information, Communications and the Digital Economy opened public consultation on its Draft National Data Governance Policy, a framework that treats data as a national strategic asset and sets rules on data security, cross-border transfers, and who controls data generated inside Kenya's borders. Public comments close June 5, 2026, with implementation expected in July (KICTANet). The consultation window is short, and the stakes are larger than the timeline suggests: how Kenya defines "control" and "security" here will shape whether its data economy grows or calcifies.

The case for a sovereignty framing

Start with the strongest version of the government's position. A state that suffers a major breach of citizen records cannot outsource accountability to a foreign cloud provider's terms of service. Treating data as a strategic asset is a legitimate response to real risks — foreign surveillance, opaque processing, and the loss of economic leverage when the value generated from Kenyan data accrues entirely offshore. The EU's own GDPR rests on the premise that personal data deserves serious, enforceable protection. Kenya is right to want the same, and right to want a domestic data economy that captures value at home rather than exporting it wholesale.

The problem is not the goal. It is the instinct to pursue it through geography.

Control is not the same as security

The draft's framing — who controls data generated within Kenya's borders — points toward data localization: mandates that data be stored or processed onshore. That instinct conflates the location of data with its safety. A patient record sitting on a server in Nairobi is no more secure than one in Frankfurt if neither is properly encrypted; and one in Nairobi protected by strong cryptography is far safer than an unencrypted copy anywhere. Security is a property of how data is protected, not where it physically rests.

This is where encryption belongs at the center of the policy, and where the current draft falls short. Local analysts have already flagged that it "remains remarkably vague on strict cryptographic benchmarks, zero-trust architecture requirements, or a clear liability framework" for breaches (HapaKenya). A policy serious about data security would specify encryption in transit and at rest, mandate modern key-management practices, and reward end-to-end encryption for sensitive categories — health, financial, and biometric data. Those are the controls that survive a stolen laptop, a misconfigured bucket, or a hostile insider. Borders do not.

What localization actually costs

The economic evidence against localization is well-documented. The Information Technology and Innovation Foundation found that a one-point increase in a country's data-restrictiveness reduces its gross trade output by 7 percent, slows productivity by 2.9 percent, and raises downstream prices for data-reliant industries by 1.5 percent over five years — and that 66 countries already impose such measures (ITIF). For Kenya specifically, this is not abstract. Most Kenyan startups run on AWS, Azure, and Google Cloud; forcing premature migration to nascent local infrastructure would "drive up operating costs and cause investors to look elsewhere" (HapaKenya). A localization mandate would tax the very digital economy the policy claims to nurture.

The encryption debate is already politicized — codify standards now

There is a second reason to anchor the policy in clear cryptographic standards rather than vague "control": encryption is a contested global battleground, and ambiguity invites overreach. On May 22, 2026, the Texas Attorney General sued Meta alleging that WhatsApp — used by more than 3 billion people — does not actually deliver the end-to-end encryption it advertises, despite the app's reliance on the well-reviewed open-source Signal protocol (Ars Technica). Whatever the suit's merits, it shows how easily encryption claims become political instruments. A Kenyan framework that leaves "data security" undefined leaves the door open for future officials to reinterpret "control" as a backdoor mandate or a ban on strong encryption. Writing cryptographic benchmarks into the policy now — and explicitly protecting the right to deploy E2EE — forecloses that drift.

Kenya already has a better template

Kenya does not need to invent a regime from scratch. Its Data Protection Act (No. 24 of 2019) and the Office of the Data Protection Commissioner already provide four lawful routes for moving data abroad — adequacy decisions, appropriate safeguards, necessity, and explicit consent (ODPC). And on May 7, 2024, the EU and Kenya launched the first data-protection adequacy dialogue on the African continent, a track that, if completed, would let personal data "flow freely from the EU to Kenya without any limitations or restrictions" (EEAS). That is the prize: trusted, two-way data flows that make Kenya a regional hub. A localization turn would undercut the adequacy bid, because adequacy is premised on safe transfer, not confinement.

A proportionate path

The draft should keep its ambition and change its method. Define data security through enforceable encryption and key-management standards. Protect, rather than weaken, end-to-end encryption. Lean on the ODPC's existing transfer mechanisms and the EU adequacy track instead of onshore-storage mandates. And resolve the institutional overlap between the proposed governance council and the ODPC before July, so a future breach does not strand citizens between two regulators. Sovereignty over data is a worthy goal. The way to achieve it is to make Kenyan data unreadable to adversaries — not merely resident.

Sources & Citations

  1. EEAS — EU–Kenya Adequacy Dialogue (May 2024)
  2. ODPC — Guidance Note on Cross-Border Data Transfers
  3. KICTANet — Have Your Say: Draft Data Governance Policy
  4. ITIF — Restrictions on Data Flows Have Doubled
  5. Ars Technica — Texas AG sues Meta over WhatsApp E2EE
  6. HapaKenya — Draft policy needs retooling