When Humanitarian Work Meets Fragmented Law
When participants from 16 nationalities gathered in Mombasa on June 2 for a Data Protection Officer Humanitarian Action Certification Course, the venue was deliberate. Kenya's Office of the Data Protection Commissioner (ODPC) co-hosted the event alongside the International Committee of the Red Cross (ICRC) and the European Centre on Privacy and Cybersecurity at Maastricht University — and Data Commissioner Immaculate Kassait used it to make a pointed argument: data protection in humanitarian contexts cannot function when regulatory regimes stop at national borders.
"Even in times of crisis, the rights to privacy, dignity, and autonomy must be upheld. Protecting personal data is not optional — it is essential to preserving trust and humanity." — Data Commissioner Immaculate Kassait, June 2, 2026
She urged participants to adopt "coordinated actions, information sharing, and harmonised approaches" to tackle cybersecurity threats that she described as compounded by fragmented legal frameworks. The course drew professionals from across Africa and beyond — a room that embodied exactly the cross-border regulatory dissonance Kassait was addressing. Backed by the ICRC and a European academic institution, it was also a signal about where Kenya sees its regulatory ambitions pointing: outward, to the continent.
What Kenya Has Built at Home
The ODPC's bid for a continental convening role rests on what it has achieved domestically since Kenya's Data Protection Act (No. 24 of 2019) came into force. The Commissioner's office has expanded from a Nairobi headquarters to regional offices in seven additional cities: Mombasa, Kisumu, Nakuru, Eldoret, Machakos, Garissa, and Nyeri. Enforcement has kept pace: in September 2023, the ODPC imposed a KSh 4.55 million fine against Roma School for publishing images of minors without parental consent — a case that put the market on notice that the 2019 Act had operational teeth.
Kassait herself has become a visible figure in global data governance conversations. She attended the Data Protection Authorities Roundtable at Mobile World Congress in Barcelona in March 2026 and the ID4Africa Forum in Addis Ababa in May 2026. Kenya's Cabinet has already approved accession to the African Union's Malabo Convention on Cyber Security and Personal Data Protection, with the ODPC running public stakeholder consultations through late 2025.
That accession matters more than it may appear. The Malabo Convention entered into force in June 2023, but has attracted only 16 ratifications from 55 AU member states — a fragile mandate for a treaty designed to anchor continental data and cybersecurity governance. Kenya completing its accession would add institutional weight and could nudge neighbouring EAC bloc states toward ratification.
The Coordination Problem in Practice
The Mombasa event's humanitarian focus gives concrete shape to an otherwise abstract policy challenge. When a humanitarian organisation operates across several African countries — registering refugees in one, managing health records in another, transmitting data to a European donor-country partner — it encounters incompatible consent standards, different breach notification timelines, conflicting data localisation requirements, and no clear mechanism for cross-border regulatory cooperation.
The ICRC's Handbook on Data Protection in Humanitarian Action identifies precisely this structural gap: cross-border data flows are intrinsic to emergency response, yet most national data protection frameworks are written with domestic enforcement in mind. A DPO managing a regional response programme cannot easily determine which country's law governs, which regulator has jurisdiction, or how to satisfy simultaneous and potentially contradictory legal obligations.
At the regional level, the East African Community has been developing a Data Governance Policy Framework. A validation workshop in Kigali in October 2024 brought together all eight EAC partner states — Burundi, Democratic Republic of Congo, Kenya, Rwanda, Somalia, South Sudan, Uganda, and Tanzania — to advance harmonised standards aligned with the AU Data Policy Framework adopted in 2022. The African Continental Free Trade Area's Protocol on Digital Trade adopted a cross-border data transfers annex in February 2025. Both are meaningful steps forward. But both instruments still require domestic ratification and implementation before they close the coordination gap Kassait flagged in Mombasa.
The Case For, and Against, Continental Standards
The strongest argument for what Kenya is championing is consequentialist. A Future of Privacy Forum analysis found that cross-border data transfer mechanisms across African jurisdictions remain "uneven," with many countries lacking practical guidance even where laws exist on paper. For humanitarian organisations, this creates legal uncertainty that delays field deployments and raises compliance costs. For African tech firms, incompatible rules across neighbouring markets increase overhead and fragment what could be a continental-scale growth opportunity.
The counter-argument deserves a fair hearing. Harmonisation carries its own risks: standards designed with European civil-law assumptions may sit awkwardly in common-law contexts, or impose compliance burdens that outpace regulatory capacity to enforce. The Malabo Convention's thin ratification record partly reflects this anxiety — some states have preferred to adapt rather than import a framework wholesale. Sovereignty over domestic data governance is not an empty concern in a region with a long history of regulatory conditionality imposed from outside.
The more proportionate response, and the one Kassait's Mombasa remarks appear to point toward, is interoperability rather than uniformity, built on agreed mechanisms for cross-border regulatory cooperation: joint investigation procedures, mutual recognition of enforcement decisions, and shared complaint channels. These can prevent the worst coordination failures without requiring every jurisdiction to adopt identical rules. That is how mature frameworks like the EU-US Data Privacy Framework operate, and there is no reason Africa's approach to humanitarian data governance should aim for anything less functional.
Kenya as Convening Authority, Not Template
What Kenya can realistically offer is institutional depth, enforcement credibility, and growing international visibility — not a model to be exported wholesale. The ODPC's track record since 2019, Kassait's rising profile at global fora, and Kenya's pending Malabo accession position it as a natural convening authority: a place where pan-African data governance conversations can be hosted, interoperability standards piloted, and DPO capacity built across borders.
The June 2 Mombasa course was that role in miniature — 16 nationalities, the ICRC, and a European academic institution gathered on Kenyan soil to work through a problem that no single national regulator can solve alone. Whether it translates into durable continental infrastructure depends on three things: Kenya completing its Malabo accession, the EAC framework gaining enforceable form, and the AfCFTA digital trade protocol attracting the 22 ratifications it needs to function. The ambition is clear. The architecture is still under construction.