A Billing Reform With a Surveillance-Shaped Footprint
On July 1, 2026, Kenya's National Assembly gave a First Reading to the Kenya Information and Communications (Amendment) Bill, 2025, sponsored by Aldai MP Marianne Kitany. A day later, on July 2, the bill was committed to the Departmental Committee on Communication, Information and Innovation for scrutiny. On paper, it is a consumer-protection measure: it would require internet service providers to assign every subscriber a unique, permanent "meter number," monitor data consumption in real time, and bill customers for what they actually use rather than charging flat monthly rates (Techweez; Parliament of Kenya, bill text).
The steelman case for usage-based billing is not frivolous. Metered pricing is standard in electricity and water utilities, and proponents can plausibly argue it would let low-usage subscribers — students, rural users, the price-sensitive — pay less than they do under current flat-rate ISP plans, expanding affordability at the bottom of the market. Kenya has a real broadband-access gap outside Nairobi and Mombasa, and a tariff structure that rewards low consumption is not inherently hostile to that goal.
But the bill does not stop at billing mechanics. It also requires ISPs to submit detailed subscriber usage records to the Communications Authority of Kenya (CA) annually, and — per legal analysis from Wamae & Allen LLP — separately mandates that operators collect subscribers' full names, national ID numbers, birth dates, and physical addresses, while imposing an age-verification requirement compelling social media users to confirm identity via national ID (Wamae & Allen LLP). That is a materially different proposition from a smart electricity meter: it links a person's real-world identity to a continuous, itemized log of their internet activity, held first by private ISPs and then handed annually to a state regulator.
The Data Protection Act Problem
Kenya already has an answer to how personal data should be handled: the Data Protection Act, 2019 (Act No. 24 of 2019), enacted to give effect to Article 31(c) and (d) of the Constitution, which protects the right to privacy. The Act created the Office of the Data Protection Commissioner (ODPC) specifically to regulate how entities collect, store, and process personal data, and to give data subjects enforceable rights over their own information (ODPC).
The International Commission of Jurists–Kenya (ICJ Kenya) argues the 2025 bill was drafted as though that framework doesn't exist. In a formal statement, the organization calls the bill "a Trojan horse for mass surveillance," noting it creates a system capable of "monitoring real-time usage" and converting it into "detailed, itemized logs," while leaving unaddressed how the resulting dataset will be stored, secured, or accessed — questions the Data Protection Act was written to answer for exactly this kind of processing (ICJ Kenya). Wamae & Allen's independent legal review reaches a parallel conclusion, describing the bill's data-collection provisions as representing "a clear regression from the progress Kenya has made under the Data Protection Act, 2019," and warning that they "undermine established principles for personal data" (Wamae & Allen LLP).
What's conspicuous in both critiques, and in the bill text as reported, is the absence of the ODPC itself. A bill that creates a new nationwide pipeline of identity-linked usage data — flowing from ISPs to a regulator with no described retention limit — would ordinarily be expected to specify the Data Protection Commissioner's role in oversight, a data protection impact assessment, or a legal basis under Section 25 of the 2019 Act. None of the available drafting summaries mention such a mechanism.
Why the Sequencing Matters
Kenya's recent history gives this concern teeth rather than making it abstract. ICJ Kenya, alongside the Law Society of Kenya, Katiba Institute, and the Kenya Union of Journalists, has previously litigated against state-directed internet disruptions — meaning the same civil society coalition warning about this bill has direct experience with Kenyan authorities using network-level control during politically sensitive moments. A permanent, identity-linked meter number attached to every subscriber's traffic would hand any future administration a readymade tool for exactly that kind of targeting, regardless of the current bill's stated billing rationale.
This is where proportionality analysis should bind lawmakers. A usage-based billing regime does not require identity-linked, centrally reported logs — carriers already meter data for their own billing purposes without submitting subscriber-level records to a regulator, and anonymized or aggregated reporting could satisfy any legitimate CA interest in market oversight. The bill's committee stage is the moment to test that distinction: does the Departmental Committee on Communication, Information and Innovation need annual, identity-linked usage submissions to achieve the tariff-reform goal, or would aggregate, de-identified reporting serve the same purpose with a fraction of the surveillance exposure?
What Should Happen Next
The committee stage that began July 2 is a genuine opportunity for course correction, not a formality. At minimum, any version of this bill that advances should: require a Data Protection Impact Assessment under the 2019 Act before implementation; give the ODPC — not just the CA — a statutory oversight role over the subscriber database; cap data retention periods explicitly; and strip out identity-linked reporting requirements that go beyond what billing reform needs. Kenya doesn't have to choose between modern telecom regulation and its own privacy law — but this bill, as drafted, currently asks Parliament to pick the former while ignoring the latter.