
Kenya's ODPC Has Built a Real Enforcement Record. Now It Wants Bigger Teeth.

Seven years after the Data Protection Act's passage, Kenya's data regulator is issuing mass compensation orders, criminal referrals, and backing a proposed fine hike.

[Figure: Kenya ODPC Enforcement Scorecard (People of Internet Research, peopleofinternet.com). Total complaints filed: 9,061. Determinations issued: 357. Jan 2026 compensation orders: 184. Assessed penalties total: KES 26M+.]


Seven Years From Paper to Practice

For most of its existence, Kenya's Office of the Data Protection Commissioner operated more like a well-intentioned start-up than a functioning regulator — building institutional capacity, registering data controllers, and issuing sector guidance notes. That phase is over. Seven years after the Data Protection Act, 2019 came into force, 2026 marks a distinct inflection point: the ODPC is issuing mass compensation orders, recommending criminal prosecution of company directors, and backing a legislative amendment that would substantially raise fine ceilings. The shift from law-on-paper to enforcement-in-practice is now unmistakable.

On January 26, 2026, Data Commissioner Immaculate Kassait announced 184 compensation orders to Kenyans whose personal data had been mishandled — among the largest single batches of relief orders in the regulator's history. These came against a backdrop of 9,061 total complaints received since the Act's enactment, yielding 357 determinations, 134 enforcement notices, and 20 penalty notices. The ODPC has also expanded to eight regional offices nationwide and registered over 15,000 entities for compliance.

The LOLC Kenya Ruling: A Threshold Moment

The trajectory sharpened further in April 2026. On April 14, the Data Commissioner ruled against LOLC Kenya Microfinance Bank Limited, finding the institution had unlawfully posted a former employee's images and personal details on its social media platforms without consent — effectively blacklisting him publicly after his resignation in July 2025. The bank failed to respond to a formal notice in March, preventing it from establishing any lawful basis for processing.

The ruling ordered LOLC Kenya to delete the employee's data from all online platforms within 14 days. More significantly, the Commissioner recommended prosecution of the bank's directors for obstruction of the investigation — an offence carrying penalties of up to KES 5 million or two years' imprisonment. Parties retain 30 days to appeal to the High Court.

This matters beyond the facts of the individual case. LOLC Kenya is not an unlicensed lender operating out of a makeshift call centre — it is a licensed microfinance bank regulated by the Central Bank of Kenya. The ODPC's readiness to recommend criminal referrals against board-level executives at a formal financial institution marks a meaningful threshold. The regulator is signalling that institutional status does not confer immunity.

Digital Lending in the Crosshairs

The sector absorbing the heaviest regulatory scrutiny is digital credit. The ODPC's published Guidance Note for Digital Credit Providers established clear requirements around consent, data minimisation, and purpose limitation. Since then, enforcement has intensified across complementary regulatory channels.

The Central Bank of Kenya now ties digital credit licensing directly to data protection compliance — applicants must produce an ODPC certificate of registration as a condition of operating. Digital lender Mulla Pride (operating as KeCredit/Faircash) was fined KES 2.975 million for abusive third-party debt collection, a penalty subsequently upheld on appeal by the High Court. Total financial penalties assessed across sectors have exceeded KES 26 million. The Business Laws (Amendment) Act, 2024 — which took effect on January 1, 2025 — elevated data harassment from an administrative infraction to a criminal offence, giving affected borrowers access to criminal prosecution for the first time.

The public interest rationale for this enforcement focus is real and worth stating plainly. Mobile credit has expanded rapidly in Kenya, often targeting low-income borrowers with limited access to legal recourse. Practices like mining phone contacts without consent, shaming defaulters to family members or employers, and sharing personal financial data with third parties cause documented harm. The ODPC's enforcement toolkit — compensation orders, criminal referrals, mandatory deletion directives — is proportionate to the scale of the injury.

A Proportionality Question: The Amendment Proposal

The case for robust ODPC enforcement is straightforward. The harder question is whether the proposed escalation of penalty ceilings is correctly calibrated.

The Data Protection Amendment Bill 2025 proposes replacing the current fine structure — up to KES 5 million or 1% of annual turnover, whichever is lower — with "whichever is higher." For a large bank or multinational, this dramatically increases financial exposure. Proponents argue this is necessary to bring Kenya closer to GDPR-level deterrence and that capped fines allow large corporations to treat violations as an acceptable cost of doing business. That argument is not without merit.

But the counterpoint deserves fair consideration. Kenya's digital economy is still developing. Fintech start-ups, health data platforms, and agricultural credit companies are building compliance infrastructure with limited legal resources. A penalty framework designed to discipline a major commercial bank should not apply identically to a 20-person rural lender. The risk of poorly calibrated penalty escalation is that it deters investment in precisely the sectors — telemedicine, micro-insurance, agricultural data services — where data-driven services create genuine developmental value.

Getting the Balance Right

The ODPC under Commissioner Kassait has shown awareness of this tension. On June 2, 2026, Kassait emphasised "coordinated action among data protection officers" across sectors — a signal that the regulator is investing in compliance culture, not only punitive enforcement. The parallel collaboration with the Media Council of Kenya on data awareness reflects an institution that has not abandoned preventive tools even as it sharpens the punitive ones.

The productive path forward is precision, not restraint. The proposed fine amendment is appropriate if paired with proportionality provisions that account for company size, revenue, and the nature of the breach. Graduated enforcement — higher penalties and lower tolerance for repeat violators or those who obstruct investigations, lighter thresholds for first-time technical breaches by small operators — would preserve deterrent value without chilling the digital economy Kenya needs.

Kenya's data protection framework is the most operationally credible in sub-Saharan Africa. The question heading into the second half of 2026 is whether the ODPC can extend that credibility into the penalty debate without sacrificing the proportionality that makes its enforcement model worth emulating.
