
Kenya's ODPC Steps Up: Why Nairobi's Data Watchdog Must Balance Enforcement With Innovation

As Commissioner Kassait's office issues fresh penalties and drafts AI rules, Kenya risks chilling its fast-growing tech sector unless guidance stays proportionate.

[Infographic: Kenya's Data Protection Regime at a Glance (People of Internet Research). Panels: KES 5M maximum administrative penalty, or 1% of annual turnover; Act in force since 2019; section 35 automated decision rights, mirroring GDPR Article 22; 70K/yr EV market growth target (government projection).]

Key Takeaways

Kenya's Office of the Data Protection Commissioner (ODPC) is no longer a paper tiger. Six years after the Data Protection Act 2019 was passed, and under the leadership of Commissioner Immaculate Kassait, the authority has steadily moved from registration drives and awareness campaigns into the harder business of enforcement — issuing administrative penalties against firms for unlawful processing, and now drafting guidance on automated decision-making and artificial intelligence systems.

For Kenya's tech economy — the most active in East Africa, home to fintech leaders like M-Pesa, mobility startups such as BasiGo and Roam, and a growing cohort of AI-adjacent ventures — this transition matters. Strong, predictable data protection enforcement is a genuine asset: it builds trust, aligns Kenya with the EU's General Data Protection Regulation (GDPR) for cross-border data flows, and gives consumers a credible avenue for redress. But the next phase of ODPC's work, particularly its draft guidance on automated decision-making, will determine whether Kenya's regime becomes a model for proportionate African regulation — or a brake on the very digital sector Nairobi has spent a decade cultivating.

From Register-and-Warn to Enforce-and-Fine

The Data Protection Act 2019 closely tracks the GDPR's structure: lawful bases for processing, rights of access and erasure, mandatory registration of data controllers and processors, and an independent regulator empowered to issue enforcement notices and, under section 63, administrative fines of up to KES 5 million or 1% of annual turnover, whichever is lower. For the first few years, the ODPC understandably focused on standing up the machinery: registering thousands of controllers, publishing sector guidance, and resolving complaints informally.

That changed visibly from 2023 onward. The ODPC has reportedly issued penalties against digital credit providers, schools, real-estate firms, and other businesses for unlawful processing — most commonly the use of personal data (phone numbers, contact lists, photographs) without a valid lawful basis or for marketing without consent. Through 2025 and into 2026, the authority has continued this enforcement posture, signalling that registration is the floor, not the ceiling, of compliance.

This is a welcome maturation. Without credible enforcement, data protection laws collapse into box-ticking — and Kenya's digital lenders in particular have generated repeated complaints over aggressive debt collection practices that involved shaming borrowers' contacts. A regulator willing to fine bad actors strengthens the legitimacy of the entire framework.

The Harder Question: AI and Automated Decisions

The more consequential move is the ODPC's work on guidance for automated decision-making and AI systems. Section 35 of the Data Protection Act gives data subjects the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, a provision lifted almost verbatim from GDPR Article 22.

What that means in practice is far from settled anywhere in the world. Does a credit-scoring model that informs, but does not solely determine, a loan officer's decision fall within section 35? What counts as "meaningful human involvement"? How should explainability obligations apply to large language models that no developer can fully interpret? European regulators have spent years on these questions, and clear answers remain elusive even after the EU AI Act's phased entry into force.

Kenya's ODPC is now drafting guidance in this thicket. The opportunity is real: a clear, risk-based framework, co-designed with industry and civil society, could give Kenyan AI builders the regulatory certainty their European counterparts lack. The risk is equally real: prescriptive rules — particularly around mandatory algorithmic audits, blanket prior authorisation for AI deployments, or sweeping data localisation — could push capital and talent toward jurisdictions with lighter touches.

What Proportionate Guidance Looks Like

From a pro-innovation perspective, three principles should anchor the ODPC's approach:

Enforcement Capacity and Due Process

One quiet concern deserves more attention: the ODPC remains a small office handling a fast-growing caseload. Civil society groups have welcomed its activism, but firms have raised concerns about the speed of investigations, the consistency of penalty calculations, and the limited published reasoning behind decisions. As fines escalate, so will judicial review challenges; the High Court has already heard appeals from penalised entities. Publishing detailed enforcement decisions, a penalty-calculation methodology for administrative fines, and clearer procedural rules would strengthen both legitimacy and predictability.

The Bigger Picture

Kenya occupies a particular position in African tech policy. It has a credible legal framework, an active regulator, a vibrant private sector, and visible political appetite for digital industrial policy. The ODPC's enforcement and AI guidance choices over the next 12-18 months will shape whether that combination produces a Lagos-and-Kigali-rivalling hub or an over-regulated market that founders quietly exit.

The right answer is neither maximalist enforcement nor regulatory holiday. It is a credible, proportionate, transparent regulator that punishes genuine abuse, leaves room for experimentation, and treats AI guidance as a living document — iterated openly with the industry it governs. On current trajectory, the ODPC can get there. The next drafts will tell.

Sources & Citations

  1. Kenya Data Protection Act 2019 (Office of the Data Protection Commissioner)
  2. Kenya Data Protection Act 2019 — full text (Kenya Law)
  3. EU GDPR Article 22 — automated individual decision-making
  4. EU AI Act — official text (EUR-Lex)