On April 28, 2026, the Kenya National Bureau of Statistics published the Statistics Bill 2026, a measure that would dissolve KNBS — the body created by the Statistics Act No. 4 of 2006 — and replace it with a new Kenya Statistics Authority. The headline change is institutional, but the consequential changes are about data. Clause 28 lets the new Authority collect biometric identifiers in censuses and surveys; a supremacy clause lets the new law prevail where it conflicts with others; and the administrative-data provisions compel government and private holders to hand over information, with confidentiality narrowly construed. Together they expand what the state can systematically gather about every resident.
The case for modernising Kenya's statistics
It is worth stating the regulator's strongest argument first, because it is real. National statistics offices across Africa are under pressure to count people accurately, deduplicate records, and integrate administrative and satellite data so that policy is built on facts rather than guesses. KNBS frames Clause 28's biometrics as a tool "for purposes of improving accuracy, preventing duplication and ensuring integrity of data," and the Bill pairs that with genuine safeguards: biometric data must be "anonymised or pseudonymised as soon as practicable," cannot be shared for administrative, enforcement, or investigative purposes except by court order, is not mandatory for children, and cannot be used to exclude anyone from a census (ppc.land). A modern, well-counted Kenya is a legitimate public good, and these are not the drafting choices of a body indifferent to privacy.
Where proportionality breaks down
The problem is that the Bill's architecture undercuts its own safeguards. Clause 28 authorises fingerprints, facial images, iris scans, "and other identifiers that may be added later" — meaning new categories of biometric surveillance can be introduced administratively, without returning to Parliament (Techweez). Open-ended delegation of this kind is the opposite of proportionate. The whole point of a statutory list of sensitive identifiers is that expanding it should require democratic deliberation, not a regulator's notice.
The supremacy clause compounds the issue. By providing that the Statistics law takes priority where it conflicts with other laws on data collection or sharing, the Bill weakens the Data Protection Act 2019 precisely where the two overlap. That 2019 Act exists to give effect to the privacy right in Article 31 of Kenya's Constitution and established the Office of the Data Protection Commissioner (ODPC). A later statute that can override the general data-protection regime for one powerful collector inverts the normal hierarchy, in which sector laws operate within the privacy framework, not above it.
The compelled-access provisions raise a third concern. The Bill empowers the Authority to demand administrative data from government entities, and confidentiality laws cannot block sharing "unless that law expressly excludes such use." In practice this reverses the burden: a data demand is presumed valid unless the holder can point to an explicit statutory carve-out, with non-compliance penalised by fines reportedly up to KES 5 million (Techweez). Pressure of that magnitude, applied to custodians of tax, health, and registration records, is how a statistics mandate quietly becomes a centralised data pipeline.
Kenya has already litigated this question
This is not a hypothetical risk in Kenya — the country has run the experiment. In October 2021, the High Court declared the Huduma Namba / NIIMS biometric ID rollout illegal because the government had processed Kenyans' personal data without first conducting the Data Protection Impact Assessment that Section 31 of the Data Protection Act requires. The court held the 2019 Act applied to the rollout and ordered the assessment done before any further processing (Future of Privacy Forum).
That ruling is the precedent the Statistics Bill should be built on, not around. The DPIA requirement, independent oversight by the ODPC, and constitutional privacy review are exactly the guardrails that made Huduma Namba's mass biometric registration accountable. A supremacy clause that can subordinate the Data Protection Act risks engineering away the very legal hook the courts used in 2021. The lesson of Huduma Namba was not "biometrics are forbidden" — it was "collect them only inside a proper impact-assessed, independently supervised framework."
A more proportionate path
None of this requires abandoning a statistics upgrade. The fixes are narrow and well understood. Parliament should strike the "identifiers added later" language and require fresh legislation for any new biometric category. The supremacy clause should be replaced with an explicit subordination clause confirming that the Data Protection Act and ODPC oversight continue to apply in full. The compelled-access power should carry a clear necessity-and-proportionality test rather than a presumption of validity, and a mandatory DPIA — the Huduma trigger — should be written into the face of the statute, not deferred to future regulations. Techweez's reviewers make the same structural point: peer systems "build independent supervision into the law from the start instead of leaving it to later regulations" (Techweez).
Kenya can have a credible, deduplicated census and a thriving data economy without granting one authority open-ended biometric reach above the privacy law. The public-participation window that ran through May 20 was the moment to narrow the Bill; the committee stage is the last one. Counting people well and protecting them are not in tension — but only if the safeguards sit above the collection power, not beneath it.