The Impact of Artificial Intelligence on Data Protection in Kenya

by: Gabriel Mwangi, Carolyne Kaunda, Margaret Wanjiru & Sumeiya Yunis

Introduction

Kenya, like many other countries, is experiencing rapid advancements in Artificial Intelligence technologies, which are being used across various sectors including banking, healthcare, education, transportation, and government services. While Artificial Intelligence presents significant opportunities for economic growth and development, it also brings considerable challenges to data protection and privacy which we will delve into in this article.

Artificial Intelligence and Data Privacy in Kenya

Artificial Intelligence systems depend heavily on the collection and processing of large amounts of personal data. This data can range from simple identifiers such as names and phone numbers to more sensitive information, such as biometric data (fingerprints, facial recognition), health records, financial transactions, and even behavioral patterns. As Artificial Intelligence technologies become more ingrained in daily life, the potential for misuse of personal data worsens.^[1]

AI-powered systems, especially in sectors like banking, telecommunications, and healthcare, can gather and process data in ways that often go unnoticed by the average user. For example, AI tools are used to assess creditworthiness in the financial sector by analyzing a person’s financial behavior, including spending habits and payment history. ^[2]Similarly, in the healthcare industry, AI can analyze patient data to improve medical diagnoses or provide personalized treatments, but this involves the collection of highly sensitive personal health information.

Key Challenges of Artificial Intelligence when it comes to Data Protection in Kenya

1. Lack of Awareness and Transparency– One of the main challenges faced by Kenyan citizens is a lack of awareness regarding how their data is being collected, used, and shared. Many consumers are unaware of the extent to which their personal information is being used in AI systems. In many cases, companies collect data without clearly informing users, leading to a lack of transparency. For example, AI algorithms that target consumers with personalized ads or offers often operate behind the scenes, leaving consumers vulnerable to privacy violations. This lack of transparency can erode trust and hinder the responsible adoption of AI technologies.^[3]
2. Inadequate Legal and Regulatory Frameworks– Kenya’s legal and regulatory frameworks surrounding data protection are still evolving. While the Data Protection Act (2019) was passed to protect individuals’ privacy rights and regulate data collection, use, and sharing, it is still relatively new and faces challenges in implementation and enforcement. Many organizations, especially smaller companies, may not fully comply with these laws, which leads to inconsistent data protection practices. Additionally, the current laws may not be fully equipped to address the specific risks posed by AI technologies, such as algorithmic biases or the unethical use of AI-driven surveillance tools.^[4]
3. Algorithmic Bias and Discrimination– AI systems in Kenya, like elsewhere, are vulnerable to biases embedded in the algorithms. For example, AI models used in credit scoring, hiring processes, or law enforcement could inadvertently disadvantage specific groups of people. If these systems are trained on biased datasets or are not regularly audited, they could perpetuate discrimination, making data privacy not just about security, but also fairness. In a diverse country like Kenya, this is particularly concerning, as it could lead to the unfair treatment of certain ethnic or socioeconomic groups who are already facing discrimination against in the current system.
4. Security Threats and Cybercrime– As AI systems become more integrated into Kenya’s digital infrastructure, the risk of cyberattacks targeting AI-driven platforms increases. For instance, AI-powered banking apps or healthcare management systems could be hacked, leading to the theft of sensitive personal data such as financial details, health records, and identity information. Kenya has seen a rise in cybercrime, with hackers targeting both individuals and organizations. ^[5]AI systems, if not properly secured, can become an attractive target for cybercriminals, who could exploit vulnerabilities to access and misuse personal data. Bringing it closer home, on January 31, 2025, cybercriminals targeted the Business Registration Services database, a key government registry storing sensitive information about registered companies, including business owners, directors, and beneficial owners. The breach, potentially involving an insider threat, exposed confidential data, some of which is now at risk of being sold on the dark web.^[6]
5. Data Sovereignty and Cross-Border Data Flow– The nature of AI technologies often leads to concerns about data sovereignty—the worry being whether personal data remains under the control of the individual and nation or is subject to foreign jurisdictions. Many AI systems in Kenya are developed by international tech giants, and data generated by Kenyan users may be stored and processed in other countries. This raises concerns about the adequacy of data protection standards in other jurisdictions and whether Kenyan citizens’ privacy rights are adequately protected when their data crosses borders.^[7]

Opportunities for Growth of Data Protection when it comes to Artificial Intelligence in Kenya

Despite the aforementioned challenges, AI also holds potential to improve data protection and enhance privacy management in Kenya:

1. AI can be used to strengthen data protection in Kenya- AI can be used to strengthen data security systems. Algorithims can be used to detect unusual patterns of data access or its usage, allowing businesses and institutions to quickly identify and respond to data breaches. In sectors like banking, AI systems are already being used to monitor transactions in real-time, identifying fraudulent activity and minimizing the risk of financial data theft.^[8]
2. AI Powered Privacy enhancement– AI tools can help organizations automate and enhance their data protection practices. For example, AI-driven encryption can be used to protect sensitive data during processing. Additionally, AI can be used to help organizations comply with privacy regulations by automatically identifying and flagging personal data that needs to be protected or deleted.
3. Improved regulatory compliance– AI can assist regulatory bodies and businesses in ensuring compliance with data protection laws. For instance, AI tools can help organizations track consent records, ensuring that they have obtained proper permissions from individuals before collecting or processing their data. Similarly, AI can help with audits by analyzing vast amounts of data to ensure that organizations are following data protection protocols.
4. Enhancing Public Awareness– AI-driven tools can help raise awareness about data privacy issues. Chatbots, for example, could be used by government agencies or private companies to educate consumers about their rights and how to protect their personal data. This can empower users to make more informed decisions about how they interact with AI technologies. An example of this is the Ardhisasa platform which uses chatbots to offer information that can guide any person using the platform.^[9]

The Future of Data Protection and AI in Kenya

At present, Kenya has no laws or regulations that specifically regulate AI. It has been noted in the past that the challenge in regulating AI is in striking a balance between supporting innovation and competition while protecting consumers, market integrity, financial stability and human life. However, the legal and regulatory framework is evolving to address complexities of AI and data protection, particularly with the release of the Kenya National Artificial Intelligence Strategy 2025 – 2030 (“the Strategy”).

In developing such regulation, existing laws such as the Constitution of Kenya, the Data Protection Act, 2019 and the Consumer Protection Act, 2012 provide a foundational framework for addressing issues related to AI. The Strategy signifies one of the first steps towards addressing AI governance.

The objectives of the Strategy include establishing a robust governance framework for AI, enhancing AI adoption across critical sectors such as agriculture, security, healthcare, education and public service delivery and fostering the growth of local AI ecosystems. These sectors are data-intensive and involve sensitive personal information, making data protection a central concern. Recognising this, the Strategy emphasizes the need for legal and regulatory frameworks that support the ethical and responsible use of the AI technologies. It advocates for a balanced approach that promotes innovation while safeguarding human rights, ensuring good governance and proactively mitigating associated risks.

Other significant strides have been made on AI Regulations in Kenya, with the Kenya Bureau of Standards (“KEBS”) introducing the Draft Information Technology Artificial Intelligence Code of Practice, 2024. The Code aims to guide organisations in developing and deploying AI responsibly. Additionally, the proposed Robotics and Artificial Intelligence Society Bill of 2023 adopts a risk-based approach, categorizing AI systems into high, moderate and low-risk tiers, each with corresponding regulatory measures.

Despite its potential impact, the Bill has stalled in draft form, largely due to limited engagement and support from key stakeholders including government bodies, regulators, civil society, and the private sector. Furthermore, the Computer Misuse and Cybercrimes Act, 2018 remains pertinent, especially concerning the protection of critical information infrastructure and the prevention of cybercrimes related to AI Systems.

Collectively, these initiatives aim to establish a comprehensive legal and regulatory framework that balances innovation with the protection of individual rights in Kenya’s AI landscape.

1. New Age: The Interplay Between Artificial Intelligence and Data Privacy by Jacob Ochieng https://www.oraro.co.ke/new-age-the-interplay-between-artificial-intelligence-and-data-privacy ↑
2. The Role Of AI In Transforming Credit Risk Assessment Process by Ritesh Shetty, 30^th May 2024 https://arya.ai/blog/ai-in-credit-risk-assessment ↑
3. Safeguarding Data Rights in the Information Age by Dennis Ondieki 7^th March 2025 https://www.theelephant.info/analysis/2025/03/07/safeguarding-data-rights-in-the-information-age/ ↑
4. Strengthening Data Protection in Kenya: Opportunities and the Way Forward by KIPPRA 30^th June 2024 https://kippra.or.ke/strengthening-data-protection-in-kenya-opportunities-and-the-way-forward/ ↑
5. Kenya’s Digital Infrastructure Under Threat? A Look at Anonymous Sudan’s Thwarted Cyberattack Attempt and its Implications for Kenya’s Digital Systems Joshua Kitili & Doreen Abiero August 22, 2023 https://cipit.strathmore.edu/kenyas-digital-infrastructure-under-threat-a-look-at-anonymous-sudans-thwarted-cyberattack-attempt-and-its-implications-for-kenyas-digital-systems/ ↑
6. The BRS Cyberattack: A Wake-Up Call for Data Privacy in East Africa 2^nd February 2025 https://www.wka.co.ke/the-brs-cyberattack-a-wake-up-call-for-data-privacy-in-east-africa/ ↑
7. Kenya’s Digital Infrastructure Under Threat? A Look at Anonymous Sudan’s Thwarted Cyberattack Attempt and its Implications for Kenya’s Digital Systems Joshua Kitili & Doreen Abiero August 22, 2023 https://cipit.strathmore.edu/kenyas-digital-infrastructure-under-threat-a-look-at-anonymous-sudans-thwarted-cyberattack-attempt-and-its-implications-for-kenyas-digital-systems/ ↑
8. Strengthening Personal Data Protection in the AI Age in Kenya Jashon Owano 14^th November 2024 https://www.linkedin.com/pulse/strengthening-personal-data-protection-ai-age-kenya-jashon-owano-vjf4e ↑
9. Leveraging AI-Powered chatbots to enhance customer serviceefficiency and future opportunities in automated support Abel Uzoka, Emmanuel Cadet, & Pascal Ugochukwu Ojukwu Computer Science & IT Research Journal, Volume 5, Issue 10, October 2024 ↑