Kenya is intensifying its efforts to enforce data privacy compliance, particularly targeting multinational companies that store sensitive user data on foreign servers beyond Kenya’s legal reach. This practice, often employed by apps processing Kenyan data, poses significant challenges for enforcement under the country’s Data Protection Act (DPA). To address this issue, the East African country is seeking assistance from foreign governments through Mutual Legal Assistance (MLA) agreements, aiming to strengthen cross-border enforcement against such violations.
This development, announced by Data Protection Commissioner Immaculate Kassait, aims to formalise legal cooperation between Kenya and other jurisdictions. MLA agreements will allow Kenyan authorities to collaborate on investigations and prosecutions of companies that breach data protection laws. These efforts will be guided by Kenya’s Mutual Legal Assistance Act of 2011, which already facilitates international cooperation on various legal matters, including money laundering.
“Mutual Legal Assistance is critical for enhancing enforcement actions against firms that store Kenyan data abroad without safeguards,” Kassait said. This move underscores Kenya’s commitment to safeguarding its citizens’ data and ensuring compliance with the DPA’s mandates for data storage and processing transparency.
Recent incidents have spotlighted Kenya’s challenges with data privacy enforcement. Truecaller, a Swedish app, is facing litigation over allegations of unauthorised data transfers abroad. Similarly, Safaricom, Kenya’s leading telecommunications company, recently denied claims of sharing customer data with law enforcement without proper legal channels.
Adding to the debate, the ride-hailing company Bolt was recently ordered to pay a driver KSh 500,000 as compensation for a data breach. The court also instructed the firm to bolster its data protection measures. These cases reflect growing scrutiny over the actions of multinational corporations operating in Kenya.
Kenya’s push for MLA agreements is part of a broader global conversation on data sovereignty and privacy enforcement. Many countries are now advocating for tighter rules on cross-border data transfers amid increasing reliance on cloud services and artificial intelligence technologies. The agreements are expected to establish a framework for mutual accountability, allowing Kenyan authorities to enforce local privacy laws more effectively.
Critics of the current framework argue that while the DPA lays a solid foundation for data protection, it requires updates to address emerging threats posed by AI and other technologies. This includes provisions for regulating automated decision-making systems and algorithmic transparency, both of which have implications for data misuse and surveillance.
Kenya’s pursuit of MLA agreements sends a clear message to multinational firms: compliance with local data laws is non-negotiable. Companies operating in Kenya may now need to localise their data storage practices or risk penalties. The Office of the Data Protection Commissioner (ODPC) is expected to tighten enforcement efforts as more cases of data misuse come to light.
By prioritising data privacy and seeking international collaboration, Kenya is positioning itself as a leader in the fight for digital rights. These measures will likely have far-reaching implications, influencing corporate practices and setting benchmarks for other countries in the region.