Data Protection, AI and Emerging Technologies

HIGHLIGHTS
In 2025, the following trends and developments are likely to be witnessed:

• Increased vigilance by the Office of the Data Protection Commissioner. Data protection compliance should therefore not be just a buzz work but an imperative for all entities handling personal data
  
• Enhancements to the Data Protection Legal Framework through passage of the Compliance Audit Regulations and the Data Sharing Code
  
• More clarity and direction on Kenya’s stance on Artificial Intelligence following the adoption of the Draft National AI Strategy.
  
• Tighter regulation of Virtual Asset Service Providers with the enactment of the Virtual Asset Service Providers Bill, 2025 and the adoption of the draft Policy.

1. Increased Vigilance by the ODPC

In 2024, the Office of the Data Protection Commissioner (ODPC) marked five years of the Data Protection Act, (DPA) 2019. There was also increased vigilance by ODPC, resulting in several entities being fined.

Notably, according to a report published by KICTANet in 2024, the financial services sector has been identified as being notorious for DPA violations with 5,315 complaints issued and 106 determinations, 60 enforcement notices, and 9 penalty notices issued. For instance, in 2024, a local bank was fined for sending spam messages to a non-customer. The failure to obtain consent is also a leading complaint with respect to DPA violations.

Key Implications

In 2025, the ODPC is likely to continue to be more alert and remain tightfisted in ensuring entities are compliant with data protection laws and that complaints are heard and determined with appropriate reliefs. All entities should thus ensure they are acquiescent, alert, compliant, and adaptable to the data protection laws and regulations to avoid sanctions and maintain their good standing reputation.

2. The Draft Data Protection (Conduct of Compliance Audit) Regulations, 2024
In December 2024, the ODPC published new regulations that aim to provide for Data Protection Compliance Audits of Data Controllers and Data Processors. The Regulations provide for the following:

(a) The framework for the conduct of data protection audits (periodic or special audits)
(b) The Procedure to establish a framework for the accreditation of data protection auditors by the Office

(c) Guidance to the ODPC in its role of overseeing and monitoring data protection audit activities conducted by accredited firms Notably, the ODPC may conduct a data protection audit on its
own, outsource the conduct of the audit from an accredited auditor or affirm a data protection audit report submitted to the Office by an accredited auditor.

Key Implications

• The Draft Data Protection (Conduct of Compliance Audit) Regulations, 2024 are a notable effort to bolster Kenya’s data protection framework.
• When passed into law, the Regulations will enhance the ODPC’s ability to conduct compliance audits as it will be possible to outsource the same to accredited auditors. Since the establishment of the ODPC in 2019, the office has conducted only 58 audits and inspections. Increased capacity to conduct inspections will thus promote further compliance and protect data subject rights while upholding quality and consistency of data protection audits.

3. The Draft Data Sharing Code 2024

The draft Data Sharing Code published in December 2024 outlines the requirements that data controllers and processors are to observe prior to carrying out the sharing of personal data, as well as the measures to put in place in sharing the personal data to ensure data protection of the data subject.

The data sharing code highlights key data sharing principles such as lawfulness, fairness, transparency, data minimization, data accuracy, accountability, integrity and confidentiality.

It also provides for cross-border sharing of personal data requiring data controllers and data processors to conduct cross-border transfers in a lawful, fair and transparent manner, bvensuring that the rights of data subjects are respected.

Key Implications

• The Data Sharing Code once passed will implement section 55 of the Data Protection Act, 2019 which provides for the issuance of a Data sharing code by the Data Commissioner, containing practical guidance in relation to the sharing of personal data
• Furthermore, with the increasing volume and complexity of data, coupled with the growing sophistication of data collection and processing techniques, which have raised privacy concerns, a Data Sharing Code is pertinent in providing a clear framework for responsible and ethical data sharing practices.

4. Draft Kenya National Artificial Intelligence (AI) Strategy 2025 – 2030

On 14th January 2025, the Ministry of Information, Communications and the Digital Economy published the draft national AI Strategy. The Strategy aims to make the country a leader in AI innovation & Research in Africa, driving sustainable development growth, economic growth, and social inclusion. It focuses on using AI to address local needs in areas like agriculture, security, healthcare, education, and public service delivery while ensuring fairness and adhering to ethical principles.

The strategy is anchored on three key pillars and supported by four enablers:

1. AI Digital Infrastructure, which underscores the need for accessible and affordable AI infrastructure and a modernized national digital infrastructure for AI access and development.
   
2. Data, which seeks the establishment of a robust sustainable data ecosystem for AI and innovation.
   
3. AI Research and Innovation, it emphasizes the drive to develop cutting-edge localized AI models and solutions through thriving local Research & Development, innovation and commercialization.
   

Also notably, the strategy aims to address key concerns regarding the deployment of AI technologies in the country including labour disruptions, digital divide, data sovereignty and privacy and regulatory unpreparedness.

Key Implications

• The strategy is a call to action for stakeholders to collaborate in realizing this vision and cementing Kenya’s position as a stalwart participant in AI development through innovation, commercialization, research and facilitation of AI adoption.
  
• The AI Strategy when adopted will also provide a framework for Kenya to realise the promise the promise that AI holds in spurring economic growth. It will also provide a clear path to address concerns that arise from the deployment of AI.

5. Draft National Policy on Virtual Assets and Virtual Asset Service Providers

Blockchain technology, one of the significant emerging technologies of our time, continues to transform how financial technologies are conducted. This has led to the emergence of Virtual assets (VAs), such as crypto currency and digital tokens. In response to this development, the National Treasury recently developed a Draft National Policy on Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) that outlines Kenya’s plan to regulate digital assets.

Key proposals include developing a legal framework, promoting financial literacy, ensuring consumer protection, and fostering innovation.

Implementation will be led by the National Treasury, with regular monitoring and reviews to adapt to emerging trends and maintain market stability.

Key Implications

• The Draft Policy on Virtual Assets and Virtual Asset Service Providers is a significant milestone in safeguarding Kenya’s financial sector from potential risks such as fraud, money laundering, and terrorism financing associated with trade in virtual assets.
• Furthermore, the policy will close the gaps in the absence of a legal and regulatory framework for VAs and VASPs in the country and promote consumer protection, governance, data privacy, and cybersecurity.

6. The Virtual Asset Service Providers Bill, 2025.
This Bill seeks to provide a legislative framework to regulate virtual asset service providers in Kenya and address risks associated with the misuse of virtual asset products and virtual asset service provider services (VASP).

The Bill seeks to regulate locally incorporated VASPs or foreign VASPs issued with a certificate of compliance. They include Virtual Asset Wallet Providers, Payment Processors, Brokers, investment advisors, Asset Managers, Escrow Service Providers among others.

The objectives of the proposed Act are to:

(a) Provide for the establishment of VASPs and issuers of initial virtual asset offerings in Kenya

(b) Licensing of virtual assets service providers in Kenya

(c) Approval of issuance of initial virtual asset offering

Key Implications
– If enacted into law in 2025, the Virtual Asset Service Providers Bill, will close a regulatory loophole in the regulation of VASPs in Kenya.

– For VASPs, this will mean increased compliance as they will be required to obtain a license to operate in Kenya and offer their services. Additionally, the entities will be subjected to audits to ensure compliance as well as prevention of money laundering and fraud.

Disclaimer:

The information provided in this article is intended for informational purposes only and should not be construed as legal advice. Don’t hesitate to get in touch with us at info@koassociates.co.ke for any queries or legal advice.