Skip links

Training

2025 TRAINING CALENDAR
WEBINAR CALENDAR 2025
Facebook Twitter Youtube Linkedin

Customer Support +254 115867309

South-End Tech
Published in: Compliance

Consent in the Shadows: Kenya Information & Communication (Amendment Bill), 2025

Author
Published on:

Blog by
Ian Makambu
Legal and Data Protection Associate, South-End Tech Limited
Date: 27th May, 2025

In 2025, Kenya faces a critical digital crossroads. The Kenya Information & Communication (Amendment) Bill, introduced as National Assembly Bill No. 9 of 2025 and published via Gazette Supplement No. 36, raises serious constitutional red flags.
While the Constitution of Kenya enshrines a robust Bill of Rights that upholds privacy, dignity, and transparency, this proposed legislation threatens to erode these freedoms under the pretext of consumer protection and digital innovation.
Introduced by Hon. Marianne Kitany MP, the Bill indicates a concerning shift towards expansive state surveillance guised as the government’s concern for consumer interests. Mechanisms that could infringe and undermine consumer rights as envisaged under Article 46 of the Constitution of Kenya are significantly present within the Bill. By examining the intent, investigating the surveillance risks, and contrasting it with a privacy-conscious approach in the UK’s Data (Use and Access) Bill, I critique the violation of constitutional safeguards by the KICA Amendment Bill 2025.

Overview of the Amendment
The object of the Bill within the Memorandum of Objects and Reasons section is to mitigate exploitation and secure interests of internet users.
To achieve this, the bill proposes that internet service providers develop;
   1. A metered billing system where customer usage may be monitored, usage data generated into readable details and develop invoices based on these consumptions.;
   2. An “advanced electronic signature.” designed to uniquely identify with individuals, bind data to individuals, and generate metadata with possibly revealing personal identifiers and sensitive personal data.
What the Bill frames as an administrative convenience for consumer interests is, in fact, an unnecessary and disproportionate demand for personal data and economic coercion.

Violation of Constitutional Safeguards
When combined with location data, almost always shared by every user and easily accessible to ISPs, creation of metadata on data shared over the internet risks infringing on private communications contrary to Article 31 (d). This type of data attached to personal communications is also an unnecessary request of sensitive data that could lead to profiling of individuals.
Furthermore, this system pits consumers’ right to informed consent and voluntary user control over personal data contravening the fundamental right to be protected from unfair, deceptive, and harmful practices as per Article 46 of the Constitution of Kenya (2010).
Other possible surveillance concerns include the safety concern raised by the projected collection of new datasets by ISPs in formats that can easily be accessed at the request of the government. While there is legitimate public interest in criminal investigations, past actions including trumping up of charges and malicious prosecutions emphasizes the need to limit such administrative excesses.
The Bill further, fails to prescribe necessary safeguards for responsible and secure safeguards in the collection, processing, and storage of personal data as Section 25 of the Data Protection Act 2019 mandates. This entrenches the departure from a rights-based approach to an administrative expediency model whose intentions could easily expand consumer protection to outright surveillance.

How to Balance Innovation and Privacy
To address these surveillance concerns in the proposed legislation, a comparative analysis with how other jurisdictions are balancing privacy and user control amidst growing innovation is useful.
The UK provides the perfect benchmark of what a digital identity should entail in consideration of privacy. To maintain consumer interests, the UK bill centers voluntary consent and user-controlled data sharing approaches within digital identity systems.
The UK Bill proposes digital identities, fundamentally different from Kenya’s approach in the following ways;
     1. This identity is completely voluntary and every user may control who receives their data.
     2. The identities offer an alternative and voluntary digital identity in place of physical documentation.
     3. The bill prohibits profiling or the creation of large data sets capable of revealing sensitive personal information about an individual.
     4. Unlike the Kenyan proposal, the UK framework is trust based and oversighted by an authority under which all providers will be certified.

Transparency and Informed Consent
The two bills’ contrasts intent by lawmakers in promoting respect for data protection. Whereas privacy is emphasized in the UK Bill, the Kenyan Bill outrightly violates the principles of data minimization, necessity, and proportionality. The Kenyan Bill should adopt a user-centric approach to the electronic signature. As evidenced in other jurisdictions, such a unique digital identifier should be voluntary and allow users control over who can receive this data.

Why This Should Alarm Kenyans
The Bill contravenes multiple constitutional rights, particularly:
    a. Article 31(d) – Protection of the privacy of communications. The creation of metadata tied to personal identifiers opens the door to profiling and targeted surveillance.
    b. Article 46 – Protection from unfair practices. The Bill forces users into a data ecosystem where consent is not genuinely voluntary.
There’s more:
    a. Data Protection Act, 2019 violations: The Bill fails to comply with Section 25, which mandates lawful, limited, and transparent data processing.
    b. Government access loopholes: The Bill allows for potential backdoor access by authorities to large datasets held by ISPs—without clear judicial or oversight frameworks.
With Kenya’s history of politically-motivated investigations and misuse of data, this legislation could pave the way for mass surveillance disguised as reform.

What Can Kenya Learn from the UK?
The UK’s Data (Use and Access) Bill offers a privacy-conscious alternative. It embraces:
     1. Voluntary participation: Digital identities are optional, empowering users to decide when and how their data is shared.
     2. Strict prohibitions on profiling: No large datasets may be created that can reveal intimate personal details.
     3. Independent oversight: Certified identity providers operate under the authority of a regulatory body—ensuring transparency and accountability.
This rights-based model places user control and trust at the center of innovation.

What Should Be Done?
Kenya must not trade freedom for convenience. Any digital identity system or billing technology must:
     1. Be voluntary and user-controlled
     2. Embed data minimization and privacy by design
     3. Mandate strict oversight and judicial safeguards
     4. Ensure full transparency around data collection, access, and use

Lawmakers must urgently reconsider the KICA Amendment Bill, 2025 and realign it with Kenya’s constitutional values and data protection laws.
Final Word: Stay Vigilant, Stay Informed. This is not just a legal issue it’s about our digital freedom. The time to act is now.

 

📞 For inquiries, training, and tailored Data Protection & Cybersecurity Solutions, contact us at:
📧 jombiro@southendtech.co.ke | dataprotection@southendtech.co.ke | info@southendtech.co.ke
📱 +254 115 867 309 | +254 721 864 169 | +254 710 673 839

 

You may also like

This website uses cookies to improve your web experience. Privacy Policy