Revisiting the Data Protection Act, 2019: Focus on the Draft Amendment Bill

The High Court of Kenya recently delivered one of the most significant data privacy decisions – the Worldcoin case. The matter captured national attention and involved collecting sensitive biometric data through an Orb device, incentivised by financial rewards. When the issue first emerged in 2021, the Office of the Data Protection Commissioner (ODPC) was still in its infancy, with Commissioner Immaculate Kassait as its inaugural commissioner and the Data Protection Act, 2019, newly enacted. This case, therefore, became a landmark test of both the ODPC’s regulatory authority and the robustness of Kenya’s constitutional right to privacy under the 2010 Constitution.
The Court ruled in favour of the applicants, prohibiting Worldcoin from collecting, processing, or transferring biometric data gathered in Kenya using the Orb, due to the absence or inadequacy of a Data Protection Impact Assessment. The court further ordered the erasure and destruction of any biometric data already collected. In response to calls for stronger regulation of the commercial use of personal data, the Office of the Data Protection Commissioner (ODPC) announced it was reviewing the Data Protection Act, 2019, to address emerging challenges and technological advancements.
Even though the Worldcoin case has accelerated the review of the Data Protection Act, the legislation itself was born out of heightened public debate, legal challenges, and scrutiny surrounding the rollout of the National Integrated Identity Management System (NIIMS), commonly known as Huduma Namba, under former President Uhuru Kenyatta’s administration.
Proposed Amendments to the Data Protection Act, 2019
Against the backdrop of the Worldcoin judgement and the evolving digital landscape, the Kenya Data Protection Amendment Review Committee, a joint initiative between the Ministry of Information, Communications and the Digital Economy (MICDE) and the Office of the Data Protection Commissioner (ODPC), has initiated a comprehensive review of the Data Protection Act, 2019. This stakeholder-driven process has led to the development of the Draft Data Protection (Amendment) Bill, 2025, prepared by the Data Privacy and Governance Society of Kenya (DPGSK).
Institutional Independence
A key concern in the data privacy realm is the perceived proximity of the ODPC to the Ministry of Information, Communications and the Digital Economy (MICDE) and national security agencies. The draft bill proposes measures to strengthen the ODPC’s institutional independence by removing provisions that allow collaboration with these entities. It limits ministerial influence in appointing ODPC directorates, issuing regulations and exemptions, and formulating data governance guidelines, particularly those affecting commercial use of personal data.
This would enhance the ODPC’s actual and perceived independence, especially in cases where government agencies are themselves data controllers or processors. Such autonomy is critical to maintaining public trust and enabling timely, impartial responses to data protection breaches. The reforms align with international best practices, particularly Article 52 of the EU GDPR, which mandates operational independence for supervisory authorities.
Reform of the Appellate Mechanism
The draft bill proposes the creation of a Data Protection Appeals Tribunal, providing a more straightforward and efficient path for appealing ODPC decisions. Currently, only data subjects or their representatives can file complaints, and appeals must be pursued through the High Court. The proposed Tribunal would streamline this process, allowing appeals from ODPC administrative actions and penalties, with subsequent appeals progressing to the High Court and finally to the Court of Appeal on matters of law.
Broadening Access to Lodge Complaints
Under the current Act, only data subjects or their authorised representatives may lodge complaints. The proposed amendment would expand standing to include any person (natural or legal). While this broadens access and could enhance accountability, it risks misuse through frivolous or malicious complaints, potentially overwhelming the ODPC and harming reputations. Unlike the GDPR, which restricts complaints to data subjects or their mandated representatives (e.g. non-profits), the Kenyan proposal requires further scrutiny to balance openness with safeguards. Apparent limitations and liability clauses should be integrated into the revised Complaints Handling Regulations.
Expansion of Data Subject Rights
The amendment seeks to enshrine data portability and protection from automated decision-making as explicit data subject rights under Part VI of the Act. While currently referenced under Sections 35 and 38, they are not formally recognised as enforceable rights. Codifying them would improve clarity, strengthen enforcement, and align Kenya’s legal framework with GDPR provisions (Articles 20 and 22).
Expansion of Data Protection Principles
The bill proposes two significant additions: the Integrity and Confidentiality principle, which elevates data security to a core protection principle, and the Accountability principle, which mandates that data controllers and processors not only comply but demonstrate compliance through documentation, audits, and certifications (e.g., ISO standards). These reforms shift compliance from a reactive to a proactive stance, requiring organisations to always be audit-ready and embed a culture of accountability across data ecosystems.
The Draft Data Protection (Amendment) Bill, 2025, represents a critical step in fortifying Kenya’s data protection regime, enhancing institutional independence, reforming the appellate framework, expanding enforceable rights and principles, and aligning with international standards such as the GDPR. As the digital economy evolves, so too must the legal and regulatory frameworks that safeguard the rights and freedoms of individuals. However, for businesses cognizant of these changes, the Bill also signals an increased compliance burden that necessitates greater investment in data privacy capacity building and internal governance processes to ensure adherence to upcoming enhanced obligations.