Kenya's Data Protection Crisis: Millions of Citizens' Personal Information Harvested Without Consent

Kenya has a Data Protection Act. What it doesn't have is enforcement, and millions of Kenyans are paying the price as their personal information is harvested, sold, and exploited without their knowledge or consent.

Every time a Kenyan enters an office building, apartment complex, or institution and writes their name, phone number, or ID in a visitor's book, that data doesn't simply disappear. In many cases, it is digitized, stored carelessly, and sold or shared with third parties. No one asks permission. No one explains what will happen to the information. The visitor simply signs and walks away, unaware they have just fed the data mining machine.

Online platforms present an even bigger problem. Job hiring websites collect CVs, phone numbers, emails, work history, and ID numbers from desperate job seekers. Many Kenyans believe this information is used only for recruitment. Instead, some platforms quietly monetize it by selling access to recruiters, advertisers, or data brokers, all buried in vague "terms and conditions" that no one reads and few would understand.

The result is endless spam calls, targeted scams, and systematic privacy violations. Random callers somehow know your name, your job status, your location. This is not magic. This is digital exploitation, and it is happening at scale.

Kenya's Data Protection Act, 2019, was supposed to prevent exactly this. Section 25 requires lawful, fair, and transparent processing of personal data. Section 26 requires explicit consent for data collection. Section 29 gives individuals the right to know how their data is used. Section 30 restricts unauthorized sharing of personal data.

Most data collection in Kenya fails every single one of these tests.

Yet enforcement remains weak to nonexistent. The Office of the Data Protection Commissioner has limited resources, limited visibility, and limited political will behind it. Meanwhile, institutions, platforms, and businesses continue harvesting Kenyan data as if it were a free resource ripe for extraction.

This is not a technical problem. This is a governance problem. Data has value. Right now, that value is being extracted from ordinary Kenyans unlawfully and carelessly, while the profits flow to platforms and intermediaries who face zero accountability.

Dr. Grace Mutung'u, a Kenyan digital rights researcher, has repeatedly warned that without enforcement, Kenya's data protection law is merely decorative. "We have the legislation," she told a tech conference in Nairobi last year. "What we don't have is the political commitment to protect citizens from data abuse."

The solution is not complicated. Enforce the law. Audit platforms and institutions. Fine those who violate consent requirements. Educate the public about their rights. Empower the Data Protection Commissioner to act.

Until that happens, millions of Kenyans will continue to be mined for data they never agreed to share, in a country that passed a law to protect them but refuses to use it.

54 countries, 2,000 languages, 1.4 billion people. In Kenya, their data is being stolen in plain sight.