Kenya ODPC Enforcement Ramp-Up: First POPIA-Style Fines Signal East African Data Rights Era
By Policy & Regulation Reporter, BETAR.africa
Published: Week of 24 March 2026
Category: Data Protection | Regulatory Analysis
Issue: BETA-473
In January 2026, Kenya’s Office of the Data Protection Commissioner issued 184 compensation orders in a single enforcement sweep — the largest single enforcement action the regulator has taken since the Data Protection Act came into force in 2019. For every tech company, fintech, digital lender, and international platform operating in Kenya, the message was clear: the era of low-risk data non-compliance is over.
“Privacy violations can no longer be treated as low-risk,” Data Commissioner Immaculate Kassait, SC, MBS, told attendees at the Annual Data Privacy Conference 2026. The statement marked a shift from the ODPC’s early years, when the regulator focused primarily on building institutional capacity, to an era of active enforcement.
From Complaints to Consequences
Since the Data Protection Act 2019 came into full effect, the ODPC has received 9,061 data protection complaints from Kenyans. Of those, it has issued 357 formal determinations, 134 enforcement notices, and 20 penalty notices — a record that places Kenya among the most enforcement-active data regulators on the continent.
The penalty notices have been pointed. In September 2023, the ODPC issued KES 7.975 million in fines across three organisations in a single round. Digital lender Mulla Pride was fined KES 2.975 million for using third-party personal data to send threatening messages and make harassing calls to borrowers — a practice the ODPC found had no lawful basis. Whitepath Company and Regus Kenya were fined a combined KES 5 million for unlawfully accessing subscriber data to send unsolicited marketing messages.
More recent cases show the enforcement net widening. Liquid Telecommunications Kenya was fined KES 700,000 after failing to erase a customer’s data for over a year despite a formal erasure request — a violation of the Act’s right to be forgotten provisions. Wananchi Group Kenya (Zuku Fibre) was fined KES 500,000 for continuing to send marketing messages to a former customer who had terminated services and repeatedly requested deletion. In that case, the ODPC went further: it recommended the criminal prosecution of Zuku’s directors under Section 61 of the Act, signalling that the regulator is prepared to escalate beyond administrative fines to personal liability.
By early 2026, the 184 compensation orders issued in January span county governments, banks, health platforms, and digital services — confirming the ODPC’s intention to hold organisations across every sector accountable.
Who Faces the Highest Scrutiny?
The pattern emerging from ODPC determinations points to three sectors facing the greatest regulatory exposure.
Digital lending and fintech sit at the top. The Mulla Pride case established a precedent on data sourcing: fintechs that purchase or otherwise obtain user data from third-party data brokers, then use it in collections or marketing, face a high risk of enforcement. Kenya’s fintech sector, which processes millions of loan applications monthly, must now demonstrate both the lawful basis for data collection and the consent architecture underlying data sharing with credit bureaus and third-party processors.
Telecoms are under scrutiny for two reasons. The Liquid Telecom and Zuku cases addressed data retention — specifically the failure to honour erasure requests. Separately, in March 2026, the Law Society of Kenya filed a constitutional petition alleging that multiple telecommunications providers disclosed subscriber data of protesters to government agencies without court orders, in violation of the Data Protection Act and constitutional privacy guarantees. Justice Lawrence Mugambi scheduled directions hearings for 9 April 2026. If upheld, the petition could result in landmark liability for the sector.
Healthcare is an emerging enforcement frontier. The 2026 determinations roster already includes Penda Health Limited, Shree Swaminarayan Hospital, and Megahealth Insurance Brokers — a cluster that suggests ODPC investigators are moving into medical data, where sensitivity is highest and institutional compliance processes have historically been weakest.
The Extraterritorial Question
For international companies, Kenya’s Data Protection Act carries a reach that many have underestimated. Section 4 of the Act applies it to any data controller or processor — regardless of where they are established — that processes the personal data of individuals located in Kenya.
The practical scope is broad. An e-commerce platform headquartered in Lagos that ships to Nairobi customers, a SaaS provider based in London whose Kenyan clients process staff data through its platform, or a pan-African edtech startup incorporated in Rwanda but serving Kenyan students — all fall within the Act’s jurisdiction.
International operators face two compliance obligations that have no equivalent in many home markets. First, ODPC registration: every data controller or processor handling Kenyan personal data must register with the Commissioner, regardless of physical presence. Second, data localisation: at least one serving copy of personal data relating to Kenyan data subjects must be stored on a server or data centre located in Kenya. Cross-border transfers of sensitive personal data are additionally restricted and require explicit consent or adequate safeguards — a GDPR-adjacent adequacy framework that is still being operationalised.
Kenya, South Africa, Rwanda: East Africa’s Diverging Data Regimes
Kenya’s enforcement surge sits within a broader East African data governance landscape that is maturing unevenly.
South Africa’s POPIA — the closest regional comparator — entered full enforcement in 2021 under the Information Regulator. South Africa’s maximum fine is ZAR 10 million (approximately KES 65 million), considerably higher than Kenya’s KES 5 million ceiling. The Information Regulator has issued enforcement notices against major corporates including financial institutions and the Department of Justice following a ransomware breach. POPIA’s data subject rights architecture is more comprehensive, including an explicit right to data portability absent from Kenya’s Act.
Rwanda’s Data Protection Law (2021) shares GDPR-inspired principles with the Kenya DPA but emphasises data localisation more strongly. Rwanda requires certain categories of sensitive personal data to be processed exclusively within the country — a stricter regime than Kenya’s “one serving copy” requirement. Rwanda’s National Cyber Security Authority is the designated enforcement body, but enforcement action at scale remains limited.
Kenya occupies the middle ground: a more developed enforcement track record than Rwanda, a lower penalty ceiling than South Africa, but an accelerating institutional capacity curve that is closing the gap quickly.
Compliance Action Items for Businesses
For any organisation operating in the Kenyan market, the ODPC’s 2026 enforcement posture requires five immediate actions:
- Register with the ODPC. Registration as a data controller or processor is mandatory before handling any personal data of Kenyan residents. Unregistered entities face administrative fines and potential criminal liability.
- Audit consent architecture. Every data collection point must have a clearly documented lawful basis. For marketing communications, explicit, withdrawable consent is required — Zuku and Mulla Pride were both undone by this failure.
- Implement data erasure workflows. The right to erasure is actively enforced. Build internal processes to honour deletion requests within a defined timeframe and maintain a compliance log. The Liquid Telecom case showed that a year-long delay attracts both fines and reputational damage.
- Review data sourcing and third-party agreements. If your business purchases, receives, or shares personal data with third parties — credit bureaus, data brokers, marketing partners — each data-sharing arrangement must be governed by a data processing agreement that specifies lawful bases and processing limitations.
- Establish Kenya data storage infrastructure. For businesses outside Kenya processing Kenyan data, the one-serving-copy localisation requirement must be addressed. Cloud providers with Kenyan Points of Presence (including AWS Nairobi, Google Cloud Nairobi, and Microsoft Azure South Africa paired deployments) can satisfy this requirement, but the obligation is the operator’s, not the cloud provider’s.
Outlook
The ODPC’s 2025–2029 strategic plan commits to expanding institutional capacity, deepening enforcement reach via eight regional offices, and strengthening Kenya’s cross-border data transfer framework. Commissioner Kassait has been explicit: the complaint-resolution target is 90 days, and the regulator will continue moving from guidance to enforcement.
For businesses that have treated Kenya’s data protection framework as a compliance checkbox, Q1 2026 is a calibration moment. The 184 compensation orders, the sector spread of 2026 determinations, and the telco petition collectively signal that Kenya’s data protection era has entered its enforcement phase — and those still operating on a pre-enforcement risk model are now behind.
Sources: ODPC determinations and press releases (odpc.go.ke); IAPP reporting on ODPC penalty notices; Clyde & Co data protection compliance brief (October 2023); Cliffe Dekker Hofmeyr analysis of DPA extraterritorial applicability; Dawan Africa / ODPC Annual Data Privacy Conference reporting (January 2026); Capital FM reporting on LSK constitutional petition (March 2026); DLA Piper Data Protection Laws of the World — Kenya.
Deadline: 21 March 2026
Publication target: Week of 24 March 2026