Articles

The Impact of Artificial Intelligence on Data Protection in Kenya

Kenya is witnessing a surge in Artificial Intelligence (AI) adoption across sectors like banking, healthcare, education, transportation, and government services. While AI offers immense potential for economic growth, it also poses significant challenges to data protection and privacy. This article explores the interplay between AI and data protection in Kenya, highlighting key challenges, opportunities, and the evolving legal landscape.

AI systems rely on vast amounts of personal data, ranging from basic identifiers like names and phone numbers to sensitive information such as biometric data, health records, and financial transactions. As AI becomes more integrated into everyday life, the risk of data misuse grows. For instance, in banking, AI analyzes spending habits to assess creditworthiness, while in healthcare, it processes patient data for personalized treatments. These processes, often opaque to users, raise significant privacy concerns.

Key Challenges of AI in Data Protection

1. Lack of Awareness and Transparency

Many Kenyans are unaware of how their data is collected, used, or shared by AI systems. Companies often fail to disclose data practices, particularly in AI-driven advertising, eroding trust and leaving consumers vulnerable to privacy violations.

2. Inadequate Legal and Regulatory Frameworks

The Data Protection Act of 2019 is a step toward safeguarding privacy, but its implementation and enforcement remain inconsistent. Smaller organizations often lack compliance, and the law struggles to address AI-specific risks like algorithmic biases or unethical surveillance practices.

3. Algorithmic Bias and Discrimination

AI systems can perpetuate biases if trained on flawed datasets. In Kenya, this could lead to unfair outcomes in credit scoring, hiring, or law enforcement, disproportionately affecting marginalized groups and exacerbating existing inequalities.

4. Security Threats and Cybercrime

AI-driven platforms, such as banking apps and healthcare systems, are prime targets for cybercriminals. A notable example is the January 2025 cyberattack on the Business Registration Services database, which exposed sensitive company data, highlighting the growing risk of breaches in AI-integrated systems.

5. Data Sovereignty and Cross-Border Data Flow

Many AI systems in Kenya are developed by international companies, raising concerns about data storage and processing in foreign jurisdictions. This challenges Kenya’s ability to enforce its data protection standards and protect citizens’ privacy.

Opportunities for Enhancing Data Protection with AI

Despite these challenges, AI offers promising solutions for improving data protection in Kenya:

  • Strengthening Security: AI algorithms can detect unusual data access patterns, enabling rapid responses to breaches. In banking, AI monitors transactions to prevent fraud, safeguarding financial data.

  • Privacy Enhancement: AI-driven encryption and automated compliance tools can protect sensitive data and ensure adherence to privacy regulations.

  • Improved Regulatory Compliance: AI can streamline consent tracking and audits, helping organizations meet legal requirements efficiently.

  • Public Awareness: AI-powered tools, like chatbots on platforms such as Ardhisasa, can educate users about their data rights, fostering informed decision-making.

The Future of AI and Data Protection in Kenya

Kenya currently lacks specific AI regulations, but efforts are underway to address this gap. The Kenya National Artificial Intelligence Strategy 2025–2030 aims to establish a governance framework that balances innovation with ethical AI use. It emphasizes robust data protection in data-intensive sectors like healthcare, agriculture, and public services.

Additional initiatives include the Draft Information Technology Artificial Intelligence Code of Practice (2024) by the Kenya Bureau of Standards, which guides responsible AI development, and the Robotics and Artificial Intelligence Society Bill of 2023, which proposes a risk-based regulatory approach. However, the Bill’s progress has been stalled due to limited stakeholder engagement.

Existing laws, such as the Constitution of Kenya, the Data Protection Act of 2019, and the Computer Misuse and Cybercrimes Act of 2018, provide a foundation for addressing AI-related issues. These frameworks aim to protect individual rights while fostering innovation.

Conclusion

As AI continues to transform Kenya’s digital landscape, it brings both opportunities and challenges for data protection. Strengthening legal frameworks, enhancing transparency, and leveraging AI for security and compliance are critical steps toward responsible AI adoption. By addressing these issues, Kenya can harness AI’s potential while safeguarding citizens’ privacy and rights.

Adapted from: Mohammed Muigai LLP