Artificial Intelligence (AI) is no longer a distant concept in Kenya. From facial recognition software to large language models like ChatGPT, AI technologies are now shaping how businesses, governments and individuals operate. But as these technologies proliferate, they also threaten one of the most fundamental rights guaranteed under Article 31 of the Constitution of Kenya 2010 the right to privacy. AI thrives on vast amounts of personal data, raising questions about how Kenyans’ information is collected, stored and used. This tension between innovation and privacy has sparked urgent debates about whether Kenya’s legal framework is equipped to protect citizens from misuse of their personal data.
AI has evolved dramatically since its mid-20th century origins, when it was mainly a theoretical field. Today, it powers systems capable of learning, predicting and even mimicking human decision-making. At the same time, the right to privacy has expanded from shielding family life to protecting personal data. Yet the speed of technological advancement has outpaced privacy protections. This mismatch is evident worldwide. In the United Kingdom, the Court of Appeal in Ed Bridges v South Wales Police (2020) ruled that live facial recognition technology breached privacy and equality laws. In the United States, cases such as Janecyk v IBM and Mutnick v Clearview AI have revealed how companies scrape billions of online images to train AI models without users’ consent.
Kenya has not been spared. In 2021, Worldcoin, a cryptocurrency project backed by OpenAI, began scanning Kenyans’ irises in exchange for digital tokens. Many people handed over their biometric data without fully understanding the risks. By 2023, the Office of the Data Protection Commissioner had intervened, and the High Court of Kenya issued conservatory orders halting Worldcoin’s operations amid mounting privacy concerns. This case underscored how quickly AI-driven projects can outpace regulatory oversight and erode constitutional rights. It also illustrated how financial incentives can obscure the long-term consequences of giving away sensitive biometric data.
Kenya’s legal framework provides a foundation for privacy protection but contains notable gaps. Article 31 of the Constitution guarantees every person the right to privacy, while the Data Protection Act 2019 created the Office of the Data Protection Commissioner to enforce data rights and levy fines. The Computer Misuse and Cybercrimes Act 2018 also prohibits unauthorised access to and interception of data. In Kenya Human Rights Commission v Communications Authority of Kenya (2018), the High Court reaffirmed these protections by striking down a device management system that would have given regulators access to mobile subscriber data. Yet none of these laws explicitly defines or regulates Artificial Intelligence. The KSh5 million fine under the Data Protection Act is modest for large corporations, risking a culture where companies simply pay penalties as the cost of doing business. The Computer Misuse and Cybercrimes Act also does not address how AI systems themselves not just the humans behind them might infringe privacy rights.
Three major challenges stand out. First, Kenya’s laws lag behind the rapid pace of AI innovation, leaving individuals vulnerable to privacy breaches. Second, regulatory agencies lack the technical expertise and resources needed to scrutinise complex AI systems. Third, public awareness of AI and its privacy risks remains low. Many Kenyans do not fully understand how AI works, making informed consent difficult and weakening public demand for stronger privacy protections.
Experts argue that Kenya must take proactive steps to close these gaps. Amending the Data Protection Act to include AI-specific provisions on transparency, accountability and safeguards would strengthen the law without stifling innovation. Increased funding and training for the Office of the Data Protection Commissioner and other regulators would enable them to hire technical experts and keep pace with fast-moving technologies. Judges, lawyers and law enforcement officers also need training on AI’s technical and ethical implications to ensure informed decision-making in courtrooms and policy processes. Civic education is equally important: by raising public awareness of AI and data rights, Kenyans can make more informed choices and push for stronger privacy protections. Collaboration between government, civil society and the private sector will be critical in building a comprehensive national AI strategy that balances innovation with rights protection.
AI promises enormous benefits for Kenya, from improving healthcare delivery to boosting efficiency in public services. But without robust safeguards, it risks eroding one of our most fundamental rights: the right to privacy. Protecting privacy in the age of AI is not anti-innovation it is about ensuring that technological progress serves people, not the other way around. As Kenya positions itself as a leader in Africa’s digital transformation, lawmakers, regulators and citizens alike must act to ensure that the right to privacy remains a cornerstone of our digital future.