Section 6 of the Official Secrets Act requires “any person who owns or controls any telecommunications apparatus used for the sending or receipt of any data to or from any place outside Kenya” to provide such data to the government. Such requests may be authorised by the president’s cabinet security rather than through the courts. Those who refuse risk a one-year prison term, a fine of 1 million shillings (USD 8,800), or both.

The Copyright Act establishes a safe harbour regime for intermediaries for copyright infringements. Section 35A of the Act outlines the limitations of liability for Internet Service Providers (ISPs) in cases of copyright infringement. ISPs may rely on these limitations under the following conditions:
- They do not initiate the transmission of the copyright;
- They do not select the addressee of the content;
- They perform their functions in an automatic, technical manner without selection of materials;
- They do not interfere with the lawful use of technology to obtain information on the use of the copyrighted material;
- They do not have actual knowledge that the content or activity related to the material is infringing the rights of a third party;
- They are not aware of the facts or circumstances of the alleged copyright infringing activity unless the infringing nature of the material is apparent and
- They remove or disable access to copyright-infringing content upon receipt of a valid takedown notice.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Kenya's law and jurisprudence. Except for the provisions in Section 35 of the Copyright Act, there are no explicit limitations on liability for activities such as "hosting, caching, linking, or acting as mere conduits." The Electronic Transactions Bill of 2007, which was eventually repealed, had proposed limitations on both criminal and civil liability for third parties involved in caching, information location, and conduit functions, drawing extensively from the EU Commerce Directive.

Regulation 5 of the Registration of SIM-Cards Regulations requires every telecom operator to register its users, including the provision of personal data such as names and national identity cards.

Section 13 of Act No. 12 creates the offence, and outlaws hate speech, and Section 62 makes an offence for any media enterprise to publish words intended to incite feelings of contempt, hatred, hostility, violence or discrimination against any person, group or community on the basis of ethnicity or race. A media enterprise can be fined up to one million shillings (USD 8,800) for publishing hate speech.
In addition, under the "Guidelines for the Prevention of Dissemination of Undesirable Bulk Political SMS and social media content via Electronic Communications Networks", intermediaries (bulk messaging and social media service providers) can be held liable for spreading falsehoods, hate speech and insults. Art. 13.6 of the Guidelines establishes that it shall be the responsibility of the Administrator of a social media platform to moderate and control undesirable content and discussions that have been brought to their attention on their platform. In this respect, Art. 13.7 provides that social media service providers shall be required to pull down accounts used in disseminating undesirable political content on their platform that have been brought to their attention within 24 hours.

It is reported that, for the second consecutive year, the authorities in Kenya restricted access to Telegram during national examinations in 2024.

Pursuant to Section 28 of the "Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024", proprietors of critical information infrastructure within Kenya are mandated to ensure that such infrastructure is physically situated within the national territory. Should an owner seek to store critical information outside the country, an application must be submitted to the National Computer and Cybercrimes Co-ordination Committee. The Committee is tasked with evaluating whether the application satisfies prescribed security standards and is required to render a decision within thirty days. In its deliberations, the Committee shall consider factors including, but not limited to, the adequacy of security measures, the necessity of the proposed arrangement, implications for national security, the public interest, data protection requirements, and representations made by the operator. In addition, the Committee is obliged to consult the National Security Council and other relevant agencies during the review process.
Under Section 2 of the "Computer Misuse and Cybercrimes Act, 2018", the term critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets, and services that are essential to the health, safety, security, or economic well-being of Kenyans, as well as to the effective functioning of Government.

Art. 48 of the Data Protection Act No. 24 of 2019 states that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of the personal data. Alternatively, data can be transferred if the transfer is necessary for: the performance of a contract, for any matter of public interest, for the establishment, exercise or defence of a legal claim, in order to protect the vital interests of the data subject or of other persons; or for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Art. 49 highlights safeguards prior to transfer of personal data out of Kenya, which include: (1) The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards; (2) The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests; (3) The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.

Kenya has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Data Protection Act provides a comprehensive regime of data protection in Kenya. The Act sets out, among other things, data subject rights, principles of data processing, and obligations related to data transfers, direct marketing, and breach notifications.

While The Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 does not specify any period of retention of data, Section 4.4 requires that the telecommunications companies provide quarterly records of all registered SIM Cards and a report of the maintenance of the records of SIM Cards registered as under the Regulations. This inadvertently means that there is a requirement for these record of SIM Card registration almost indefinitely and the Kenya Communications Authority expects regular updates.

Guide 7 of the 2019 Guidelines for Reporting on SIM-Card Registration by Telecommunications Operators outlines various measures that operators must follow in the SIM card registration process. Although the retention period is not explicitly specified, it is anticipated that the data collected for each mobile user should be retained for as long as the user holds the telecom's SIM card and continues to use their services.

Paragraph 7.2.4 of the National Information Communication and Technology Policy Guidelines of 2020 mandated that a company must have at least 30% substantive Kenyan ownership to be licensed by the Communication Authority to provide ICT services in Kenya. This requirement applied until August 2023 when, through Gazette Notice 11079 dated 22 August 2023, the Kenyan Cabinet Secretary for Information, Communications, and the Digital Economy formally announced the deletion of the paragraph. According to Section 2 of the Kenya Information and Communications Act, information and communication technologies encompass the technologies used in collecting, storing, using, or transmitting information, including those involving computers or any telecommunication system. This definition includes ICT, telecommunication, and audiovisual services. Previously, this ownership requirement was 20% for telecommunications licensees.

The Kenyan government has stakes in several telecom companies. It ows 35% of Safaricom Limited, 35% of Vodacom, 5% of Vodafone and 30% of Telekom Kenya.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.