It is reported that, for the second consecutive year, the authorities in Kenya restricted access to Telegram during national examinations in 2024.

The Communications Authority of Kenya (CA) is mandated to license all telecommunications systems and services in the country, including content service providers. The Content Service Provider licence allows a licensee to provide content-related services to end users who are customers of the application service providers. Content service providers use the infrastructure of network facilities providers and the application service providers' systems to reach their customers. The services offered by content service providers are of information, entertainment, education, health, social, etc. nature, which can either be text, voice, or video clips delivered to a customer’s mobile device on request or as subscribed to by the customer.
CA is guided by the provisions of the relevant statutes, including the Kenya Information and Communications Act, 1998 (Section 25) and the Kenya Communications Regulations 2001 (Part V). The CA has a Unified Licensing Framework (ULF) in place, which is technology- and service-neutral. The ULF market is structured into three main licenses: Network Facilities Provider, Application Service Provider, and Content Service Provider.

Section 26.1 of the National Payment Act provides that the Central Bank, the Central Bank settlement system participants, payment clearing house system operators and system operators shall retain all records obtained by them during the course of the operations and administration of a payment system or the issuance of a payment instrument, for a period of seven years from the date of each particular record.

Section 31 of the Data Protection Act No. 24 of 2019 requires the performance of protection impact assessment in cases where a processing operation is likely to result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes.

Section 27.3 of Act No. 3 empowers the Anti-Corruption Commission to issue a notice requiring any person to provide, within a reasonable time specified in the notice, any information or documents in the person’s possession that relate to a person suspected of corruption or economic crime. This notice does not require a court order or court warrant and may be issued when the Anti-Corruption Commission is investigating financial crimes.

Paragraph 7.2.4 of the National Information Communication and Technology Policy Guidelines of 2020 mandated that a company must have at least 30% substantive Kenyan ownership to be licensed by the Communication Authority to provide ICT services in Kenya. This requirement applied until August 2023 when, through Gazette Notice 11079 dated 22 August 2023, the Kenyan Cabinet Secretary for Information, Communications, and the Digital Economy formally announced the deletion of the paragraph. According to Section 2 of the Kenya Information and Communications Act, information and communication technologies encompass the technologies used in collecting, storing, using, or transmitting information, including those involving computers or any telecommunication system. This definition includes ICT, telecommunication, and audiovisual services. Previously, this ownership requirement was 20% for telecommunications licensees.

The Kenyan government has stakes in several telecom companies. It ows 35% of Safaricom Limited, 35% of Vodacom, 5% of Vodafone and 30% of Telekom Kenya.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Kenya has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Communication Authority of Kenya, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.

Section 50 of the Data Protection Act provides that the Cabinet Secretary may prescribe, based on the grounds of strategic interests of the state or protection of revenue, processing of a certain nature that should only be conducted through a server or data centre located in Kenya. Regulation 26.1 of the Data Protection (General) Regulations further clarifies that, pursuant to Section 50 of the Act, a data controller or data processor who processes personal data for the purposes of strategic interests of the state outlined in Regulation 26.2 should process such personal data through a server and data centre located in Kenya; or store at least one serving copy of the concerned personal data in a data centre located in Kenya (whereby no definitions have been provided for the term 'serving copy'). The strategic purposes contemplated in Regulation 26.1 include the processing of personal data for:
- administering the civil registration and legal identity management systems;
- facilitating the conduct of elections for the representation of the people under the constitution;
- overseeing any system for administering public finances by any state organ;
- providing primary or secondary healthcare for a data subject in the country;
- offering any form of early childhood education and basic education under the Basic Education Act No. 14 of 2013; and
- running any system designated as a protected computer system in terms of Section 20 of the Computer Misuse and Cybercrimes Act.
Under the Computer Misuse and Cybercrimes Act, a protected system is defined as a computer system used directly in connection with or necessary for:
- the security, defence, or international relations of Kenya;
- the existence or identification of a confidential source of information relating to the enforcement of a criminal law;
- the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities, or public transportation, including government services delivered electronically;
- the protection of public safety, including systems related to essential emergency services, such as police, civil defence, and medical services;
- the provision of national registration systems; or
- such other systems as may be designated relating to the security, defence, or international relations of Kenya, critical information, communications, business, or transport infrastructure, and protection of public safety and public services as may be designated by the Cabinet Secretary responsible for matters relating to information, communication, and technology.

Pursuant to Section 28 of the "Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024", proprietors of critical information infrastructure within Kenya are mandated to ensure that such infrastructure is physically situated within the national territory. Should an owner seek to store critical information outside the country, an application must be submitted to the National Computer and Cybercrimes Co-ordination Committee. The Committee is tasked with evaluating whether the application satisfies prescribed security standards and is required to render a decision within thirty days. In its deliberations, the Committee shall consider factors including, but not limited to, the adequacy of security measures, the necessity of the proposed arrangement, implications for national security, the public interest, data protection requirements, and representations made by the operator. In addition, the Committee is obliged to consult the National Security Council and other relevant agencies during the review process.
Under Section 2 of the "Computer Misuse and Cybercrimes Act, 2018", the term critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets, and services that are essential to the health, safety, security, or economic well-being of Kenyans, as well as to the effective functioning of Government.

Art. 48 of the Data Protection Act No. 24 of 2019 states that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of the personal data. Alternatively, data can be transferred if the transfer is necessary for: the performance of a contract, for any matter of public interest, for the establishment, exercise or defence of a legal claim, in order to protect the vital interests of the data subject or of other persons; or for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Art. 49 highlights safeguards prior to transfer of personal data out of Kenya, which include: (1) The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards; (2) The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests; (3) The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.

Kenya has not joined any free trade agreement committing to open transfers of cross-border data flows.