Database

KENYA

N/A

Pillar Intermediary liability  |  Sub-pillar Safe harbor for intermediaries for any activity other than copyright infringement
Lack of intermediary liability framework in place beyond copyright infringements
A basic legal framework on intermediary liability beyond copyright infringement is absent in Kenya's law and jurisprudence. Save for the provisions in Section 35 of the Copyright Act, there is no clear limitation of liability for “hosting, caching, linking, or mere conduits” in Kenya. The now-defunct Electronic Transactions Bill of 2007, borrowing extensively from the EU Commerce Directive, would have provided limitations on criminal and civil liability for third parties where they acted as mere conduits, in caching processes, and when used as information location tools.
Coverage Internet intermediaries

KENYA

Since August 2005

Pillar Intermediary liability  |  Sub-pillar User identity requirement
Registration of SIM-Cards Regulations, 2015
Regulation 5 of the Registration of SIM-Cards Regulations requires every telecom operator to register its users, including the provision of personal data such as names and national identity cards.
Coverage Telecommunications sector

KENYA

Since December 2001, entry into force in February 2003, last amended in October 2019

Pillar Intermediary liability  |  Sub-pillar Safe harbor for intermediaries for copyright infringement
Copyright Act, 2001 (Act No. 12 of 2001, as amended up to Act No. 20 of 2019)
Kenya has a safe harbour regime in place for intermediaries for copyright infringements. The Copyright Act (Section 35A) has provisions on the limitation of liability of Internet Service Providers (ISPs) in copyright infringement. The limitations may be relied upon by ISPs where:
- They do not initiate the transmission of the copyright;
- They do not select the addressee of the content;
- They perform their functions in an automatic, technical manner without selection of materials;
- They do not interfere with the lawful use of technology to obtain information on the use of the copyright material;
- They do not have actual knowledge that the content or activity related to the material is infringing the rights of a third party;
- They are not aware of the facts or circumstances of the alleged copyright infringing activity unless the infringing nature of the material is apparent; and
- They remove or disable access to copyright-infringing content upon receipt of a valid takedown notice.
Coverage Internet intermediaries

KENYA

Since November 2012

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
National Intelligence Service Act 2012
Pursuant to Section 42 (1) and (2) of the National Intelligence Service Act 2012, the Director General of Intelligence may obtain warrants from the High Court of Kenya to obtain any information or monitor communication in order to preserve national security.
Although the law requires a warrant, an investigation by Privacy International in March 2017 revealed that the National Intelligence Agency (NIS) has direct access to Kenya’s telecommunications networks, which allows for the interception of both communications data and content. Direct access describes situations where state agencies have a direct connection to telecommunications networks which allows them to obtain digital communications content and data (mobile and/or internet) without prior notice or judicial authorisation and without the involvement of the telecommunications provider or internet service provider that owns or runs the network.
Coverage Horizontal

KENYA

Since February 1968, as amended in December 2020

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Official Secrets Act
Section 6 of the Official Secrets Act requires “any person who owns or controls any telecommunications apparatus used for the sending or receipt of any data to or from any place outside Kenya” to provide such data to the government. Such requests may be authorized by the president’s cabinet security, rather than through the courts. Those who refuse risk a one-year prison term, a fine of 1 million shillings (USD 8,800), or both.
Coverage Horizontal

KENYA

Since November 2019

Pillar Domestic Data policies  |  Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Data Protection Act No. 24 of 2019
Section 31 of the Data Protection Act No. 24 of 2019 requires the performance of a data protection impact assessment in cases where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes.
Coverage Horizontal

KENYA

Since February 2003

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Anti-Corruption and Economic Crimes Act No. 3 of 2003
Section 27(3) of Act No. 3 empowers the Anti-Corruption Commission to issue a notice requiring any person to provide, within a reasonable time specified in the notice, any information or documents in the person’s possession that relate to a person suspected of corruption or economic crime. This notice does not require a court order or court warrant and may be issued when the Anti-Corruption Commission is investigating economic crimes.
Coverage Horizontal

KENYA

Since November 2011

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
National Payment System Act No. 39 of 2011
Section 26(1) of the National Payment Act provides that the Central Bank, the Central Bank settlement system participants, payment clearing house system operators and system operators shall retain all records obtained by them during the course of the operations and administration of a payment system or the issuance of a payment instrument, for a period of seven years from the date of each particular record.
Coverage Financial sector

KENYA

Since August 2015

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
The Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015
While the Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 do not specify any period of retention of data, Section 4 (4) requires that the telecommunications companies provide quarterly records of all registered SIM Cards and a report of the maintenance of the records of SIM Cards registered under the Regulations. This inadvertently means that there is a requirement to keep these records of SIM Card registration almost indefinitely, and regular updates are expected by the Kenya Communications Authority.
Coverage Telecommunications sector

KENYA

Since 2019

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Guidelines for Reporting on SIM-Card Registration by Telecommunications Operators of 2019
Guide 7 of the Guidelines for Reporting on SIM-Card Registration by Telecommunications Operators of 2019 sets out several measures that the telecommunications operators are expected to take in the registration of SIM Cards. While the time for retention is again not specifically stipulated, the data collected on each mobile user is expected to be held for as long as the user is holding the telecom's SIM card and using their services.
Coverage Telecommunications sector

KENYA

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Kenya has not joined any free trade agreement committing to open transfers of cross-border data flows.
Coverage Horizontal

KENYA

Since 2019, entry into force in 2020

Pillar Domestic Data policies  |  Sub-pillar Framework for data protection
Data Protection Act No. 24 of 2019
Section 3 of the Data Protection Act No. 24 of 2019 sets out the objectives of the law to include regulating the processing of personal data, protecting the privacy of individuals, establishing mechanisms of personal data protection and providing data subjects with rights and remedies to protect their personal data.
Coverage Horizontal

KENYA

Since November 2019

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Data Protection Act No. 24 of 2019
Art. 48 of the Data Protection Act No. 24 of 2019 states that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data. Alternatively, data can be transferred if the transfer is necessary for: the performance of a contract; for any matter of public interest; for the establishment, exercise or defence of a legal claim; in order to protect the vital interests of the data subject or of other persons; or for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Art. 49 highlights safeguards prior to transfer of personal data out of Kenya, which include: (1) The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards; (2) The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests; (3) The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.
Coverage Horizontal

KENYA

Since November 2019

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Data Protection Act No. 24 of 2019
Art. 50 of the Data Protection Act No. 24 of 2019 states that "the Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that shall only be effected through a server or a data centre located in Kenya."
Coverage Horizontal

KENYA

Since August 2020, last amended in April 2021

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
National Information, Communications and Technology (ICT) Policy Guidelines of 2020
The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.
Coverage Public sector