Guide 7 of the Guidelines for Reporting on SIM-Card Registration by Telecommunications Operators of 2019 several things measures that the telecommunications operators are expected to do in the registration of SIM Cards and while again the time for retention is not specifically stipulated, the data collected on each mobile user is expected to be held for as long as the user is holding the telecom's SIM card and using their services.

Section 26(1) of the National Payment Act provides that the Central Bank, the Central Bank settlement system participants, payment clearing house system operators and system operators, shall retain all records obtained by them during the course of the operations and administration of a payment system or the issuance of a payment instrument, for a period of seven years from the date of each particular record.

Kenya has not joined any free trade agreement committing to open transfers of cross-border data flows.

While The Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 does not specify any period of retention of data, Section 4 (4) require that the telecommunications companies provide quarterly records of all registered SIM Cards and a report of the maintenance of the records of SIM Cards registered as under the Regulations. This inadvertently means that there is a requirement for these record of SIM Card registration almost indefinitely and regular updates are expected by the Kenya Communications Authority.

Art. 48 of the Data Protection Act No. 24 of 2019 states that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data. Alternatively, data can be transferred if the transfer is necessary for: the performance of a contract; for any matter of public interest; for the establishment, exercise or defence of a legal claim; in order to protect the vital interests of the data subject or of other persons; or for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Art. 49 highlights safeguards prior to transfer of personal data out of Kenya, which include: (1) The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards; (2) The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests; (3) The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.

The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.

Art. 50 of the Data Protection Act No. 24 of 2019 states that "the Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that shall only be effected through a server or a data centre located in Kenya."

According to The National Communication and Information Technology Policy Guidelines 2020 (paragraph 6.2.4), as last amended in April 2021, it is required for telecommunication companies to have at least 30% Kenyan ownership for the Communications Authority to grant it a license. This requirement should be met within three years of being licensed, although it is possible to seek an exemption or extension.

The Kenyan government has stakes in several telecom companies. It ows 35% of Safaricom Limited, 35% of Vodacom, 5% of Vodafone and 30% of Telekom Kenya.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Kenya does not have a comprehensive framework in place that provides effective protection of trade secrets, but there are limited measures addressing some issues related to them. The protection of trade secrets is mostly by way of common law and equity (and there are a few judicial decisions on this topic). Trade secret protection can be inferred from common law protection of confidentiality. However, regarding whether trade secrets are kept confidential during court proceedings, there is currently no clear judicial precedent on the handling of evidence containing a trade secret while still maintaining its confidentiality. A review of the available case law shows that such matters are determined on a case-by-case basis, and one must demonstrate that the trade secret is indeed useful and applicable in the relevant trade or industry; is not public knowledge or public property; is of economic value to the business seeking to protect it and that the disclosure of such information would be prejudicial to the business.
Moreover, protection is granted locally by virtue of the Constitution (Arts. 2(5) and 2(6)). Some form of protection of trade secrets can also be found in various pieces of legislation, such as those relating to employment and contracts.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Kenya has signed the World Intellectual Property Organization (WIPO) Copyright Treaty in December 1996, but has not ratified it.

Kenya has signed the World Intellectual Property Organization (WIPO) Copyright Treaty in December 1996, but has not ratified it.

It is reported that enforcement of IPR continues to pose a challenge to rights holders. It is estimated that piracy and counterfeiting of business software, records, music, and electronics such as mobile phones, costs firms over USD 300 million in lost sales annually. However, several case laws in Kenya highlight the commitments in protection of the IP rights of authors and content creators. The ruling of 2013 in the case "Nonny Gathoni Njenga & anor v. Catherine Masitsa & 2 ors" (Civil Case No. 490 of 2013) is one of several cases where court decisions have affirmed rights of copyright holders against abuse or continued infringement. In addition, it is reported that the rate of unlicensed software installation in the country was 74% in 2017 (above the 56% rate of the Middle Eastern and African countries), for an estimated commercial value of USD 99 million.