Section 27(3) of Act No. 3 empowers the Anti-Corruption Commission to issue a notice requiring any person to provide, within a reasonable time specified in the notice, any information or documents in the person’s possession that relate to a person suspected of corruption or economic crime. This notice does not require a court order or court warrant and may be issued when the Anti Corruption Commission is investigating economic crimes.

Section 26(1) of the National Payment Act provides that the Central Bank, the Central Bank settlement system participants, payment clearing house system operators and system operators, shall retain all records obtained by them during the course of the operations and administration of a payment system or the issuance of a payment instrument, for a period of seven years from the date of each particular record.

While The Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 does not specify any period of retention of data, Section 4 (4) require that the telecommunications companies provide quarterly records of all registered SIM Cards and a report of the maintenance of the records of SIM Cards registered as under the Regulations. This inadvertently means that there is a requirement for these record of SIM Card registration almost indefinitely and regular updates are expected by the Kenya Communications Authority.

Guide 7 of the Guidelines for Reporting on SIM-Card Registration by Telecommunications Operators of 2019 several things measures that the telecommunications operators are expected to do in the registration of SIM Cards and while again the time for retention is not specifically stipulated, the data collected on each mobile user is expected to be held for as long as the user is holding the telecom's SIM card and using their services.

Kenya has not joined any free trade agreement committing to open transfers of cross-border data flows.

Section 3 of the Data Protection Act No. 24 of 2019 sets out the objectives of the law to include regulating the processing of personal data, protection of the privacy of individuals, establishing mechanisms of personal data protection and providing data subjects with rights and remedies to proceed their personal data.

Art. 48 of the Data Protection Act No. 24 of 2019 states that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data. Alternatively, data can be transferred if the transfer is necessary for: the performance of a contract; for any matter of public interest; for the establishment, exercise or defence of a legal claim; in order to protect the vital interests of the data subject or of other persons; or for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Art. 49 highlights safeguards prior to transfer of personal data out of Kenya, which include: (1) The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards; (2) The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests; (3) The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.

Art. 50 of the Data Protection Act No. 24 of 2019 states that "the Cabinet Secretary may prescribe, based on grounds of strategic interests of the state or protection of revenue, certain nature of processing that shall only be effected through a server or a data centre located in Kenya."

The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.

It is reported that the Communication Authority of Kenya, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Kenya has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

According to The National Communication and Information Technology Policy Guidelines 2020 (paragraph 6.2.4), as last amended in April 2021, it is required for telecommunication companies to have at least 30% Kenyan ownership for the Communications Authority to grant it a license. This requirement should be met within three years of being licensed, although it is possible to seek an exemption or extension.

The Kenyan government has stakes in several telecom companies. It ows 35% of Safaricom Limited, 35% of Vodacom, 5% of Vodafone and 30% of Telekom Kenya.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.