The Data Protection Act provides a comprehensive regime of data protection in Kenya. The Act sets out, among other things, data subject rights, principles of data processing, and obligations related to data transfers, direct marketing, and breach notifications.

While The Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 does not specify any period of retention of data, Section 4.4 requires that the telecommunications companies provide quarterly records of all registered SIM Cards and a report of the maintenance of the records of SIM Cards registered as under the Regulations. This inadvertently means that there is a requirement for these record of SIM Card registration almost indefinitely and the Kenya Communications Authority expects regular updates.

Guide 7 of the 2019 Guidelines for Reporting on SIM-Card Registration by Telecommunications Operators outlines various measures that operators must follow in the SIM card registration process. Although the retention period is not explicitly specified, it is anticipated that the data collected for each mobile user should be retained for as long as the user holds the telecom's SIM card and continues to use their services.

Section 26.1 of the National Payment Act provides that the Central Bank, the Central Bank settlement system participants, payment clearing house system operators and system operators shall retain all records obtained by them during the course of the operations and administration of a payment system or the issuance of a payment instrument, for a period of seven years from the date of each particular record.

Kenya has signed the World Intellectual Property Organization (WIPO) Copyright Treaty in December 1996, but has not ratified it.

Section 31 of the Data Protection Act No. 24 of 2019 requires the performance of protection impact assessment in cases where a processing operation is likely to result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes.

Kenya does not have a comprehensive framework in place that provides effective protection of trade secrets, but there are limited measures addressing some issues related to them. The protection of trade secrets is mostly by way of common law and equity (and there are a few judicial decisions on this topic). Trade secret protection can be inferred from common law protection of confidentiality. However, regarding whether trade secrets are kept confidential during court proceedings, there is currently no clear judicial precedent on the handling of evidence containing a trade secret while still maintaining its confidentiality. A review of the available case law shows that such matters are determined on a case-by-case basis, and one must demonstrate that the trade secret is indeed useful and applicable in the relevant trade or industry; is not public knowledge or public property; is of economic value to the business seeking to protect it and that the disclosure of such information would be prejudicial to the business.
Moreover, protection is granted locally by virtue of the Constitution (Arts. 2.5 and 2.6). Some forms of protection of trade secrets can also be found in various pieces of legislation, such as those relating to employment and contracts.

Section 27.3 of Act No. 3 empowers the Anti-Corruption Commission to issue a notice requiring any person to provide, within a reasonable time specified in the notice, any information or documents in the person’s possession that relate to a person suspected of corruption or economic crime. This notice does not require a court order or court warrant and may be issued when the Anti-Corruption Commission is investigating financial crimes.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Paragraph 6.2.4 of the National Information Communication and Technology Policy Guidelines of 2020 mandated that a company must have at least 30% substantive Kenyan ownership to be licensed by the Communication Authority to provide ICT services in Kenya. This requirement applied until August 2023 when, through Gazette Notice 11079 dated 22 August 2023, the Kenyan Cabinet Secretary for Information, Communications, and the Digital Economy formally announced the deletion of the paragraph. According to Section 2 of the Kenya Information and Communications Act, information and communication technologies encompass the technologies used in collecting, storing, using, or transmitting information, including those involving computers or any telecommunication system. This definition includes ICT, telecommunication, and audiovisual services. Previously, this ownership requirement was 20% for telecommunications licensees.

The Kenyan government has stakes in several telecom companies. It ows 35% of Safaricom Limited, 35% of Vodacom, 5% of Vodafone and 30% of Telekom Kenya.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Kenya has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that foreign firms have had very limited success bidding on Kenyan Government tenders. There are widespread reports that corruption often influences the outcome of public tenders, and many of these tenders are challenged in the courts. Foreign firms, some without proven track records, have won government contracts when partnered with well-connected Kenyan firms or individuals. As of January 2019, all tenders and procurements are required to be undertaken through the Kenyan Government’s electronic procurement system, the Integrated Financial Management Information System (IFMIS). Certain foreign companies have expressed concerns about IFMIS due to insufficient connectivity and technical capacity in county government offices, apathy from county government officials, central control shutdowns, and security gaps that render the system vulnerable to manipulation and hacking.

Section 4.3 (Skills and Innovation) of the National ICT Policy Guidelines 2020 establishes that skills transfer to local firms and personnel is a mandatory requirement to win public tenders.