While The Kenya Information and Communications Act (Registration of SIM Cards) Regulations 2015 does not specify any period of retention of data, Section 4.4 requires that the telecommunications companies provide quarterly records of all registered SIM Cards and a report of the maintenance of the records of SIM Cards registered as under the Regulations. This inadvertently means that there is a requirement for these record of SIM Card registration almost indefinitely and the Kenya Communications Authority expects regular updates.

Guide 7 of the 2019 Guidelines for Reporting on SIM-Card Registration by Telecommunications Operators outlines various measures that operators must follow in the SIM card registration process. Although the retention period is not explicitly specified, it is anticipated that the data collected for each mobile user should be retained for as long as the user holds the telecom's SIM card and continues to use their services.

Section 26.1 of the National Payment Act provides that the Central Bank, the Central Bank settlement system participants, payment clearing house system operators and system operators shall retain all records obtained by them during the course of the operations and administration of a payment system or the issuance of a payment instrument, for a period of seven years from the date of each particular record.

Section 31 of the Data Protection Act No. 24 of 2019 requires the performance of protection impact assessment in cases where a processing operation is likely to result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes.

Section 27.3 of Act No. 3 empowers the Anti-Corruption Commission to issue a notice requiring any person to provide, within a reasonable time specified in the notice, any information or documents in the person’s possession that relate to a person suspected of corruption or economic crime. This notice does not require a court order or court warrant and may be issued when the Anti-Corruption Commission is investigating financial crimes.

Pursuant to Section 42 (1) and (2) of the National Intelligence Service Act 2012, the Director General of Intelligence may obtain warrants from the High Court of Kenya to obtain any information and monitor communication in order to preserve national security.
Despite the law requiring a warrant, an investigation by Privacy International in March 2017 revealed that the National Intelligence Agency (NIS) has direct access to Kenya’s telecommunications networks, which allows for the interception of both communications data and content. Direct access describes situations where state agencies have a direct connection to telecommunications networks, which allows them to obtain digital communications content and data (mobile and/or internet) without prior notice or judicial authorisation and without the involvement of the telecommunications provider or internet service provider that owns or runs the network.

Section 6 of the Official Secrets Act requires “any person who owns or controls any telecommunications apparatus used for the sending or receipt of any data to or from any place outside Kenya” to provide such data to the government. Such requests may be authorised by the president’s cabinet security rather than through the courts. Those who refuse risk a one-year prison term, a fine of 1 million shillings (USD 8,800), or both.

The Copyright Act establishes a safe harbour regime for intermediaries for copyright infringements. Section 35A of the Act outlines the limitations of liability for Internet Service Providers (ISPs) in cases of copyright infringement. ISPs may rely on these limitations under the following conditions:
- They do not initiate the transmission of the copyright;
- They do not select the addressee of the content;
- They perform their functions in an automatic, technical manner without selection of materials;
- They do not interfere with the lawful use of technology to obtain information on the use of the copyrighted material;
- They do not have actual knowledge that the content or activity related to the material is infringing the rights of a third party;
- They are not aware of the facts or circumstances of the alleged copyright infringing activity unless the infringing nature of the material is apparent and
- They remove or disable access to copyright-infringing content upon receipt of a valid takedown notice.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Kenya's law and jurisprudence. Except for the provisions in Section 35 of the Copyright Act, there are no explicit limitations on liability for activities such as "hosting, caching, linking, or acting as mere conduits." The Electronic Transactions Bill of 2007, which was eventually repealed, had proposed limitations on both criminal and civil liability for third parties involved in caching, information location, and conduit functions, drawing extensively from the EU Commerce Directive.

Kenya has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Regulation 5 of the Registration of SIM-Cards Regulations requires every telecom operator to register its users, including the provision of personal data such as names and national identity cards.

It is reported that the Communication Authority of Kenya, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Section 13 of Act No. 12 creates the offence, and outlaws hate speech, and Section 62 makes an offence for any media enterprise to publish words intended to incite feelings of contempt, hatred, hostility, violence or discrimination against any person, group or community on the basis of ethnicity or race. A media enterprise can be fined up to one million shillings (USD 8,800) for publishing hate speech.
In addition, under the "Guidelines for the Prevention of Dissemination of Undesirable Bulk Political SMS and social media content via Electronic Communications Networks", intermediaries (bulk messaging and social media service providers) can be held liable for spreading falsehoods, hate speech and insults. Art. 13.6 of the Guidelines establishes that it shall be the responsibility of the Administrator of a social media platform to moderate and control undesirable content and discussions that have been brought to their attention on their platform. In this respect, Art. 13.7 provides that social media service providers shall be required to pull down accounts used in disseminating undesirable political content on their platform that have been brought to their attention within 24 hours.

The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.

The Communications Authority of Kenya (CA) is mandated to license all telecommunications systems and services in the country, including content service providers. The Content Service Provider licence allows a licensee to provide content-related services to end users who are customers of the application service providers. Content service providers use the infrastructure of network facilities providers and the application service providers' systems to reach their customers. The services offered by content service providers are of information, entertainment, education, health, social, etc. nature, which can either be text, voice, or video clips delivered to a customer’s mobile device on request or as subscribed to by the customer.
CA is guided by the provisions of the relevant statutes, including the Kenya Information and Communications Act, 1998 (Section 25) and the Kenya Communications Regulations 2001 (Part V). The CA has a Unified Licensing Framework (ULF) in place, which is technology- and service-neutral. The ULF market is structured into three main licenses: Network Facilities Provider, Application Service Provider, and Content Service Provider.