Database

Browse Database

KENYA

Since August 2005

Pillar Intermediary liability  |  Sub-pillar User identity requirement
Registration of SIM –Cards Regulations, 2015
Regulation 5 of the Registration of SIM-Cards Regulations requires every telecom operator to register its users, including the provision of personal data such as names and national identity cards.
Coverage Telecommunications sector

KENYA

Since March 2009
Since July 2017

Pillar Intermediary liability  |  Sub-pillar Monitoring requirement
National Cohesion And Integration Act No. 12 of 2008

Guidelines on Prevention of Dissemination of Undesirable Bulk and Premium Rate Political Messages and Political Social Media Content Via Electronic Communications Networks
Section 13 of Act No. 12 creates the offence, and outlaws hate speech, and Section 62 makes an offence for any media enterprise to publish words intended to incite feelings of contempt, hatred, hostility, violence or discrimination against any person, group or community on the basis of ethnicity or race. A media enterprise can be fined up to one million shillings (USD 8,800) for publishing hate speech.
In addition, under the "Guidelines for the Prevention of Dissemination of Undesirable Bulk Political SMS and social media content via Electronic Communications Networks", intermediaries (bulk messaging and social media service providers) can be held liable for spreading falsehoods, hate speech and insults. Art. 13.6 of the Guidelines establishes that it shall be the responsibility of the Administrator of a social media platform to moderate and control undesirable content and discussions that have been brought to their attention on their platform. In this respect, Art. 13.7 provides that social media service providers shall be required to pull down accounts used in disseminating undesirable political content on their platform that have been brought to their attention within 24 hours.
Coverage Media and bulk messaging and social media service providers

KENYA

Since October 1998, entry into force in February 1999, as amended in 2020
Since February 2001

Pillar Content access  |  Sub-pillar Licensing schemes for digital services and applications
Kenya Information and Communications Act, 1998

Kenya Communications Regulations, 2001
The Communications Authority of Kenya (CA) is mandated to license all telecommunications systems and services in the country, including content service providers. The Content Service Provider licence allows a licensee to provide content-related services to end users who are customers of the application service providers. Content service providers use the infrastructure of network facilities providers and the application service providers' systems to reach their customers. The services offered by content service providers are of information, entertainment, education, health, social, etc. nature, which can either be text, voice, or video clips delivered to a customer’s mobile device on request or as subscribed to by the customer.
CA is guided by the provisions of the relevant statutes, including the Kenya Information and Communications Act, 1998 (Section 25) and the Kenya Communications Regulations 2001 (Part V). The CA has a Unified Licensing Framework (ULF) in place, which is technology- and service-neutral. The ULF market is structured into three main licenses: Network Facilities Provider, Application Service Provider, and Content Service Provider.
Coverage Content service providers, application service providers

KENYA

Since February 2021

Pillar Quantitative trade restrictions for ICT goods and online services  |  Sub-pillar Other import restrictions, including non-transparent/discriminatory import procedures
The Environmental Management and Coordination (Extended Producer Responsibility) Regulations of 2021
The Environmental Management and Coordination (Extended Producer Responsibility) Regulations impose obligations for importers of used electronic goods such as licences, registration for compliance schemes and reporting to ensure that the products comply with the Extended Producer Responsibility (EPR), amongst other requirements.
Coverage Used electronic goods, including electronic equipment

KENYA

N/A

Pillar Quantitative trade restrictions for ICT goods and online services  |  Sub-pillar Other import restrictions, including non-transparent/discriminatory import procedures
Pre-export verification of conformity (PVoC)
It is reported that there is a requirement to obtain a Certificate of Conformity from a Kenya Bureau of Standards appointed pre-export verification of conformity (PVoC) partner. To import any commodity into Kenya, an importer has to enlist the services of a clearing agent who will process the import documentation through Kenya Customs electronically on the Simba 2005 system and clear the goods on the company's behalf. It is the seller’s responsibility to ensure that shipments to Kenya happen only after issuance of a Certificate of Conformity. In addition, products containing the QMark do not have to go through inspection for compliance upon entry into another Partner State of the East African Community.
Coverage Horizontal

KENYA

Reported in 2022, last reported in 2023

Pillar Quantitative trade restrictions for ICT goods and online services  |  Sub-pillar Other import restrictions, including non-transparent/discriminatory import procedures
Lack of transparency of import procedures
Companies have expressed concerns regarding the prolonged duration for Kenyan Customs to release shipments, along with the excessive formalities involved. The one-stop customs clearance system in Kenya reportedly does not function as expected, and the pre-arrival processing of electronic documents is ineffective. Additionally, there are reports of inconsistent application of classification and valuation decisions within the system, as well as unnecessary transit inspections.
Coverage Horizontal

KENYA

Reported in 2022

Pillar Technical standards applied to ICT goods and online services  |  Sub-pillar Self-certification for product safety
Self-certification not allowed for foreign businesses
According to the Communications Authority of Kenya, an application for Type Approval must be made using the Application Form for Type Approval/Type Acceptance of ICT Equipment. It is reported that the homologation procedure in Kenya is more complicated than in most African countries. Depending on regulations and type of equipment, the authority may require product samples for further examination or simply issue an exemption letter. The validity period of conformity documents can be unlimited (exemption letters) or limited to 6 months (certificates of conformity) after which the authority automatically issues an unlimited certificate.
Coverage ICT equipment

KENYA

Since November 2012

Pillar Domestic data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
National Intelligence Service Act 2012
Pursuant to Section 42 (1) and (2) of the National Intelligence Service Act 2012, the Director General of Intelligence may obtain warrants from the High Court of Kenya to obtain any information and monitor communication in order to preserve national security.
Despite the law requiring a warrant, an investigation by Privacy International in March 2017 revealed that the National Intelligence Agency (NIS) has direct access to Kenya’s telecommunications networks, which allows for the interception of both communications data and content. Direct access describes situations where state agencies have a direct connection to telecommunications networks, which allows them to obtain digital communications content and data (mobile and/or internet) without prior notice or judicial authorisation and without the involvement of the telecommunications provider or internet service provider that owns or runs the network.
Coverage Horizontal

KENYA

Since February 1968, as amended in December 2020

Pillar Domestic data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Official Secrets Act
Section 6 of the Official Secrets Act requires “any person who owns or controls any telecommunications apparatus used for the sending or receipt of any data to or from any place outside Kenya” to provide such data to the government. Such requests may be authorised by the president’s cabinet security rather than through the courts. Those who refuse risk a one-year prison term, a fine of 1 million shillings (USD 8,800), or both.
Coverage Horizontal

KENYA

Since 2010

KENYA

N/A

Pillar Telecom infrastructure & competition  |  Sub-pillar Functional/accounting separation for operators with significant market power
Lack of mandatory functional separation for dominant network operators
It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.
Coverage Telecommunications sector

KENYA

Since November 1999

Pillar Telecom infrastructure & competition  |  Sub-pillar Signature of the World Trade Organization (WTO) Telecom Reference Paper
WTO Telecom Reference Paper
Kenya has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector

KENYA

N/A

Pillar Telecom infrastructure & competition  |  Sub-pillar Presence of an independent telecom authority
Presence of independent telecom authority
It is reported that the Communication Authority of Kenya, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.
Coverage Telecommunications sector

KENYA

Since August 2020, last amended in April 2021

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
National Information, Communications and Technology (ICT) Policy Guidelines of 2020
The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.
Coverage Public sector

KENYA

Since November 2019
Since December 2021, entry into force in February 2022
Since May 2018

Pillar Cross-border data policies  |  Sub-pillar Local storage requirement
Data Protection Act (No. 24 of 2019)

Data Protection (General) Regulations, 2021

Computer Misuse and Cybercrimes Act No. 5 of 2018
Section 50 of the Data Protection Act provides that the Cabinet Secretary may prescribe, based on the grounds of strategic interests of the state or protection of revenue, processing of a certain nature that should only be conducted through a server or data centre located in Kenya. Regulation 26.1 of the Data Protection (General) Regulations further clarifies that, pursuant to Section 50 of the Act, a data controller or data processor who processes personal data for the purposes of strategic interests of the state outlined in Regulation 26.2 should process such personal data through a server and data centre located in Kenya; or store at least one serving copy of the concerned personal data in a data centre located in Kenya (whereby no definitions have been provided for the term 'serving copy'). The strategic purposes contemplated in Regulation 26.1 include the processing of personal data for:
- administering the civil registration and legal identity management systems;
- facilitating the conduct of elections for the representation of the people under the constitution;
- overseeing any system for administering public finances by any state organ;
- providing primary or secondary healthcare for a data subject in the country;
- offering any form of early childhood education and basic education under the Basic Education Act No. 14 of 2013; and
- running any system designated as a protected computer system in terms of Section 20 of the Computer Misuse and Cybercrimes Act.
Under the Computer Misuse and Cybercrimes Act, a protected system is defined as a computer system used directly in connection with or necessary for:
- the security, defence, or international relations of Kenya;
- the existence or identification of a confidential source of information relating to the enforcement of a criminal law;
- the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities, or public transportation, including government services delivered electronically;
- the protection of public safety, including systems related to essential emergency services, such as police, civil defence, and medical services;
- the provision of national registration systems; or
- such other systems as may be designated relating to the security, defence, or international relations of Kenya, critical information, communications, business, or transport infrastructure, and protection of public safety and public services as may be designated by the Cabinet Secretary responsible for matters relating to information, communication, and technology.
Coverage Horizontal

Report issue     Report new measure