Section 27.3 of Act No. 3 empowers the Anti-Corruption Commission to issue a notice requiring any person to provide, within a reasonable time specified in the notice, any information or documents in the person’s possession that relate to a person suspected of corruption or economic crime. This notice does not require a court order or court warrant and may be issued when the Anti-Corruption Commission is investigating financial crimes.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Paragraph 6.2.4 of the National Information Communication and Technology Policy Guidelines of 2020 mandated that a company must have at least 30% substantive Kenyan ownership to be licensed by the Communication Authority to provide ICT services in Kenya. This requirement applied until August 2023 when, through Gazette Notice 11079 dated 22 August 2023, the Kenyan Cabinet Secretary for Information, Communications, and the Digital Economy formally announced the deletion of the paragraph. According to Section 2 of the Kenya Information and Communications Act, information and communication technologies encompass the technologies used in collecting, storing, using, or transmitting information, including those involving computers or any telecommunication system. This definition includes ICT, telecommunication, and audiovisual services. Previously, this ownership requirement was 20% for telecommunications licensees.

The Kenyan government has stakes in several telecom companies. It ows 35% of Safaricom Limited, 35% of Vodacom, 5% of Vodafone and 30% of Telekom Kenya.

It is reported that Kenya does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation.

Kenya has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

It is reported that the Communication Authority of Kenya, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

The National ICT Policy Guidelines (paragraph 4.4) provide that all arms of government build, deploy, operate and manage locally built back-end and front-end systems. The Guidelines also require that all Kenyan data remains in Kenya and is stored safely and in a manner that protects the privacy of citizens to the utmost.

Section 50 of the Data Protection Act provides that the Cabinet Secretary may prescribe, based on the grounds of strategic interests of the state or protection of revenue, processing of a certain nature that should only be conducted through a server or data centre located in Kenya. Regulation 26.1 of the Data Protection (General) Regulations further clarifies that, pursuant to Section 50 of the Act, a data controller or data processor who processes personal data for the purposes of strategic interests of the state outlined in Regulation 26.2 should process such personal data through a server and data centre located in Kenya; or store at least one serving copy of the concerned personal data in a data centre located in Kenya (whereby no definitions have been provided for the term 'serving copy'). The strategic purposes contemplated in Regulation 26.1 include the processing of personal data for:
- administering the civil registration and legal identity management systems;
- facilitating the conduct of elections for the representation of the people under the constitution;
- overseeing any system for administering public finances by any state organ;
- providing primary or secondary healthcare for a data subject in the country;
- offering any form of early childhood education and basic education under the Basic Education Act No. 14 of 2013; and
- running any system designated as a protected computer system in terms of Section 20 of the Computer Misuse and Cybercrimes Act.
Under the Computer Misuse and Cybercrimes Act, a protected system is defined as a computer system used directly in connection with or necessary for:
- the security, defence, or international relations of Kenya;
- the existence or identification of a confidential source of information relating to the enforcement of a criminal law;
- the provision of services directly related to communications infrastructure, banking and financial services, payment and settlement systems and instruments, public utilities, or public transportation, including government services delivered electronically;
- the protection of public safety, including systems related to essential emergency services, such as police, civil defence, and medical services;
- the provision of national registration systems; or
- such other systems as may be designated relating to the security, defence, or international relations of Kenya, critical information, communications, business, or transport infrastructure, and protection of public safety and public services as may be designated by the Cabinet Secretary responsible for matters relating to information, communication, and technology.

Art. 48 of the Data Protection Act No. 24 of 2019 states that a data controller or data processor may transfer personal data to another country only where the data controller or data processor has given proof to the Data Commissioner of the appropriate safeguards with respect to the security and protection of the personal data. Alternatively, data can be transferred if the transfer is necessary for: the performance of a contract, for any matter of public interest, for the establishment, exercise or defence of a legal claim, in order to protect the vital interests of the data subject or of other persons; or for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.
Art. 49 highlights safeguards prior to transfer of personal data out of Kenya, which include: (1) The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards; (2) The Data Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the security safeguards or the existence of compelling legitimate interests; (3) The Data Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as may be determined.

Kenya has not joined any free trade agreement committing to open transfers of cross-border data flows.

The Data Protection Act provides a comprehensive regime of data protection in Kenya. The Act sets out, among other things, data subject rights, principles of data processing, and obligations related to data transfers, direct marketing, and breach notifications.

The Copyrights Act provides a regime of copyright exceptions that follows the fair dealing model, which enables the lawful use of copyrighted work by others without obtaining permission. According to Art. 26, it is permitted the use of copyrighted works for educational purposes, the incidental inclusion of works in a broadcast or film, the non-for-profit use of works in public, the broadcast of works intended to be used for systematic instructional activities, the use of works by the government, public libraries and non-commercial documentation centres as well as the use of works for judicial purposes, provided the author and the source are indicated.

Copyright is not adequately enforced online in Kenya. Copyright piracy and the use of unlicensed software are reported to be prevalent in the country. Businesses in the country have also expressed concern about the online distribution of copyright-infringing content.

Kenya has signed the World Intellectual Property Organization (WIPO) Copyright Treaty in December 1996, but has not ratified it.