The Kenya Information and Communications (Amendment) Bill, 2025, currently before the National Assembly, promises to protect Kenyans from being overcharged for accessing the internet. It would give every internet subscriber a meter number, require providers to monitor each person’s use of their connection, and have those meter numbers reported to a government regulator once a year.
This bill, sponsored by Aldai MP Marianne Kitany, has had its first reading in the National Assembly. It amends the Kenya Information and Communications Act, Cap 411A, the law that governs telecommunications and the Communications Authority of Kenya.
The bill does three things. First, it redefines “telecommunication operator” to include internet service providers. That single change folds internet service providers (ISPs) into the licensing and subscriber-data regime that already applies to mobile operators under sections 79 and 27A of the Act. Second, it requires every ISP to run a “meter billing system” that assigns each customer a unique, identifiable meter number, monitors usage, and generates invoices based on consumption. Third, it requires ISPs to submit to the Communications Authority at least once a year information about their billing system, including the meter numbers issued to subscribers.
The stated purpose is consumer protection. The bill’s memorandum invokes Article 46 of the Constitution and presents metered billing as a way to curb exploitation and make people pay for what they actually use, much as a household pays for water or electricity. Put that way, you’d almost be convinced that it is a great bill that puts consumer interests first.
The framing is where the trouble begins.
Look at what the bill actually builds:
- A unique identifier tied to each subscriber.
- A standing duty on providers to monitor what each subscriber does online.
- A yearly channel that delivers those identifiers to a state regulator.
Now set that against the data ISPs would take on the moment they become “telecommunication operators.” Under section 27A, operators must already collect every user’s full name, national ID number, date of birth, gender, and physical and postal addresses, and may disclose a subscriber’s particulars to the Communications Authority of Kenya for its statutory functions, criminal investigations, and civil proceedings. Metered billing attaches an ID-verified identity to a continuous record of a person’s internet use, held by or available to the government. Whatever the bill calls it, that is a monitoring system.
This is kind of the main objection in ICJ Kenya’s human rights analysis of the bill. Article 31 of the Constitution protects the right to privacy. But when you link named individuals to traceable meter numbers and then track their activity, it gives the state a workable instrument to figure out who is online and what they are doing there. The people exposed are usually the ones who really need cover: journalists, activists, organizers, and anyone whose work relies on not being watched. We have seen this pattern before, with the Huduma Namba rollout and the Worldcoin episode all moving in the same direction, gathering identifying data first, then leaving safeguards for later, if at all.
That points to the second problem. The bill creates a new and revealing dataset, a running record of what each named subscriber does online, tied to a meter number, and a standing requirement to move that record to a state regulator. It does not mention the Data Protection Act, 2019. It sets no retention limit, names no purpose for which the data may be used, and provides no independent oversight of what the Authority may do with the meter numbers once it holds them. Kenyans already know what can happen when identity-linked data is held by the state, and the rules do not. Since the June 2024 Gen Z protests, the Kenya National Commission on Human Rights and Amnesty International have documented more than eighty enforced disappearances of protesters and government critics. Investigations by the Daily Nation, Al Jazeera, and Amnesty International’s own report point to the role telecommunications data played in that campaign: call records and location information were used to locate people and then take them. Safaricom, partly owned by the Government of Kenya, carries most of the country’s internet traffic and denies unlawfully sharing customer data. Even so, some Kenyans have already abandoned their lines to make themselves harder to trace, and urged others to do the same. A dataset this sensitive, handed to the state with no rules attached, will leak and be repurposed. In a country where the same kind of data has already been linked to the disappearance of government critics, building a mandatory, state-held record of everyone’s internet use would give whoever controls it a map of the people on it.
Then there is what the bill says about itself. Its memorandum states that it “does not delegate legislative powers nor does it limit fundamental rights and freedoms.” That is simply not true. A law that mandates monitoring internet use and reporting per-user identifiers to a regulator plainly infringes on the right to privacy. Article 24 requires that any limitation of a right be shown to be reasonable and proportionate, achieved through the least restrictive means available. The bill offers no such justification because it denies that anything warrants it. By all means, Kenyans should be protected from unfair billing, but we cannot have protection built on individual monitoring, routed through a state regulator, and stripped of data safeguards. Before the bill moves further, Parliament should open it to genuine public participation, commission a human rights impact assessment, and either write in enforceable data-protection and oversight provisions or abandon the metering architecture. As it stands, the bill asks Kenyans to accept surveillance and call it a fair deal.


