Overview

Five years after the enactment of the Data Protection Act (DPA) 2019, Amnesty International Kenya has published a landmark report assessing how Kenyans understand and experience their right to privacy. The study, conducted across 10 counties through focus group discussions and key informant interviews, reveals that while the Data Protection Act 2019 established a strong legal framework, its real impact is still limited by low awareness, weak enforcement, and insufficient regional presence of the regulator.

This report provides rare citizen-level insights into:

Awareness of the Data Protection Act and privacy rights.
Experiences with personal data breaches and remedies.
Knowledge of the Office of the Data Protection Commissioner (ODPC).
Recommendations for stronger enforcement, inclusion, and public education.

Key Findings

Urban counties such as Nairobi and Kisumu show relatively high awareness of the DPA, while rural and marginalized counties report limited knowledge.
Many citizens hesitate to share personal data; some provide false information due to past breaches and lack of confidence in recourse.
Few citizens know how to report violations to the ODPC, and no participants in the study had actually done so.
Youth, persons with disabilities, and low-literacy communities remain largely outside DPA implementation efforts.
Lack of regional offices, limited staffing, and weak enforcement powers undermine public trust.

Recommendations

This report calls for:

Community Engagement & Education – National awareness campaigns, use of chiefs’ barazas, and digital literacy initiatives.
Inclusion of Vulnerable Groups – Tailored outreach to youth, persons with disabilities, and marginalized populations.
ODPC Presence & Capacity – Expanding offices to counties, embedding officers in police stations, and strengthening enforcement independence.
Accountability & Enforcement – Proactive investigations, especially against large telecom companies and digital lenders.
Multi-Sectoral Collaboration – Joint efforts between government, CSOs, media, and the private sector to mainstream privacy and data protection.
Education Curriculum Integration – Embedding basic data protection concepts in schools.

DPA Awareness Perception Study Final Download

Complementary Resources: Data Protection Guidelines for Civil Society Organisations

Civil society organisations (CSOs) play a critical role in advancing rights and serving communities in Kenya. With increasing reliance on personal data, CSOs must comply with the Data Protection Act 2019 while protecting the dignity and privacy of the people they serve.

Amnesty International Kenya, in collaboration with the Data Privacy and Governance Society of Kenya, has developed Data Protection Guidelines for CSOs. This guide demystifies the DPA and provides practical, rights-based tools for compliance.

The guidelines cover:

The legal and regulatory framework for data protection in Kenya.
Obligations of CSOs as data controllers and processors.
Principles of data protection and rights of data subjects.
Lawful bases for processing personal and sensitive data.
Cross-border data transfers and Data Protection Impact Assessments (DPIAs).
Practical steps for building internal privacy programs and policies.
Technical and organizational measures for data security

CSO Data Protection Guidelines Final Download