Introduction
Kenya is a leader in digital governance, ranking 109th globally according to the 2024 United Nations (UN) E-Government Development Index, driven by the success of the eCitizen platform. Amongst other services, the eCitizen platform has shifted the publication of marriage notices online, aligning with the Marriage Act and Kenya’s Vision 2030 agenda of enhancing accessibility and efficiency in service delivery. The platform is owned by the State and managed by the Ministry of Information Communication and Digital Economy through public-private partnership with local and foreign companies like Webmasters, Olive Tree Media and Pesa Flow Limited.
The partnerships scale the platform’s capacity and boost efficiency but also creates vulnerabilities, such as critical cyberattacks the platform has faced, leading to denial of access to services and data manipulation. This undermines trust in e- governance. These attacks as per a 2025 audit highlight insufficient resource allocation, fragmented and ambiguous oversight which is further complicated by the continued third party service providers.
The privacy issues arising from the transition of marriage notices to the eCitizen platform
Before migration to the eCitizen platform, marriage data was managed manually by the Office of the Attorney General (AG), particularly through the Registrar of Marriages serving on average over 600 people daily. These services were limited to those who visited the registries and the places of intended marriage, such as churches. The practice mitigated privacy risks associated with unrestricted open access to large amounts of personal data. Once a man and a woman consented to marry, they would give to the Registrar of Marriages a written notice of intention to marry of not less than 21 days and not more than three months before the marriage date. The marriage notice, signed by both parties, had the names and places of residence of the parties and those of their parents, date and venue of marriage.
The marriage notice would then be published by the Registrar in the place where the marriage would be celebrated. This would entail publication at the Registry notice board or outer door where anyone could see it and submit a written objection. The Marriage Act targets the community where the marriage is conducted to protect public interest by ensuring valid marriages free from impediments, such as the prohibited degree of consanguinity and subsisting marriages.
Significantly, the publication of marriage notices have over the years been done physically, as illustrated above. However, with the transition of this service to the eCitizen platform, the style of publication has changed, to virtual. In comparison to the physical process that could only be accessed by those who visited the Registry, eCitizen marriage notices’ publication is accessible by anyone. Marriage notices on eCitizen contain data such as names, photos, spouses’ names, wedding dates and venues. While the intent is to notify of the marriage and allow for written objection, the platform does not allow objections to be submitted online indicating that objections continue to be done manually to the registrar or the officer in charge of the intended place of marriage.
Additionally, applications for marriage certificates are done on the platform. It requires filling in sensitive personal data including one’s occupation, age, phone number, email details, the details of their parents as well the attachment of documents such as IDs, death certificates, birth certificates, divorce orders among others. While this process isn’t any different from the earlier physical process, the major concern is how the data is handled and allows unrestricted public access by third parties. There are also concerns on how the data is collected, stored and transferred on the platform. This article in the subsequent subsections examines these concerns arising from the eCitizen publication of marriage notices.
-
Data minimisation and purpose limitation
The expansive exposure and storage of sensitive data by eCitizen violates the data minimization principle which requires personal data to be adequate, relevant and limited to what is necessary for specified purpose. Only data necessary for allowing objection to marriages in line with the marriage Act should be accessible publicly. This includes the names of spouses and the mode of objection of the marriage. Details such as the specific venues of the marriage at the specified time and photos of spouses are available online to the general public. Furthermore, enabling objections to be filed through the platform would maintain transparency while reducing the disclosure of data relating to the person’s location at a specific time, balancing the right to privacy and transparency. This is through minimising the unrestricted public access to sensitive personal data.
-
Lack of privacy safeguards
The DPA requires data protection by design or default. The Registrar of Marriages ought to implement appropriate technical and organisational measures, such as encryption and pseudonymisation, considering the possible risks, such as unwarranted surveillance, social engineering and privacy breaches in any event of a cyber attack. The marriage notices are not encrypted and allow free access to the data such as photos, names, and marriage venue to the general public. The eCitizen platform has faced cyber attacks, for instance the BRS attack exposing sensitive personal data showing the insufficiency in its safeguards. The personal data uploaded in relation to the marriage notices and applications remains unprotected with no technical safeguards to protect the data from misuse in case of any cyber attacks.
-
The right to erasure, clear deletion and retention policies
Data subjects have the right to erasure, allowing requests for deletion of excessive, irrelevant and unauthorized data. The platform lacks clear policies on the retention, erasure and deletion of the marriage data after the expiry of the three months notice period. Notices from as early as February 2025 remain available in the platform contrary to the maximum requirement of 3 months under Section 25 of the Marriage Act. This is in violation of Section 39 of the DPA’s requirement to limit retention of the data to what is necessary and prohibition of further processing incompatible with the purpose. According to this requirement, the marriage notices should only be publicly accessible for a maximum of three months and thereafter, removed from public open access.
-
Surveillance, exposure to identity theft and social harassment
The public accessibility of the notices through the Attorney General’s eCitizen portal without log in requirements and anonymisations enable easy access, screenshot or misuse. This facilitates surveillance by exposing real time details of venue and wedding dates that can track an individual’s movement. In 2024-2025, the Kenya National Computer Incident Response Team Coordination Centre (KE-CIRT/CC) reported an alarming rise in cyber attacks exploiting system vulnerabilities on government infrastructure. Kenya has experienced phone surveillance and data misuse, highlighting how digitising sensitive data and making it available through the digital domain can be exploited for political targeting, social discrimination and control heightening risks to marginalised and vulnerable communities.
In addition, the open access of sensitive data such as photographs, spouse identities creates opportunities for identity theft, social engineering and enables phishing, social harassment and impersonation especially in communities where marital status has social stigma. Due to lack of safeguards, the marital data can be easily copied, screen shotted and scraped off amplifying the risks.
Best practices and recommendations
Kenya’s eCitizen has in the past exhibited significant gaps in privacy safeguards through cyber attacks that have exposed sensitive citizen data, underscoring the critical need for vigilance and improvement. ECitizen can implement best practices such as the data protection principles and privacy safeguards from comparable platforms like Rwanda’s Irembo, Germany’s Bundesanzeiger, to balance service delivery with privacy protection. Rwanda’s Irembo platform, just like Kenya’s eCitizen, provides citizens with access to a wide range of public services, such as marriage services. Germany’s Bundesanzeiger on the other end is the official federal gazette and digital government portal with a company register and publication platform for legal notices.
-
Adoption of stringent policy framework
The Kenya DPA mandates principles including data minimisation and requirement for data protection by design and by default. The eCitizen platform must adopt policies that limit the marriage notices to strictly what is essential for objection excluding photographs, exact wedding dates and venues unless with consent and adequate safeguards. Additionally eCitizen should set clear data subject rights enforcement to allow citizens access, correct and request for deletion of their data. Adopting clear data retention schedules that ensure deletion of personal data after its statutory purpose expires will reduce the exposure period of sensitive data in adherence to Section 39 of the DPA. This will also limit unrestricted public access.
For comparative purposes, the European Union (EU) General Data Protection Regulations (GDPR) mirror the principle of data minimisation under Article 5. The France’s Journal Officeil, in compliance with the GDPR limits public notices, such as marriage bans, to minimal identifiers like names and exclude photographs and venues to ensure privacy. Additionally, it employs safeguards like pseudonymisation and access controls, limiting access to sensitive data together with clear privacy policies empowering data subject rights.
In addition, Germany’s Bundesanzeiger federal gazette limits data to what is required for legal effectiveness, minimising privacy risks. It has a comprehensive Data Privacy Statement that ensures collection is limited to statutory purpose and maintains strict data retention measures, deleting data when no longer needed. Similarly, Rwanda’s Irembo platform aligns with Rwanda’s Data Privacy and Protection Law. Its Privacy Policy emphasizes consent based access, access restrictions and identity verifications before sensitive data is made accessible. These platforms give an illustration of key measures that Kenya’s eCitizen platform should adopt to be compliant with the DPA in the publication of marriage notices.
-
Robust technical safeguards
Recent audit reports on eCitizen exposed systematic deficiencies highlighting security gaps in the platform. Open access allows data to be viewed and scrapped without authentication. ECitizen must urgently adopt robust safeguards beyond OTP authentication. To counter the risks exemplified by the 2025 BRS attack, eCitizen must implement privacy by design features such as encryption, anti scrapping technologies and pseudonymization to prevent the unauthorized harvesting of the sensitive data from the platform. Such measures have been successful for comparable platforms like Irembo and Germany’s Bundesanzeiger which utilises encryption, pseudonymisation and strict access controls. These measures ensure privacy by design and default as per the DPA which mandates adoption of organizational measures like encryption to ensure privacy from the onset of the processing. The technical safeguards can include anti scrapping safeguards that detect and block any automated attempt to extract bulk personal data, reducing surveillance and identity theft. Additionally regular monitoring to detect any suspicious activities and cyber threats should be put in place, for prompt response.
-
Data localisation
Lastly, Kenya must enforce data sovereignty by hosting citizen data within its national borders ensuring government control, limiting foreign control and misuse. To ensure data sovereignty and localization of sensitive data it is recommended that Kenya ought to focus on investment on local infrastructure. These safeguards will ensure reduced risks of surveillance, identity theft, unauthorised access and fraud while ensuring continuous service delivery. The above recommendations coupled with the ongoing digital literacy efforts will empower citizens to protect their privacy, through exercising the rights accorded by the DPA.
Conclusion
Kenya’s eCitizen has brought remarkable progress in e-governance by streamlining services to ensure accessibility and efficiency. However, the publication of marriage data exposes citizens to significant risks of mass surveillance, identity theft and data misuse. This is because of the unrestricted public access of the data. In addition, previous cyber-attacks on the platform threaten individual privacy and erode public trust in e-governance. To mitigate the risks, eCitizen must urgently employ a holistic approach by integrating strong technical safeguards like anti scrapping and continuous monitoring to create multi layers of protection and make the platform resilient. These safeguards together with strict policies that ensure data minimisation, localisation, restricted public access, privacy by design and default will safeguard citizen data and restore public trust.
The image used was genereated by ChatGPT
